SSL and certs for SFTP

roofboard

Hi,

I am setting up some gitlab CI/CD and would like to ftp files onto my wordpress instance. Also I would like to secure with ssl... and certs. Is that possible with cloudron?

Here is the command I was looking at using, any ideas? What layers of security can and can't i have while performing sftp?

update_wpressapi:
  stage: update_wpressapi
  rules:
    - if: '$CI_MERGE_REQUEST_ID && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "main"'
    # && $CI_MERGE_REQUEST_APPROVALS_REQUIRED && $CI_MERGE_REQUEST_APPROVED'

  script:
    - apt-get install -y lftp
    - |
      lftp -e "set ftp:ssl-allow yes; set ftp:ssl-auth TLS; set \
      ftp:ssl-protect-data yes; \
      set ssl:key-file $FTP_SSL_KEY; \
      set ssl:cert-file $FTP_SSL_CERT; \
      cd /path/to/destination; \
      ls -R --max-depth=2; bye" -u \
      $FTP_USERNAME,$FTP_PASSWORD ftps://my.domain.com

    - lftp -e "set ftp:ssl-allow yes; \
      set ftp:ssl-auth TLS; \
      set ftp:ssl-protect-data yes; \
      set ssl:key-file $FTP_SSL_KEY; \
      set ssl:cert-file $FTP_SSL_CERT; \
      put base-plugin.zip -o /path/to/destination/base- 
      plugin.zip; bye" -u \
$FTP_USERNAME,$FTP_PASSWORD ftps://my.domain.com

msbt

@roofboard you can enable SFTP access in the Access Control tab of the app, where you can set operators that can use SFTP. Not sure why you'd need separate certs to do that.

nebulon

@roofboard Cloudron only runs an Sftp serfver, not ftpS

If the app data is exposed through ftp or not, is dependent on the app, however the wordpress package does support it.

Further info on the connection can be found at https://docs.cloudron.io/apps/#ftp-access

girish

@roofboard I guess your real question is how to automate this. We automate SFTP in testing like this - https://git.cloudron.io/cloudron/lamp-app/-/blob/master/test/test.js#L120

sshpass -p${process.env.PASSWORD} sftp -P 222 -o StrictHostKeyChecking=no -oHostKeyAlgorithms=+ssh-rsa -oBatchMode=no -b - ${process.env.USERNAME}@${app.fqdn}@${apiEndpoint}

girish

@roofboard also, if you want to use lftp , I think you have to use sftp://my.domain.com instead of ftps . IIRC, we had some trouble automating with lftp. This is why we use sftp command.

roofboard

@girish I tried this 7 ways from Sunday, then gave up and tried to just get access from the terminal. Every time I get permission denied.

Did the above command work for you?

I am trying to do this with a App Passwords
and just having no luck even when i hardcode the usernames and passwords.

girish

@roofboard You can try this on our demo. Password is cloudron.

$ sftp -P 222 cloudron@site.demo.cloudron.io@my.demo.cloudron.io 
cloudron@site.demo.cloudron.io@my.demo.cloudron.io's password: 
Connected to my.demo.cloudron.io.
sftp>

I also tested with app password (ee8431debcc35383) . Same command above works.

Can you test above? Hopefully, nobody deletes the app before you get to it.

girish

@girish said in SSL and certs for SFTP:

sftp -P 222 cloudron@site.demo.cloudron.io@my.demo.cloudron.io

Please note the double '@' . It's not a typo. The username contains an @ .

roofboard

@girish !!!! I would never have guessed that - I missed the fine print. "log in with your username" that changes everything thanks for clarifying.

Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.

Cloudron Forum

SSL and certs for SFTP