
Create Optimized SFTPGo Configuration

Open ProfessorManhattan opened this issue 2 years ago • 4 comments

💡 Feature/Idea

Create an optimized SFTPGo configuration so SFTPGo can be used as a service, providing SFTP access and more. The configuration is located at home/dot_local/etc/sftpgo/sftpgo.json.tmpl.

  1. Configure ACME to automatically acquire LetsEncrypt certificates. We should leverage the CloudFlare secrets to automatically handle the validation: https://github.com/go-acme/lego/blob/master/providers/dns/cloudflare/cloudflare.go
  2. Do research on GitHub and look for other configurations and incorporate useful settings from them. For instance, optimize the defender configuration.
  3. Configure SFTPGo to utilize CloudFlare tunnels. This will involve adding a section to home/dot_local/etc/cloudflared
  4. Set up branding to use Install Doctor logos etc.
  5. Look into whether we can provide access to the files stored in the S3 buckets through the SFTPGo interfaces (like the web interface) --- see https://github.com/drakkan/sftpgo/blob/main/docs/s3.md
  6. Scope the access to be restricted to the user's home folder
  7. Configure to use MOTD banner
  8. More.. research and figure out the optimal settings that integrate with our current system
  9. Configure SFTPGo to use JumpCloud as the LDAP provider
  10. Look into implementing https://github.com/drakkan/sftpgo/blob/main/docs/sftp-subsystem.md --- are there any drawbacks from implementing this feature?

SFTPGo has a lot of powerful options and I'd like to set up all the ones we can configure headlessly.

:thumbsup: Can you contribute?

No response

ProfessorManhattan avatar Aug 04 '23 04:08 ProfessorManhattan

> 1. Configure ACME to automatically acquire LetsEncrypt certificates. We should leverage the CloudFlare secrets to automatically handle the validation: https://github.com/go-acme/lego/blob/master/providers/dns/cloudflare/cloudflare.go

For using DNS verification, it is necessary to use the lego (or another) tool. The ACME protocol support built into SFTPGo supports only HTTP-01 and TLS-ALPN-01 - see.

> 2. Do research on GitHub and look for other configurations and incorporate useful settings from them. For instance, optimize the defender configuration.

Did not find many custom configurations. We may have to use the settings that work best for our setup.

> 3. Configure SFTPGo to utilize CloudFlare tunnels

This is complete.

enggnr avatar Nov 15 '23 13:11 enggnr
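As an added example (not the Install Doctor template and not SFTPGo's own code), the following Python script audits an sftpgo.json for the settings discussed in this comment (defender, authentication-try limits, banner, an exposed web UI, and whether the built-in ACME client is in play) and produces a hardened copy. Key names follow SFTPGo's documented sftpgo.json layout (common.defender, sftpd, httpd, acme); the threshold values and the loopback bind address (chosen because the UI sits behind cloudflared in this setup) are this example's assumptions, and the sample config is constructed here rather than taken from the issue.

```python
"""Audit and harden the headless settings of an sftpgo.json.

Added example for this thread, not Install Doctor's template and not
SFTPGo's own code. Key names follow SFTPGo's documented sftpgo.json
layout; the numeric thresholds are this example's choices.
"""
import copy
import json

# Constructed sample close to SFTPGo's shipped defaults: the "before" state.
DEFAULT_LIKE = json.loads("""
{
  "common": {
    "defender": {"enabled": false, "driver": "memory", "ban_time": 30,
                 "threshold": 15, "score_invalid": 2, "score_valid": 1,
                 "score_limit_exceeded": 3, "observation_time": 30}
  },
  "sftpd": {
    "bindings": [{"port": 2022, "address": ""}],
    "max_auth_tries": -1,
    "banner": ""
  },
  "httpd": {
    "bindings": [{"port": 8080, "address": "", "enable_https": false,
                  "enable_web_admin": true, "enable_web_client": true,
                  "certificate_file": "", "certificate_key_file": ""}]
  },
  "acme": {"domains": [], "email": "",
           "http01_challenge": {"port": 80, "proxy_header": "", "webroot": ""},
           "tls_alpn01_challenge": {"port": 0}}
}
""")

EVERY_INTERFACE = {"", "0.0.0.0", "::"}  # bind addresses meaning "all interfaces"


def audit(cfg: dict) -> list:
    """Return human-readable findings; an empty list means clean."""
    findings = []
    defender = cfg.get("common", {}).get("defender", {})
    if not defender.get("enabled"):
        findings.append("common.defender.enabled is false: failed logins are never banned")
    else:
        if defender.get("ban_time", 0) < 15:
            findings.append("common.defender.ban_time below 15 minutes")
        if defender.get("threshold", 0) > 10:
            findings.append("common.defender.threshold above 10 allows many failures per window")

    sftpd = cfg.get("sftpd", {})
    # SFTPGo semantics: 0 means the built-in limit, a negative value means unlimited
    if sftpd.get("max_auth_tries", 0) < 0:
        findings.append("sftpd.max_auth_tries is negative: unlimited attempts per connection")
    if not sftpd.get("banner"):
        findings.append("sftpd.banner is empty: no MOTD/legal banner is sent to clients")

    acme_domains = cfg.get("acme", {}).get("domains", [])
    for i, b in enumerate(cfg.get("httpd", {}).get("bindings", [])):
        web_ui = b.get("enable_web_admin") or b.get("enable_web_client")
        if web_ui and b.get("address", "") in EVERY_INTERFACE and not b.get("enable_https"):
            findings.append(f"httpd.bindings[{i}] serves the web UI on all interfaces without HTTPS")
        has_cert = b.get("certificate_file") and b.get("certificate_key_file")
        if b.get("enable_https") and not has_cert and not acme_domains:
            # built-in ACME is HTTP-01/TLS-ALPN-01 only; with no domains listed,
            # a DNS-01 client such as lego has to drop the files in place
            findings.append(f"httpd.bindings[{i}] enables HTTPS with no certificate and no acme.domains")
    return findings


def harden(cfg: dict, banner: str, bind_address: str = "127.0.0.1") -> dict:
    """Return a hardened copy of cfg; the input is not modified."""
    out = copy.deepcopy(cfg)
    d = out.setdefault("common", {}).setdefault("defender", {})
    d.update({"enabled": True, "driver": "memory", "ban_time": 30,
              "threshold": 5, "observation_time": 30})
    s = out.setdefault("sftpd", {})
    s["max_auth_tries"] = 3
    s["banner"] = banner
    for b in out.setdefault("httpd", {}).get("bindings", []):
        # assumption: the UI is reached through cloudflared, so loopback suffices
        b["address"] = bind_address
    return out


if __name__ == "__main__":
    for f in audit(DEFAULT_LIKE):
        print("FINDING:", f)
    print(json.dumps(harden(DEFAULT_LIKE, "Authorized use only."), indent=2))
```

Run it against the rendered template (load the file with `json.load` instead of `DEFAULT_LIKE`) before committing a change; a non-empty findings list is the signal that a default slipped back in.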

> 4. Set up branding to use Install Doctor logos etc.

This is done. Updated the config to use Megabye/ID logos and favicon.

> 5. Look into whether we can provide access to the files stored in the S3 buckets through the SFTPGo interfaces (like the web interface) --- see https://github.com/drakkan/sftpgo/blob/main/docs/s3.md

Yes, this is possible by creating the user with S3 as the backend, or providing a virtual folder. Do you have any specific setting in mind for this - should it be the home folder for a given user, or have multiple users have folders in a given bucket, etc.? There are quite a few options available.

> 6. Scope the access to be restricted to the user's home folder

It appears that this is the default. SFTPGo users have home/virtual folders configured in their account. This can be a local folder, a remote folder or an S3-compatible backend, and the actions they perform are restricted to these. This is controlled by the permissions granted.

> 7. Configure to use MOTD banner

Added a banner in the config folder of sftpgo. For now it is the same as the banner for SSH.

> 10. Look into implementing https://github.com/drakkan/sftpgo/blob/main/docs/sftp-subsystem.md --- are there any drawbacks from implementing this feature?

I read in some of the issues where the developer says they do not recommend this. It has some limitations when compared to using standalone SFTPGo - like restricted data providers, being unable to limit user sessions and reduced ciphers. It may be best to have sftpgo completely separated from ssh.

enggnr avatar Nov 21 '23 08:11 enggnr

> 8. More.. research and figure out the optimal settings that integrate with our current system

  • Added integration with Netdata
  • ~Yet to add Vault integration~. HashiCorp Vault integration needs the Enterprise edition. Integrating with AWS or Azure KMS solutions is possible. This can be taken up as an enhancement when needed.

enggnr avatar Nov 22 '23 06:11 enggnr

> 9. Configure SFTPGo to use JumpCloud as the LDAP provider

This is complete. Please review the settings where the Bind DN information is passed to see if this can be improved.

enggnr avatar Nov 24 '23 13:11 enggnr
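The JumpCloud wiring above is a per-deployment setting that the thread does not show. As an added example of how such an integration hands users to SFTPGo (not the Install Doctor hook and not SFTPGo's bundled LDAP example), here is a Python external-authentication hook in the shape SFTPGo documents for `data_provider.external_auth_hook`: the credentials arrive in `SFTPGO_AUTHD_*` environment variables and the hook prints a user JSON on stdout, where an empty username means deny. The directory is a constructed in-memory table standing in for the LDAP simple bind (a real hook would bind with the service Bind DN read from a secret file, never from the command line); `HOME_BASE`, the group-to-permission mapping and the denied-protocol filter are this example's assumptions. It also shows the home-folder scoping and permission restriction discussed earlier in the thread, including the username check that keeps a crafted login name from becoming a path outside the home tree.

```python
"""External authentication hook for SFTPGo (added example, not the
Install Doctor configuration and not SFTPGo's own LDAP example).

Protocol as documented by SFTPGo: read SFTPGO_AUTHD_USERNAME /
SFTPGO_AUTHD_PASSWORD from the environment, print a user JSON; a user
with an empty username denies the login. Password auth only: set
data_provider.external_auth_scope to 1 so SFTPGo does not call this hook
for public keys.
"""
import hmac
import json
import os
import posixpath
import re
import sys

# Constructed directory standing in for the LDAP bind: username -> (password, group).
DIRECTORY = {
    "alice": ("correct horse battery staple", "staff"),
    "bob": ("hunter2", "contractor"),
}
HOME_BASE = "/srv/sftpgo/home"          # assumed base path for per-user homes
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")

# Per-group permissions built from SFTPGo's documented permission names;
# no group gets "*", and the mapping itself is an assumption of this example.
PERMS = {
    "staff": ["list", "download", "upload", "overwrite", "delete",
              "rename", "create_dirs"],
    "contractor": ["list", "upload"],   # drop-box only: no download, no delete
}


def verify_credentials(username: str, password: str):
    """Stand-in for the LDAP simple bind; returns the group or None."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return None
    if not hmac.compare_digest(entry[0].encode(), password.encode()):
        return None
    return entry[1]


def build_user(username: str, group: str) -> dict:
    """SFTPGo user JSON scoped to its own home, permissions only on '/'."""
    home = posixpath.join(HOME_BASE, username)
    # username was validated before this point; keep the invariant explicit
    if not posixpath.normpath(home).startswith(HOME_BASE + "/"):
        raise ValueError("home escapes base path")
    return {
        "status": 1,                       # 1 = active
        "username": username,
        "home_dir": home,
        "permissions": {"/": PERMS[group]},
        "filters": {"denied_protocols": ["FTP"]},   # assumed policy: no FTP
    }


def authenticate(env: dict) -> dict:
    """Map the SFTPGO_AUTHD_* environment to the JSON SFTPGo expects."""
    username = env.get("SFTPGO_AUTHD_USERNAME", "")
    password = env.get("SFTPGO_AUTHD_PASSWORD", "")
    deny = {"username": ""}
    # Reject anything that could not be a directory uid before it reaches the
    # directory or becomes part of a filesystem path ("../", "/", empty names).
    if not USERNAME_RE.match(username) or not password:
        return deny
    group = verify_credentials(username, password)
    if group is None:
        return deny
    return build_user(username, group)


if __name__ == "__main__":
    # SFTPGo runs the hook with the SFTPGO_AUTHD_* variables in its environment
    json.dump(authenticate(os.environ), sys.stdout)
    sys.exit(0)
```

Point `data_provider.external_auth_hook` at this script (absolute path, executable by the sftpgo user only) and keep the real bind credentials in a file the hook reads, so they never appear in the process list or in sftpgo.json.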