vsftpd.conf for FTP over SSL

#============================================================================
# CONFIG FOR VSFTPD SERVER THAT SECURELY ALLOWS LOCAL USER CHROOT FTPS ACCESS
#============================================================================
# INSTALL COMMAND: 
#     sudo apt update && apt install -y vsftpd
#
# GENERATE CERTIFICATES IF YOU WISH TO USE SSL
#     sudo openssl req -x509 -nodes -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/certs/vsftpd.crt -days 365 -newkey rsa:2048
#
# CREATE DIRECTORY FOR LOCAL USERS TO UPLOAD AND DOWNLOAD FROM
# NOTE: The below creates the FTP home directory in user home directories
#     sudo -i
#     useradd ftpsecure
#     USERS=$(ls /home)
#     for u in $USERS; do
#             echo $u >> /etc/vsftpd.userlist
#             mkdir -p /home/$u/ftp/files
#             chown nobody:nogroup /home/$u/ftp
#             chown $u:$u /home/$u/ftp/files
#             chmod a-w /home/$u/ftp
#      done
#
# DOWNLOAD AND USE THIS CONFIGURATION FILE
#     sudo mv /etc/vsftpd.conf /etc/vsftpd.conf.orig && echo "[*] Created backup of original /etc/vsftpd.conf file at /etc/vsftpd.conf.orig"
#     sudo wget https://raw.githubusercontent.com/OsbornePro/ConfigTemplates/main/vsftpd.conf%20for%20FTP%20over%20SSL -O /etc/vsftpd.conf
#     sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.bak && echo "[*] Created backup of active /etc/vsftpd.conf file at /etc/vsftpd.conf.bak"
#
# CONFIGURE FIREWALL RULES TO ALLOW FTP USING WHATEVER FIREWALL YOu USe
#   FIREWALL-CMD
#        sudo firewall-cmd --zone=public --add-port=21/tcp --permanent
#        sudo firewall-cmd --zone=public --add-port=20/tcp --permanent
#        sudo firewall-cmd --zone=public --add-port=40000-41000/tcp
#        sudo firewall-cmd --reload
#   IPTABLES
#        iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
#        iptables -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
#        iptables -A OUTPUT -p tcp -m tcp --sport 21 -j ACCEPT
#        iptables -A OUTPUT -p tcp -m tcp --sport 20 -j ACCEPT
#        iptables -A INPUT -p tcp -m tcp --dport 40000:41000 -j ACCEPT
#        iptables -A OUTPUT -p tcp -m tcp --sport 40000:41000 -j ACCEPT
#        sudo service iptables restart
#   UFW
#        sudo ufw allow 20:21/tcp
#        sudo ufw allow 40000:41000/tcp
#        sudo ufw reload
#        OR
#        sudo ufw allow ftp-data
#        sudo ufw allow ftp
#        sudo ufw reload
#
#------------------------------------------------------------------------------
# CONFIGURED SETTINGS
#------------------------------------------------------------------------------
# LISTENERS
listen=YES
listen_port=21
listen_ipv6=NO
session_support=YES
pasv_enable=YES
connect_from_port_20=YES
ftp_data_port=20
pasv_min_port=40000
pasv_max_port=41000

# SET THE BELOW VALUE IF YOUR FTP SERVER IS PUBLICLY ACCESSIBLE
#pasv_address=<Public IP Address or hostname>
#pasv_addr_resolve=YES

# RESTRICT COMMANDS THAT CAN BE EXECUTED
#cmds_allowed=ABOR,ACCT,ALLO,APPE,BINARY,CDUP,CWD,DELE,EPRT,EPSV,FEAT,HELP,LIST,MDTM,MODE,NLST,NOOP,OPTS,PASS,PASV,PORT,PWD,QUIT,REIN,REST,RETR,RMD,RNFR,RNTO,SITE,SIZE,SMNT,STAT,STOR,STOU,STRU,SYST,TYPE,USER,XCUP,XCWD,XPWD,XRMD
#cmds_denied=PUT,MPUT,RM,RMD,RMDIR,XRMD,MKD,MKDIR,XMKD

# PERMISSIONS
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
user_sub_token=$USER
local_root=/home/$USER/ftp
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
allow_writeable_chroot=NO
nopriv_user=ftpsecure
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
ls_recurse_enable=NO

# LOGGING
syslog_enable=NO
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=NO
log_ftp_protocol=YES
debug_ssl=YES

# SESSIONS
idle_session_timeout=600
data_connection_timeout=120

# CHAR
ascii_upload_enable=NO
ascii_download_enable=NO
#utf8_filesystem=YES

# BANNER
ftpd_banner=OsbornePro LLC. FTP over SSL Server
# OR You can use a file to load a banner
#banner_file=/etc/vsftpd.welcome_banner

# SERVICE
pam_service_name=ftp

# SSL SETTINGS
rsa_cert_file=/etc/ssl/certs/vsftpd.crt
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
ssl_ciphers=HIGH
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO

# SET THIS TO YES IF YOU ARE USING PORT 990
implicit_ssl=NO