Use HAProxy to publish an internal SFTP server

Hi guys,
In this post we will see how to publish an internal SFTP server safely on the Internet by passing it through HAProxy. HAProxy works here as a plain TCP relay: the SSH encryption and the host key remain those of the internal server, and what HAProxy adds is a single choke point in front of it.
In the example we increase security by allowing only particular external IP addresses to reach the backend at all.


Let’s prepare the internal backend

An example of my SSH configuration (edit the file /etc/ssh/sshd_config):

ChrootDirectory none
# override default of no subsystems
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
Subsystem       sftp    internal-sftp

# Every user may log in from our internal LAN; from (our HAProxy server) only the user "puppet" may log in
AllowUsers *@192.168.0*
AllowUsers puppet@

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
Match User puppet
        ChrootDirectory /home/puppet
        ForceCommand internal-sftp

As you can see, we have put the user puppet in a chroot jail: for him /home/puppet becomes / and he cannot navigate outside it into the rest of the file system. ForceCommand internal-sftp makes sure that, whatever his login shell is, sshd only ever runs the SFTP subsystem for him. Note that ForceCommand does not stop TCP forwarding; if puppet must not be able to pivot into the LAN through his SSH session, also add AllowTcpForwarding no (and X11Forwarding no) to the Match block, as the commented anoncvs example shows.

Remember to:
1. Set the permissions of /home/puppet correctly. sshd requires the chroot directory, and every directory above it, to be owned by root and not writable by group or others; otherwise the login fails and the log shows "bad ownership or modes for chroot directory". On my server:
drwxr-xr-x 5 root root 4096 Aug 28 2013 puppet
The owner must be root, so the user cannot write in the top level of his own jail.
Inside /home/puppet we will create the folders the user actually writes to, owned by puppet.

2. Disable the login shell for the user puppet. ForceCommand already limits what sshd runs for him, but a non-interactive shell such as /sbin/nologin is a second lock in case the Match block is ever removed: he will be able only to upload and download files, never to get a terminal.

[root@myfileserver home]# cat /etc/passwd | grep puppet
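Steps 1 and 2 are easy to get slightly wrong, and sshd only tells you in its log. The script below is an added example, not part of the original post: it creates the jail layout the post uses and then verifies what sshd will verify, namely that /home/puppet and every directory above it are root-owned and not group- or world-writable. It assumes a Linux host with GNU stat, coreutils install, shadow-utils usermod and /sbin/nologin (RHEL-style paths, matching the /usr/libexec path in the sshd_config above). The OWNER_UID and TOP parameters of the check exist only so that the check can be exercised in a sandbox without root; for a real sshd chroot keep the defaults.

```shell
#!/bin/sh
# Added example (not from the original post): prepare and verify an SFTP chroot.
# sshd refuses a ChrootDirectory unless it AND every directory above it are
# owned by root and writable by nobody else ("bad ownership or modes for
# chroot directory" in the log). Assumes GNU stat (-c '%u %a').

# check_chroot_path DIR [OWNER_UID] [TOP]
# Walks from DIR up to TOP (default /) and fails on the first component that is
# not owned by OWNER_UID (default 0 = root) or is group/world writable.
# OWNER_UID and TOP are only there to exercise the check in a sandbox;
# for a real sshd chroot use the defaults, which mirror sshd's own check.
check_chroot_path() {
    p=$1
    want_uid=${2:-0}
    top=${3:-/}
    while :; do
        info=$(stat -c '%u %a' "$p") || return 1
        uid=${info% *}
        mode=${info#* }
        if [ "$uid" -ne "$want_uid" ]; then
            echo "$p: owned by uid $uid, sshd wants uid $want_uid" >&2
            return 1
        fi
        # 022 (octal) = group-write | other-write; either bit is fatal for sshd
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$p: mode $mode is group- or world-writable" >&2
            return 1
        fi
        [ "$p" = "$top" ] && break
        p=$(dirname "$p")
        # reached / without passing TOP: TOP was not an ancestor of DIR
        [ "$p" = / ] && [ "$top" != / ] && return 1
    done
    return 0
}

# setup_sftp_jail USER   (run as root on the SFTP host)
# Layout used by the post: /home/USER is the root-owned jail; the directories
# the user writes to live inside it and belong to the user. Assumes a group
# named like the user exists (RHEL user-private groups) and /sbin/nologin.
setup_sftp_jail() {
    user=$1
    jail=/home/$user
    install -d -o root -g root -m 0755 "$jail"            # jail top: root, 755
    install -d -o "$user" -g "$user" -m 0750 "$jail/upload" # writable area for the user
    usermod -s /sbin/nologin "$user"                       # no interactive shell
    check_chroot_path "$jail"                              # what sshd will check at login
}

# Usage on the file server (as root): setup_sftp_jail puppet
```

After running it, `ls -ld /home/puppet` should show the same `drwxr-xr-x ... root root` line as in the post, and `check_chroot_path /home/puppet` prints nothing and returns 0; any complaint it prints is the same condition sshd would refuse.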

OK, now the HAProxy configuration. We need only a listen section and a backend section:

listen sftp-server
    bind :2121
    mode tcp
    acl white_list src
    tcp-request content accept if white_list
    tcp-request content reject
    default_backend sftp-server01

backend sftp-server01
    mode tcp
    server ftp01 check port 22

Some explanations:
bind :2121 # HAProxy listens on port 2121 on all its addresses; the backend keeps listening on 22
mode tcp # plain TCP relay: HAProxy does not look inside the SSH stream, so encryption and host key are still those of the internal server
acl white_list src # define an ACL named white_list: a list of client source addresses (single IPs or CIDR networks) that the rules below can test
tcp-request content accept if white_list # "tcp-request content accept" runs only when white_list is true, so only and can reach the backend
tcp-request content reject # every other source address is dropped before a single byte reaches the backend
default_backend sftp-server01 # hand the accepted connection to the SFTP backend

Two caveats for SSH behind a TCP relay. First, the backend sees every external session as coming from the HAProxy address: OpenSSH does not speak the PROXY protocol and in mode tcp there is no header to carry the client IP. That is exactly why sshd_config restricts the user puppet to connections coming from the HAProxy address, and it also means the real client IP is only in the HAProxy log (enable option tcplog), not in the sshd log on the backend. Second, an SFTP session can sit idle for a long time between transfers, so set timeout client and timeout server in HAProxy well above the short defaults of a typical install, or idle sessions will be cut. Since the decision here depends only on the source address, it can also be taken at accept time with tcp-request connection reject if !white_list, which needs no inspection buffer at all.
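As an added example (not the original post's configuration), the script below renders the same front end from a whitelist file and refuses to produce a config if any entry is not an IPv4 address or CIDR network, since a typo in the ACL silently changes who gets in. It differs from the listen section above in three ways a practitioner would want: the whitelist is checked with tcp-request connection at accept time instead of tcp-request content, client and server timeouts are raised to suit long SFTP sessions, and the backend address is a parameter because it is not shown on this page. The addresses in the comments and in the sample whitelist (192.0.2.10, 203.0.113.10, 198.51.100.0/24) are documentation ranges chosen for illustration, and the haproxy binary is only used for `haproxy -c` if it happens to be installed.

```shell
#!/bin/sh
# Added example (not from the original post): render and sanity-check the
# HAProxy TCP-mode front end for the SFTP backend from a whitelist file.
# Assumes POSIX sh with grep -E; the backend address and the whitelist
# entries are supplied by the caller (nothing here is taken from a real site).

# valid_ipv4_cidr ADDR[/PREFIX] -> 0 if the pattern is one HAProxy's `src`
# ACL will match as intended, 1 otherwise (hostname, bad octet, bad prefix).
valid_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32                       # no "/": single host
    printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$prefix" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS
    IFS=.
    for octet in $addr; do
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    return 0
}

# render_sftp_config WHITELIST_FILE BACKEND_ADDR:PORT
# Prints a complete haproxy.cfg on stdout. Blank lines and "#" comments in the
# whitelist are ignored; any other entry that is not IPv4/CIDR aborts with 1,
# and so does an empty whitelist (that would publish SSH to nobody, or worse,
# be "fixed" in a hurry by deleting the ACL).
render_sftp_config() {
    list=$1
    backend=$2
    patterns=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -z "$line" ] && continue
        valid_ipv4_cidr "$line" || { echo "bad whitelist entry: $line" >&2; return 1; }
        patterns="$patterns $line"
    done < "$list"
    [ -n "$patterns" ] || { echo "whitelist is empty, refusing to render" >&2; return 1; }
    cat <<EOF
global
    log /dev/log local0

defaults
    mode tcp
    log global
    option tcplog
    # SFTP sessions are long-lived and often idle; short timeouts cut them mid-session.
    timeout connect 5s
    timeout client  1h
    timeout server  1h

frontend sftp-server
    bind :2121
    acl white_list src$patterns
    # Source address is known at accept time: reject at layer 4, no inspect delay needed.
    tcp-request connection reject if !white_list
    default_backend sftp-server01

backend sftp-server01
    server ftp01 $backend check
EOF
}

# check_config FILE -> run HAProxy's own parser when the binary is available
check_config() {
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -f "$1"
    else
        echo "haproxy not installed here, skipping syntax check" >&2
    fi
}

# Usage on the HAProxy host (addresses are placeholders):
#   render_sftp_config /etc/haproxy/sftp_whitelist.lst 192.0.2.10:22 > /etc/haproxy/haproxy.cfg
#   check_config /etc/haproxy/haproxy.cfg && systemctl reload haproxy
```

If the whitelist grows, HAProxy can read it directly with `acl white_list src -f /etc/haproxy/sftp_whitelist.lst` instead of re-rendering the config; the validation above is still worth running on that file before a reload.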


Let's assume that your external HAProxy is known as in the DNS.
To connect to the SFTP server, open a client (like FileZilla) and point it at that name on port 2121 (the HAProxy port, not 22):


SFTP:// username: puppet password: puppet.123

On the first connection the client shows the host key fingerprint of the internal server, because HAProxy relays the SSH stream unchanged; compare it with the key on the backend before accepting it. For an unattended transfer you would normally give puppet an SSH key rather than a password.



