Deploying to gh-pages from @ ec3c1be 🚀

nginx-reverse-proxy/index.html

@@ -1922,7 +1922,8 @@
 
 
 <h1 id="nginx-reverse-proxy-ovh">NGINX Reverse proxy (OVH)<a class="headerlink" href="#nginx-reverse-proxy-ovh" title="Permanent link">#</a></h1>
-<p>At OVH and at Free we have a LXC container dedicated to reverse proxy http/https applications. It serves applications that are located in servers at the same provider (and same Proxmox cluster).</p>
+<p>At OVH and at Free we have a LXC container dedicated to reverse proxy http/https applications.</p>
+<p>It serves applications that are located in servers at the same provider (and same Proxmox cluster).</p>
 <h2 id="network-specific-interface">Network specific interface<a class="headerlink" href="#network-specific-interface" title="Permanent link">#</a></h2>
 <p>It as a specific network configurations with two ethernet address:</p>
 <ul>

producers_sftp/index.html

@@ -1726,10 +1726,26 @@
 <h1 id="producers-sftp">Producers SFTP<a class="headerlink" href="#producers-sftp" title="Permanent link">#</a></h1>
 <p>We have a producer SFTP which is part of the producer platform.</p>
 <p>This sftp is used by producers who send files for regular automated updates of their products.</p>
-<p>The sftp is located on off1.openfoodfacts.org</p>
-<p>The <code>/home/sftp</code> folder links to <code>/srv/sftp/</code> and contains home for sftp users.</p>
+<p>The sftp is located on the reverse proxy container (because it needs it's own network interface).</p>
+<p>The sftp directory is a ZFS dataset in <code>zfs-hdd/off-pro/sftp</code>.
+It is mounted as <code>/mnt/off-pro/sftp</code>:</p>
+<ul>
+<li>in the reverse proxy to give access to producers themselves (through sftp)</li>
+<li>and in off-pro container to give access to files to the producers platform.</li>
+</ul>
+<p>In the reverse proxy container, the sftp is configured in /etc/ssh/sshd_config.d/sftp.conf which is a symlink to <code>confs/proxy-off/sshd_config/sftp.conf</code> in this repository.</p>
+<p>If a producer want's to connect with a key, put the public key in a file named <code>/mnt/off-pro/sftp/&lt;username&gt;_authorized_keys</code>.</p>
 <h2 id="adding-a-new-sftp-user">Adding a new sftp user<a class="headerlink" href="#adding-a-new-sftp-user" title="Permanent link">#</a></h2>
-<p>Use the script <a href="../scripts/off1/add_sftp_user.pl"><code>add_sftp_user.pl</code></a> (present in <code>/home/script</code>) with user root.</p>
+<p>Use the script <a href="../scripts/off1/add_sftp_user.pl"><code>add_sftp_user.pl</code></a> (present in <code>script/off-proxy</code>) with user root in the reverse proxy container.</p>
+<p><strong>:fire: IMPORTANT :fire::</strong> every user <strong>must be in <code>sftponly</code> group</strong> and only in this one.</p>
+<p>You may eventually communicate the server key fingerprint to the producer 
+(get it with <code>ssh-keyscan $(hostname) | ssh-keygen -lf -</code>)</p>
+<p>It's better to test access before sending the mail to the producer:</p>
+<div class="highlight"><pre><span></span><code>lftp<span class="w"> </span>sftp://[email protected]
+password:
+&gt;<span class="w"> </span>ls
+</code></pre></div>
+<p>(issue at least an <code>ls</code> because <code>lftp</code> only try to connect at the first command)</p>