feat: new sftp configuration

openfoodfacts · Nov 29, 2023 · ec7aac2 · ec7aac2
1 parent 7d8a65c
commit ec7aac2
Show file tree

Hide file tree

Showing 6 changed files with 166 additions and 330 deletions.
diff --git a/confs/proxy-off/sshd_config/sftp b/confs/proxy-off/sshd_config/sftp
diff --git a/confs/proxy-off/sshd_config/sftp.conf b/confs/proxy-off/sshd_config/sftp.conf
@@ -0,0 +1,17 @@
+# Configuration of sftp users
+#
+# sftp is used by producers or other data providers to submit data to integrate to openfoodfacts
+#
+
+# sftp configuration, for all users of sftponly group
+Match Group sftponly
+	# %u is local use id
+	# force user to stay in is directory
+	ChrootDirectory /mnt/off-pro/sftp/%u
+	# public keys are in sftp directory
+	AuthorizedKeysFile /mnt/off-pro/sftp/%u_authorized_keys
+	# some security parameters
+	X11Forwarding no
+	AllowTcpForwarding no
+	# only allow sftp
+	ForceCommand internal-sftp
diff --git a/docs/nginx-reverse-proxy.md b/docs/nginx-reverse-proxy.md
@@ -1,6 +1,8 @@
 # NGINX Reverse proxy (OVH)
 
-At OVH and at Free we have a LXC container dedicated to reverse proxy http/https applications. It serves applications that are located in servers at the same provider (and same Proxmox cluster).
+At OVH and at Free we have a LXC container dedicated to reverse proxy http/https applications.
+
+It serves applications that are located in servers at the same provider (and same Proxmox cluster).
 
 ## Network specific interface
 

diff --git a/docs/producers_sftp.md b/docs/producers_sftp.md
@@ -4,10 +4,32 @@ We have a producer SFTP which is part of the producer platform.
 
 This sftp is used by producers who send files for regular automated updates of their products.
 
-The sftp is located on off1.openfoodfacts.org
+The sftp is located on the reverse proxy container (because it needs it's own network interface).
 
-The `/home/sftp` folder links to `/srv/sftp/` and contains home for sftp users.
+The sftp directory is a ZFS dataset in `zfs-hdd/off-pro/sftp`.
+It is mounted as `/mnt/off-pro/sftp`:
+* in the reverse proxy to give access to producers themselves (through sftp)
+* and in off-pro container to give access to files to the producers platform.
+
+In the reverse proxy container, the sftp is configured in /etc/ssh/sshd_config.d/sftp.conf which is a symlink to `confs/proxy-off/sshd_config/sftp.conf` in this repository.
+
+If a producer want's to connect with a key, put the public key in a file named `/mnt/off-pro/sftp/<username>_authorized_keys`.
 
 ## Adding a new sftp user
 
-Use the script [`add_sftp_user.pl`](../scripts/off1/add_sftp_user.pl) (present in `/home/script`) with user root.
+Use the script [`add_sftp_user.pl`](../scripts/off1/add_sftp_user.pl) (present in `script/off-proxy`) with user root in the reverse proxy container.
+
+**:fire: IMPORTANT :fire::** every user **must be in `sftponly` group** and only in this one.
+
+You may eventually communicate the server key fingerprint to the producer 
+(get it with `ssh-keyscan $(hostname) | ssh-keygen -lf -`)
+
+It's better to test access before sending the mail to the producer:
+
+```bash
+lftp sftp://[email protected]
+password:
+> ls
+```
+
+(issue at least an `ls` because `lftp` only try to connect at the first command)
diff --git a/scripts/off1/add_sftp_user.pl b/scripts/off1/add_sftp_user.pl