megabyte-labs / install.doctor

A glorious combination of application / theme settings and a performant cross-platform, desktop-oriented software suite.
https://megabyte.space

Create Optimized SFTPGo Configuration #80

Open ProfessorManhattan opened 1 year ago

ProfessorManhattan commented 1 year ago

💡 Feature/Idea

Create an optimized SFTPGo configuration so SFTPGo can be used as a service, providing SFTP access and more. The configuration is located at home/dot_local/etc/sftpgo/sftpgo.json.tmpl.

  1. Configure ACME to automatically acquire LetsEncrypt certificates. We should leverage the CloudFlare secrets to automatically handle the validation: https://github.com/go-acme/lego/blob/master/providers/dns/cloudflare/cloudflare.go
  2. Do research on GitHub and look for other configurations and incorporate useful settings from them. For instance, optimize the defender configuration.
  3. Configure SFTPGo to utilize CloudFlare tunnels. This will involve adding a section to home/dot_local/etc/cloudflared
  4. Set up branding to use Install Doctor logos etc.
  5. Look into whether we can provide access to the files stored in the S3 buckets through the SFTPGo interfaces (like the web interface) --- see https://github.com/drakkan/sftpgo/blob/main/docs/s3.md
  6. Scope the access to be restricted to the user's home folder
  7. Configure to use MOTD banner
  8. More.. research and figure out the optimal settings that integrate with our current system
  9. Configure SFTPGo to use JumpCloud as the LDAP provider
  10. Look into implementing https://github.com/drakkan/sftpgo/blob/main/docs/sftp-subsystem.md --- are there any drawbacks from implementing this feature?

SFTPGo has a lot of powerful options and I'd like to set up all the ones we can configure headlessly.

:thumbsup: Can you contribute?

No response
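As an added illustration of what "optimize the defender configuration" (item 2) and the MOTD banner (item 7) can look like in `sftpgo.json`, here is a fragment that turns on SFTPGo's built-in brute-force protection and a pre-authentication banner. It is example content written for this issue, not the contents of `home/dot_local/etc/sftpgo/sftpgo.json.tmpl`; the keys are SFTPGo's documented configuration keys, while the numeric values, the safelist entries and the banner path are assumptions chosen to show the shape of a hardened setup:

```json
{
  "common": {
    "max_total_connections": 50,
    "max_per_host_connections": 10
  },
  "defender": {
    "enabled": true,
    "driver": "memory",
    "ban_time": 60,
    "ban_time_increment": 50,
    "threshold": 10,
    "score_invalid": 2,
    "score_valid": 1,
    "score_limit_exceeded": 3,
    "score_no_auth": 0,
    "observation_time": 30,
    "entries_soft_limit": 100,
    "entries_hard_limit": 150,
    "safelist_file": "",
    "blocklist_file": "",
    "safelist": ["127.0.0.1", "::1"],
    "blocklist": []
  },
  "sftpd": {
    "max_auth_tries": 3,
    "login_banner_file": "/etc/sftpgo/banner.txt"
  }
}
```

The defender is disabled by default; with it enabled, each failed login from a host adds `score_invalid` (an invalid user) or `score_valid` (a bad password for a real user) to that host's score within the `observation_time` window (minutes), and reaching `threshold` bans the host for `ban_time` minutes, growing by `ban_time_increment` percent on each repeat ban. The `memory` driver keeps the ban list per process and loses it on restart, which is fine for a single-node service; `max_auth_tries` caps attempts per SSH connection independently of the defender, and the safelist keeps local health checks from ever being banned.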

enggnr commented 9 months ago
  1. Configure ACME to automatically acquire LetsEncrypt certificates. We should leverage the CloudFlare secrets to automatically handle the validation: https://github.com/go-acme/lego/blob/master/providers/dns/cloudflare/cloudflare.go

For using DNS verification, it is necessary to use the lego (or another) tool. The ACME protocol support built into SFTPGo supports only HTTP-01 and TLS-ALPN-01 - see.

  2. Do research on GitHub and look for other configurations and incorporate useful settings from them. For instance, optimize the defender configuration.

Did not find many custom configurations. We may have to use the settings that work best for our setup.

  3. Configure SFTPGo to utilize CloudFlare tunnels

This is complete.

enggnr commented 9 months ago
  4. Set up branding to use Install Doctor logos etc.

This is done. Updated the config to use Megabyte/ID logos and favicon.

  5. Look into whether we can provide access to the files stored in the S3 buckets through the SFTPGo interfaces (like the web interface) --- see https://github.com/drakkan/sftpgo/blob/main/docs/s3.md

Yes, this is possible by creating the user with S3 as the backend, or providing a virtual folder. Do you have any specific setting in mind for this - should it be the home folder for a given user, or have multiple users have folders in a given bucket, etc.? There are quite a few options available.

  6. Scope the access to be restricted to the user's home folder

It appears that this is the default. SFTPGo users have home/virtual folders configured in their account. This can be a local folder, a remote folder or an S3-compatible backend, and the actions they perform are restricted to these. This is controlled by the permissions granted.

  7. Configure to use MOTD banner

Added a banner in the config folder of sftpgo. For now it is the same as the banner for SSH.

  10. Look into implementing https://github.com/drakkan/sftpgo/blob/main/docs/sftp-subsystem.md --- are there any drawbacks from implementing this feature?

I read in some of the issues where the developer says they do not recommend this. It has some limitations when compared to using standalone SFTPGo - like restricted data providers, being unable to limit user sessions, and reduced ciphers. It may be best to have SFTPGo completely separated from SSH.
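To make the two answers above concrete (a user whose backend is an S3 bucket, and access scoped to that user's own area by permissions), here is an example SFTPGo user definition of the kind that can be submitted to the REST API's `POST /api/v2/users` or imported with the CLI. This is added example content, not a user from the Install Doctor configuration; the field names are SFTPGo's user schema, while the username, paths, bucket name, region, size limit and the `<...>` credential placeholders are assumptions:

```json
{
  "username": "alice",
  "status": 1,
  "home_dir": "/srv/sftpgo/data/alice",
  "permissions": {
    "/": ["list", "download", "upload", "delete", "rename", "create_dirs"],
    "/incoming": ["list", "upload"]
  },
  "filters": {
    "allowed_ip": [],
    "denied_ip": [],
    "denied_protocols": ["FTP"],
    "max_upload_file_size": 1073741824
  },
  "filesystem": {
    "provider": 1,
    "s3config": {
      "bucket": "example-files",
      "region": "us-east-1",
      "access_key": "<ACCESS_KEY_PLACEHOLDER>",
      "access_secret": { "status": "Plain", "payload": "<SECRET_PLACEHOLDER>" },
      "key_prefix": "alice/"
    }
  }
}
```

`provider` 1 selects the S3 backend, and `key_prefix` (which must end with `/`) is the part that scopes this user to one "folder" of the shared bucket: every path the user sees is resolved under that prefix, so multiple users can share a bucket with per-user prefixes, and the IAM credentials used here should themselves be limited to that prefix so the application-level scoping is backed by a bucket policy. The `permissions` map is keyed by virtual path relative to the user's root; the entry for a sub-path overrides the one for `/`, which is how `/incoming` becomes an upload-only drop box while the rest of the home allows normal file management. `home_dir` is still required for an S3 user because SFTPGo uses it for local temporary state, and `status` 1 means the account is enabled.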

enggnr commented 9 months ago
  8. More.. research and figure out the optimal settings that integrate with our current system

enggnr commented 9 months ago
  9. Configure SFTPGo to use JumpCloud as the LDAP provider

This is complete. Please review the settings where the Bind DN information is passed to see if this can be improved.