
Docker Compose - SFTP: Managing files securely

Good morning everyone! I hope this finds you well. Today I want to share with you almost a version 2.0 of my old article Docker Compose - Server FTP. This text was born from my desire to bring some security improvements and best practice tips.

Don't get me wrong, the previous text has its charm. If you want to spin up a basic and fast FTP server, that's your go-to.

Well, in case you don't know the SFTP protocol (Secure File Transfer Protocol or SSH File Transfer Protocol), it is a network file transfer protocol like FTP, but it uses SSH to encrypt commands and data (during transmission).

Who can, can; who can't, won't

I advise creating a directory with two subdirectories: one for files and another to persist credentials.

sftp
|-- files
|-- creds

To avoid permission problems, we should guarantee the correct access rights to prevent issues when erasing or editing files created by the Docker container.

To do this, I advise finding out which user will be used and adding the directories to that user's group, as well as setting permissions via chmod.

Note: If the user who created the directories is the same one who will execute the docker container, this step might not be necessary, though it is recommended.

For simplicity's sake, I'll assume that the user being used in the shell is the same one running Docker, so let's go!

1 - Discover the current user using whoami:

➜ whoami
alexandre

2 - In my case, the user is alexandre. Now let's check the user's ID:

➜ id
uid=1000(alexandre) gid=1000(alexandre) grupos=1000(alexandre),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),100(users),116(lpadmin),987(docker)

3 - Do you see the uid value, followed by our username in parentheses? The number before the parentheses is what we want. In my case, it's 1000. We'll need this when we create the users with access to SFTP.

4 - Hand the directories over to your user and group with the chown command on the folder we are working in, giving the owner in the format user:group.

chown -R alexandre:alexandre ./sftp

5 - Adding permissions: the creator of the file and the group can read, edit, and delete data, while others can only execute read operations (774).

chmod 774 -R ./sftp

Creating the users file

The application we are using today allows users to be passed via a file. I think this method is easier to manage than via command line or env vars, so let's create this file.

Just create a file named users.conf and add the user information in the following format: username:password:uid. I will explain each field:

  • username: Can be any username, including your current user (my case).
  • password: I will leave it blank because we'll use an SSH key to authenticate.
  • uid: The UID we got in the previous step (if you're in a hurry, try 1000 or 1001).

My users.conf content will look like this:

alexandre::1000

Generating SSH keys

To generate the keys, I will use ssh-keygen, which usually comes installed on Ubuntu.

1 - Enter the creds directory inside /sftp.

2 - Use the command ssh-keygen -t rsa and type the filename. It can be any name; I used key.

3 - After that, it asks if you want to add a passphrase. It's optional. I usually don't set one, remembering that if added, it'll be requested upon every access.
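As an added example (not from the original post, and not a script shipped by atmoz/sftp), the following POSIX shell script automates the directory layout, the users.conf entry and the key pair from the three sections above, and adds a check I find useful: it verifies that the uid written to users.conf matches the owner of the files directory, which is exactly the mismatch that causes the permission problems mentioned earlier. The script assumes ssh-keygen is installed and that the directory name (./sftp) and key name (key) are the ones used in this article; the private key is re-set to mode 600 after the recursive chmod, because ssh clients refuse a private key that is readable by the group.

```shell
#!/bin/sh
# Added example: prepare the sftp/ directory for the atmoz/sftp container.
# Assumptions: same user runs the shell and docker; key name "key"; no passphrase.

# Build one users.conf entry in the post's format username:password:uid.
# The password field stays empty because authentication uses the SSH key.
sftp_user_entry() {
  printf '%s::%s\n' "$1" "$2"
}

# Validate a users.conf line: non-empty username, empty password, numeric uid.
# Extra fields after the uid (gid, directory) are tolerated and ignored.
validate_user_entry() {
  _name=${1%%:*}
  _rest=${1#*:}
  _pass=${_rest%%:*}
  _uid=${_rest#*:}
  _uid=${_uid%%:*}
  [ -n "$_name" ] || return 1
  [ -z "$_pass" ] || return 1        # a filled password would sit in clear text on disk
  case "$_uid" in
    ''|*[!0-9]*) return 1 ;;         # uid must be a plain number
  esac
  return 0
}

# Check that the uid in users.conf equals the owner uid of the files directory,
# so anything the container writes is owned by the host user.
check_uid_matches() {
  _entry=$(head -n 1 "$1/users.conf")
  _uid=${_entry#*:}
  _uid=${_uid#*:}
  _uid=${_uid%%:*}
  _owner=$(ls -ldn "$1/files" | awk '{print $3}')
  [ "$_uid" = "$_owner" ]
}

# Create files/ and creds/, write users.conf for the current user, generate the
# key pair and apply the permissions described in the post (chown/chmod 774).
setup_sftp_dir() {
  _root="$1"
  _user=$(id -un)
  _id=$(id -u)
  mkdir -p "$_root/files" "$_root/creds"
  sftp_user_entry "$_user" "$_id" > "$_root/users.conf"
  validate_user_entry "$(head -n 1 "$_root/users.conf")" || return 1
  # -N '' means no passphrase, matching step 3 above; skip if the key exists.
  [ -f "$_root/creds/key" ] || ssh-keygen -q -t rsa -b 4096 -N '' -f "$_root/creds/key"
  chown -R "$_user:$(id -gn)" "$_root"
  chmod -R 774 "$_root"
  chmod 600 "$_root/creds/key"       # private key must be readable by its owner only
  check_uid_matches "$_root"
}

# Usage: sh setup_sftp.sh ./sftp
if [ "$#" -gt 0 ]; then
  setup_sftp_dir "$1"
fi
```

Run it once from the parent of the sftp directory; afterwards users.conf, creds/key and creds/key.pub are in place for the compose file that follows.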

After the Odyssey, Ulysses returns home

Now for the best part. Here is the docker compose of happiness:

services:
  sftp:
    image: atmoz/sftp
    restart: 'unless-stopped' 
    volumes:
        - ./files:/home/alexandre/upload                          # The files will be maintained here
        - ./creds/key.pub:/home/alexandre/.ssh/keys/key.pub:ro    # Sharing keys with the service
        - ./users.conf:/etc/sftp/users.conf:ro                    # Adding users
    ports:
        - 2222:22                                                 # The exposed port will be 2222

And to spin it up, you just need to execute:

docker compose up -d

How to connect

If you want a tip for a client to connect to your freshly created service, I recommend the classic FileZilla. See below how to use it:

1 - Open the Site Manager in the File tab:

[Screenshot: File > Site Manager]

2 - Follow the suggested config:

[Screenshot: Site Manager configuration]

  • Protocol: SFTP
  • Host: localhost
  • Port: 2222 - Normally port 22 is used, but I redirected it to 2222 to avoid conflicts with other ports.
  • Logon Type: Key file
  • User: alexandre - Add the user from the users.conf file.
  • Key file: Use the private key (without .pub) we created in the step [Generating SSH keys].
  • Background color: It depends on your taste.

3 - Voilà! Now just enjoy making your dubious deployments or keeping your "green steam" files on your favorite SFTP (a father's and mother's love knows no bounds).

That's all, folks!

I hope this text is useful for you. It became a little longer than I expected, but I wanted to explain everything thoroughly (I hope I achieved that 😅).

However, if you have any questions, just leave a comment below and I'll be happy to answer them!
