Name: sftp
Category: service
Type: docker
Channel: community

Installs an SFTP service for partners.

Command

athena-services sftp

Infrastructure requirements

Preconditions

athena-infrastructure exchange

Postconditions

athena-infrastructure vpc

Service requirements

Preconditions

athena-services common,consul

Postconditions

athena-services elbtcp

Parameters

Global SFTP configuration

Global default values

  • ssh_kex_algorithms - list (comma separated string) of KEX (Key Exchange) algorithms
  • ssh_ciphers - list (comma separated string) of allowed SSHv2 ciphers in order of preference
  • ssh_macs - list (comma separated string) of MAC (message authentication code) algorithms in order of preference
  • base_dir - base directory for data storage, available (mounted) locally. When to use: shared (e.g. NFS) data storage behind multiple SFTP nodes that sit behind an AWS Load Balancer.

For more information on the ssh_* parameters please refer to the following resources:

Example:

    sftp_global_configuration:
    #  ssh_kex_algorithms: "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org"
    #  ssh_ciphers: "3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com"
    #  ssh_macs: "hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com"
    #  base_dir: /var/data/sftp-shared-nfs/

Multiple SFTP endpoints

  • sftp_partners - list of service endpoints

  • endpoint structure

    • Mandatory
      • name - unique service name
      • port - service port, unique per instance
      • uid - UID of the sftp service user
      • dirs - list of directories created in the sftp chroot
      • ips - list of white-listed (allowed) ingress IP ranges in CIDR notation
    • Optional
      • ssh_kex_algorithms - list (comma separated string) of KEX (Key Exchange) algorithms
      • ssh_ciphers - list (comma separated string) of allowed SSHv2 ciphers in order of preference
      • ssh_macs - list (comma separated string) of MAC (message authentication code) algorithms in order of preference

For more information on the ssh_* parameters please refer to the following resources:

Examples

Input parameters in the environment-specific group_vars

    # SFTP partner instances
    sftp_partners:
      -
        name: "-partner1"
        port: 30122
        uid: 30122
        dirs:
          - "share"
          - "upstream"
          - "downstream"
        ips:
          # NOTE: a /0 prefix length matches every source address, so these two
          # entries do not restrict ingress; use the intended mask (e.g. /24).
          - "10.10.34.0/0"
          - "10.10.27.0/0"
      -
        name: "-partner2"
        port: 30123
        uid: 30123
        dirs:
          - "share"
          - "upstream"
          - "downstream"
        ips:
          - "0.0.0.0/0"
        ssh_kex_algorithms: "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org"
        ssh_ciphers: "3des-cbc,blowfish-cbc,cast128-cbc,arcfour,arcfour128,arcfour256,aes128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com"
        ssh_macs: "hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com"
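The endpoint structure above is easy to get wrong in ways the role cannot catch at deploy time: a duplicate port or uid, a /0 prefix that admits every source address, or a legacy cipher left in ssh_ciphers. The following is an added example, not code from the athena sftp role, that lints an sftp_partners list before it is committed to group_vars; the weak-algorithm deny lists and the SAMPLE_PARTNERS data are assumptions constructed for the example.

```python
import ipaddress

# Assumed deny lists of algorithms widely retired by SSH hardening guidance;
# they are not defaults of the role.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}
WEAK_CIPHERS = {"3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128",
                "arcfour256", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "hmac-ripemd160",
             "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com"}
MANDATORY = ("name", "port", "uid", "dirs", "ips")

# Constructed sample modelled on the README's group_vars example.
SAMPLE_PARTNERS = [
    {"name": "partner1", "port": 30122, "uid": 30122, "dirs": ["share"],
     "ips": ["10.10.34.0/24"]},
    {"name": "partner2", "port": 30122, "uid": 30123, "dirs": ["share"],
     "ips": ["0.0.0.0/0", "10.10.27.0/0"],
     "ssh_ciphers": "3des-cbc,aes256-ctr,chacha20-poly1305@openssh.com",
     "ssh_macs": "hmac-md5,hmac-sha2-512-etm@openssh.com"},
]

def check_partners(partners):
    """Return findings (strings) for an sftp_partners list; empty means clean."""
    findings = []
    seen = {"name": set(), "port": set(), "uid": set()}
    for p in partners:
        label = p.get("name", "<unnamed>")
        missing = [k for k in MANDATORY if k not in p]
        if missing:
            findings.append(f"{label}: missing mandatory key(s) {missing}")
        for key, values in seen.items():  # name/port/uid must be unique
            if key in p and p[key] in values:
                findings.append(f"{label}: duplicate {key} {p[key]}")
            values.add(p.get(key))
        for cidr in p.get("ips", []):
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"{label}: invalid CIDR {cidr!r}")
                continue
            if net.prefixlen == 0:
                findings.append(f"{label}: {cidr} admits every source address")
        for key, weak in (("ssh_kex_algorithms", WEAK_KEX),
                          ("ssh_ciphers", WEAK_CIPHERS), ("ssh_macs", WEAK_MACS)):
            algs = {a.strip() for a in p.get(key, "").split(",")}
            for alg in sorted(algs & weak):
                findings.append(f"{label}: {key} enables weak algorithm {alg}")
    return findings
```

Running check_partners over the parsed group_vars (e.g. via yaml.safe_load) in CI blocks a merge that would open an endpoint to the world or re-enable a retired cipher.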

Playbook in the environment-specific services.yml

    # Setup SFTP services (SFTP / Exchange boxes)
    - hosts: Exchange
      user: ""
      roles:
        -
          role: sftp
          tags:
            - sftp

    # Establish SFTP partner access.
    # (Exposes the SFTP services publicly behind AWS Load Balancers)
    - hosts: Bastion
      connection: local
      roles:
        -
          role: defaults
          tags:
            - elbtcp
            - sftp
        -
          role: elb-tcp
          ec2_subnet:
            - "ELBA"
            - "ELBB"
          elb_tcp_port: "22"
          elb_sg: "Exchange"
          tags:
            - elbtcp
            - sftp

License

Athena License, Copyright by Knowledgeprice