(You must already be logged in to Gitlab or you’ll hit a 404)
Fast forward to the scenario where you have a web hosting client who has designed their own site and would like to upload it themselves. However it is not necessary to grant them access to all domains on the machine, or even the config or mailboxes section of their own domain.
This is typical for a shared hosting client, and the solution is to give them FTP access. This limits them to the files inside the
public/ directory, i.e. only those associated with the website.
Please be aware that despite being limited to the
public/directory when logging in over FTP, it is trivial for the user to read files elsewhere on the filesystem, for example by using specially written PHP scripts. It is advisable to grant access only to trusted people.
In this example, access to the content of the
my-brilliant-site.com site is being given to another user, but they are only to have access to
/srv/my-brilliant-site.com/public/. To set this up, an FTP password is being created.
Connect to your machine using FileZilla.
Create a file
ftp-password a that contains a secure password your
shared hosting client will use, ensure that the
config/ directory is selected b and upload the file, c. Make sure that there is no txt extension on this file. config/ftp-password
Access to the machine can now be granted over FTP using the username
my-brilliant-site.com and the password being the contents of
We will now test the connection to make sure it works, also using FileZilla, since it can be used to connect via FTP as well as SFTP.
Make sure FileZilla has disconnected from the machine.
The host a and the user b are both the domain name, in this case
my-brilliant-site.com. The password c is the contents of the
ftp-password file and for FTP the port number must be set to 21, d.
Once you connect you’ll notice that you only have access to directories
public/ directory (here represented as “/”) of the
my-brilliant-site.com/ directory tree, which is all you’d need if your
role was limited to maintaining or setting up a web site.
It is possible to limit the amount of data that can be kept in a domain’s
public/ directory using an FTP quota. This is done by creating a file inside the domain’s
config/ directory called
ftp-quota. Inside this file should be a number of bytes at which the quota is set.
The number can have a suffix of
T representing kilo-, mega-, giga-, or terabytes respectively.
For example, to prevent the author of my-brilliant-site.com from putting more than 150MB inside their
public/ directory, create a file called
/srv/my-brilliant-site.com/config/ftp-quota with the contents
150M. This will limit their space usage to 150,000,000 bytes.
Please be aware that the FTP quota will include all log data from the web-server in
public/logs/, as well as the automatically generated statistics in
ftp-password file will set up just one user for the whole domain. If you
would like more fine-grained control over who can access what, then you can use
This section describes how to set up distinct per-domain FTP/FTPS users. Where
ftp-password setup you may have logged in with a user like:
With this method you can have many users, of the form:
firstname.lastname@example.org email@example.com firstname.lastname@example.org
Users can be limited to specific directories, and quotas imposed on each, so
email@example.com may be limited to eg,
htdocs, which works out
/srv/my-brilliant-site.com/public/htdocs. These domain-based users do
not have SSH/SFTP access.
Each user is defined using four fields, added to
Configuration for giving
bob access and a quota of 10 megabytes will
look like so:
This can be done for any number of users - all are specified in the same
ftp-users file. In this example, Bob would log in with the FTP username of
firstname.lastname@example.org and the password
your-password-here, and he would
only have access to
/srv/my-brilliant-site.com/public/htdocs, which would be
limited in size to 10 megabytes of data.