In this post we will see how to safely publish an internal SFTP server on the Internet through HAProxy.
In the example we will allow only a particular external IP, which increases security.
Let’s prepare the internal backend
An example of my SSH configuration (edit the file /etc/ssh/sshd_config):

# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

# All users of our internal LAN can try to access; only the user "puppet" can try to access from 10.12.21.32 (our HAPROXY server)

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

Match User puppet
        # The directives of this Match block were lost in extraction; the two below are
        # reconstructed from the description that follows (chroot jail in /home/puppet,
        # SFTP only, no shell). sshd_config does not allow trailing comments, so they sit
        # on their own lines.
        ChrootDirectory /home/puppet
        ForceCommand internal-sftp
As you can see, we have put the user puppet in a chroot jail. In this way the user cannot move freely around the file system. Two things must be right for the jail to work:

1. Configure the permissions of /home/puppet correctly. Since it is a chroot jail, sshd requires it (and every parent directory) to be owned by root and not writable by group or others:
   drwxr-xr-x 5 root root 4096 Aug 28 2013 puppet
   The owner must be root. Inside /home/puppet we will create folders owned by puppet, which is where the user will actually be able to write.

2. Disable the login shell for the user puppet. In this way he will only be able to upload and download files, not use a terminal:
   [root@myfileserver home]# grep puppet /etc/passwd
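The two checks above are exactly the ones sshd applies before it will chroot a user, and getting them wrong produces an unhelpful "bad ownership or modes for chroot directory" error on the server. The script below, an added example that is not part of the original post, verifies both rules: it parses a line of `ls -ld` output (the same format shown in step 1) and a line of /etc/passwd (step 2), and the `check_sftp_user` wrapper runs both against the live system, walking from the home directory up to / because sshd checks every path component. The user name and the nologin shell paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for a chrooted SFTP
# account. sshd refuses ChrootDirectory unless the directory and every parent
# are owned by root and not writable by group or others, and the account must
# have a non-interactive shell so it cannot get a terminal.

# ls_line_ok "LS_LD_LINE": takes one line of `ls -ld DIR` output.
# Returns 0 when the owner is root and neither group nor others may write.
ls_line_ok() {
  set -- $1                        # split the line on whitespace
  perms=$1; owner=$3               # e.g. drwxr-xr-x and root
  [ "$owner" = "root" ] || return 1
  case "$perms" in
    ?????w*) return 1 ;;           # 6th character is the group write bit
  esac
  case "$perms" in
    ????????w*) return 1 ;;        # 9th character is the other write bit
  esac
  return 0
}

# passwd_line_ok "PASSWD_LINE": takes one line of /etc/passwd.
# Returns 0 when the login shell (7th field) is a non-interactive one.
passwd_line_ok() {
  shell=${1##*:}                   # everything after the last colon
  case "$shell" in
    */nologin|/bin/false) return 0 ;;   # assumed nologin shells
    *) return 1 ;;
  esac
}

# check_sftp_user USER: run both checks on the live system (needs root to
# read every parent directory). Not exercised by the constructed test data.
check_sftp_user() {
  user=$1
  line=$(grep "^$user:" /etc/passwd) || { echo "no such user: $user"; return 1; }
  passwd_line_ok "$line" || { echo "$user still has a login shell"; return 1; }
  dir=$(printf '%s' "$line" | cut -d: -f6)          # home directory field
  while [ -n "$dir" ] && [ "$dir" != "/" ]; do
    ls_line_ok "$(ls -ld "$dir")" || { echo "bad owner or mode on $dir"; return 1; }
    dir=$(dirname "$dir")                           # climb towards /
  done
  echo "$user is ready for ChrootDirectory"
}

# Usage on the file server: check_sftp_user puppet
```

The permission test deliberately looks only at the two write bits rather than at the whole mode string, because a chroot root of 0755 or 0750 is fine while 0775 is not; the owner test is separate because a root-owned but group-writable directory fails for the same reason.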
Ok, now the HAProxy configuration. We only need a LISTEN and a BACKEND section (the extraction had split the configuration into two overlapping fragments; they are merged into one here, and the explanatory comments are kept on the lines they describe):

listen sftp-in                     # section name not given in the post, any name works
    bind :2121                     # HAPROXY will listen on port 2121
    mode tcp                       # set TCP protocol
    acl white_list src 184.108.40.206 220.127.116.11   # define an ACL. It is like an array of IP addresses
    tcp-request content accept if white_list   # "tcp-request content accept" runs only if white_list is TRUE, so only the two whitelisted addresses can ask to access the backend
    tcp-request content reject     # the other IPs are not allowed
    default_backend sftp-server01  # redirect the call to the sftp backend

backend sftp-server01
    mode tcp                       # keeps the backend in the same mode as the listen section whatever the defaults section says
    server ftp01 myfileserver.foo.org:22 check port 22
Let's assume that your external HAProxy is known as noodles.foo.org in DNS.
To connect to the SFTP server, open a client (like FileZilla) and point it to:
SFTP://noodles.foo.org:2121 username: puppet password: puppet.123