Use HAProxy to publish an internal SFTP server
In this post we will see how to safely publish an internal SFTP server on the internet, passing through HAProxy.
In the example we will allow only particular external IP addresses, which increases security.
Let’s prepare the internal backend
An example of my SSH configuration (edit the file /etc/ssh/sshd_config):
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
# All users of our internal LAN can try to access; only the user "puppet" can try to access from 10.12.21.32 (our HAPROXY server)
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
Match User puppet
As you can see, we have put the user puppet in a chroot jail. In this way the user cannot navigate freely through the file system.
1. Configure the permissions of /home/puppet correctly. Since it is a chroot jail, it must have these permissions:
drwxr----- 5 root root 4096 Aug 28 2013 puppet
The owner must be root.
Inside /home/puppet we will create folders owned by puppet.
2. Disable the login shell for the user puppet. In this way the user will only be able to upload and download files, not use a terminal:
[root@myfileserver home]# cat /etc/passwd | grep puppet
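Both preconditions above can be verified with a script. The following is an added example, not code from the original post: it audits the chroot directory the way sshd does (every path component must be owned by root, uid 0, and not writable by group or others) and parses an /etc/passwd line to confirm the shell is a non-login one. The set of non-login shells and the required_uid / check_parents parameters are assumptions for this example.

```python
import os
import stat

# Assumption for this example: typical non-interactive shells on RHEL/Debian.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def dir_findings(path, required_uid=0):
    """Problems with one directory of a ChrootDirectory chain (empty list = OK)."""
    st = os.stat(path)
    findings = []
    if not stat.S_ISDIR(st.st_mode):
        findings.append(f"{path}: not a directory")
    if st.st_uid != required_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected uid {required_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group or others (mode {stat.S_IMODE(st.st_mode):04o})")
    return findings


def audit_chroot(path, required_uid=0, check_parents=True):
    """Audit the chroot directory and, by default, every parent up to /.

    sshd refuses a ChrootDirectory unless every path component is a
    root-owned directory that is not group- or world-writable.
    """
    path = os.path.abspath(path)
    findings = dir_findings(path, required_uid)
    while check_parents:
        parent = os.path.dirname(path)
        if parent == path:  # reached /
            break
        findings += dir_findings(parent, required_uid)
        path = parent
    return findings


def login_disabled(passwd_line):
    """True when the /etc/passwd entry (user:x:uid:gid:gecos:home:shell) has a non-login shell."""
    fields = passwd_line.strip().split(":")
    return len(fields) == 7 and fields[6] in NOLOGIN_SHELLS


if __name__ == "__main__":
    # Run on the file server itself, using the paths from the post.
    for problem in audit_chroot("/home/puppet"):
        print(problem)
    with open("/etc/passwd") as pw:
        for line in pw:
            if line.startswith("puppet:"):
                print("puppet login disabled:", login_disabled(line))
```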
Ok, now the HAProxy configuration. We need only a LISTEN and a BACKEND section:

listen sftp-frontend                     # section name is a placeholder; choose your own
    bind :2121                           # HAProxy will listen on port 2121
    mode tcp                             # set TCP mode (SSH is not HTTP)
    acl white_list src 126.96.36.199 188.8.131.52   # define an ACL; it is like an array of IP addresses
    tcp-request content accept if white_list        # accept the connection only when the source IP matches white_list
    tcp-request content reject                      # every other source IP is rejected
    default_backend sftp-server01                   # forward the connection to the SFTP backend

backend sftp-server01
    server ftp01 myfileserver.foo.org:22 check port 22
Let's assume that your external HAProxy host is known in DNS as noodles.foo.org.
To connect to the SFTP server, open a client (like FileZilla) and point it to:
sftp://noodles.foo.org:2121 username: puppet password: puppet.123