  • Stars: 137
  • Rank: 266,121 (Top 6 %)
  • Language: Go
  • License: MIT License
  • Created over 6 years ago
  • Updated almost 3 years ago


Repository Details

An AWS S3 gateway proxying SFTP connections.

s3-sftp-proxy

s3-sftp-proxy is a tiny program that exposes the resources on your AWS S3 buckets through SFTP protocol.

Usage

Usage of s3-sftp-proxy:
  -bind string
        listen on addr:port
  -config string
        configuration file (default "s3-sftp-proxy.toml")
  -debug
        turn on debugging output
  • -bind

    Specifies the local address and port to listen on. This overrides the value of bind in the configuration file. If it is not present in the configuration file either, it defaults to :10022.

  • -config

    Specifies the path to the configuration file. It defaults to "./s3-sftp-config.toml" if not given.

  • -debug

    Turn on debug logging. The output will be more verbose.

Configuration

The configuration file is in TOML format. Refer to the TOML documentation for a detailed explanation of the syntax.

Top level

host_key_file = "./host_key"
bind = "localhost:10022"
banner = """
Welcome to my SFTP server
"""
reader_lookback_buffer_size = 1048576
reader_min_chunk_size = 262144
lister_lookback_buffer_size = 100

# buckets and authentication settings follow...
  • host_key_file (required)

    Specifies the path to the host key file (private key).

    The host key can be generated with ssh-keygen command:

     ssh-keygen -f host_key
  • bind (optional, defaults to ":10022")

    Specifies the local address and port to listen on.

  • banner (optional, defaults to an empty string)

    A banner is a message text that is sent to the client when the connection to the server is established, prior to any authentication steps.

  • reader_lookback_buffer_size (optional, defaults to 1048576)

    Specifies the size of the buffer that retains recently read data from S3 so that it can be served again later. Such a buffer is necessary because the SFTP protocol requires data to be read and written on a random-access basis (each request carries an offset), whereas data from S3 is fetched as a stream. Block-storage access therefore has to be emulated on top of S3 objects, but with reasonable SFTP clients there is no need to hold the entire object in memory.

  • reader_min_chunk_size (optional, defaults to 262144)

    Specifies the amount of data fetched from S3 at once. Increase the value when you experience quite a poor performance.

  • lister_lookback_buffer_size (optional, defaults to 100)

    Specifies the size of the lookback buffer used for directory listings. Contrary to what one might expect, SFTP requires file listings to be retrieved on a random-access basis as well.

  • buckets (required)

    buckets contains records for bucket declarations. See Bucket Settings for detail.

  • auth

    auth contains records for authenticator configurations. See Authenticator Settings for detail.
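The lookback mechanism behind reader_lookback_buffer_size and reader_min_chunk_size, as an added illustration in Go that is not s3-sftp-proxy's own code: a sequential stream is served through an offset-based ReadAt that keeps only the most recent window, so a request behind the window is refused rather than silently re-read from the source. The type and field names are this example's own.

```go
package main

import (
	"errors"
	"io"
)

// LookbackReader emulates SFTP's random-access reads (every request carries an offset)
// over a sequential stream such as an S3 object body, keeping only the last lookbackSize bytes.
type LookbackReader struct {
	src          io.Reader
	buf          []byte // retained bytes, covering [bufStart, bufStart+len(buf))
	bufStart     int64
	lookbackSize int // plays the role of reader_lookback_buffer_size
	minChunkSize int // plays the role of reader_min_chunk_size
	eof          bool
}

// ReadAt answers one SFTP read request for len(p) bytes at offset off.
func (r *LookbackReader) ReadAt(p []byte, off int64) (int, error) {
	if off < r.bufStart { // already discarded: refuse instead of re-fetching the object
		return 0, errors.New("offset precedes lookback window; raise reader_lookback_buffer_size")
	}
	for r.bufStart+int64(len(r.buf)) < off+int64(len(p)) && !r.eof {
		chunk := make([]byte, r.minChunkSize) // fetch at least one chunk per round trip
		n, err := io.ReadFull(r.src, chunk)
		r.buf = append(r.buf, chunk[:n]...)
		if err != nil && err != io.EOF && err != io.ErrUnexpectedEOF {
			return 0, err
		}
		r.eof = err != nil
		// Discard bytes older than the window, but never bytes this request still needs.
		keepFrom := r.bufStart + int64(len(r.buf)) - int64(r.lookbackSize)
		if keepFrom > off {
			keepFrom = off
		}
		if keepFrom > r.bufStart {
			r.buf = append([]byte(nil), r.buf[keepFrom-r.bufStart:]...)
			r.bufStart = keepFrom
		}
	}
	n := 0
	if start := off - r.bufStart; start < int64(len(r.buf)) {
		n = copy(p, r.buf[start:])
	}
	if n < len(p) { // the loop only stops short of the request at end of stream
		return n, io.EOF
	}
	return n, nil
}
```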

Bucket Settings

[buckets.test]
endpoint = "http://endpoint"
s3_force_path_style = true
disable_ssl = false
bucket = "BUCKET"
key_prefix = "PREFIX"
bucket_url = "s3://BUCKET/PREFIX"
profile = "profile"
region = "ap-northeast-1"
max_object_size = 65536
writable = false
readable = true
listable = true
auth = "test"
server_side_encryption = "kms"
sse_customer_key = ""
sse_kms_key_id = ""
keyboard_interactive_auth = false

[buckets.test.credentials]
aws_access_key_id = "aaa"
aws_secret_access_key = "bbb"
  • endpoint (optional)

    Specifies an S3 endpoint (server) other than AWS.

  • s3_force_path_style (optional)

    This option should be set to true if you use an endpoint other than AWS.

    Set this to true to force the request to use path-style addressing, i.e., http://s3.amazonaws.com/BUCKET/KEY. By default, the S3 client uses virtual hosted bucket addressing when possible (http://BUCKET.s3.amazonaws.com/KEY).

  • disable_ssl (optional)

    Set this to true to disable SSL when sending requests.

  • bucket (required when bucket_url is unspecified)

    Specifies the bucket name.

  • key_prefix (required when bucket_url is unspecified)

    Specifies the prefix prepended to the file path sent from the client. The key string is derived as follows:

      `key` = `key_prefix` + `path`
    
  • bucket_url (required when bucket is unspecified)

    Specifies both the bucket name and prefix in the URL form. The URL's scheme must be s3, and the host part corresponds to bucket while the path part does to key_prefix. You may not specify bucket_url and either bucket or key_prefix at the same time.

  • profile (optional, defaults to the value of the AWS_PROFILE environment variable unless credentials is specified)

    Specifies the credentials profile name.

  • region (optional, defaults to the value of AWS_REGION environment variable)

    Specifies the region of the endpoint.

  • credentials (optional)

    • credentials.aws_access_key_id (required)

      Specifies the AWS access key.

    • credentials.aws_secret_access_key (required)

      Specifies the AWS secret access key.

  • max_object_size (optional, defaults to unlimited)

    Specifies the maximum size of an object put to S3. This actually sets the size of the in-memory buffer that holds the entire content sent from the client, because an MD5 sum has to be computed for it before it is uploaded.

  • readable (optional, defaults to true)

    Specifies whether to allow the client to fetch objects from S3.

  • writable (optional, defaults to true)

    Specifies whether to allow the client to put objects to S3.

  • listable (optional, defaults to true)

    Specifies whether to allow the client to list objects in S3.

  • server_side_encryption (optional, defaults to "none")

    Specifies which server-side encryption scheme is applied to the stored objects. Valid values are "none", "aes256" and "kms".

  • sse_customer_key (required when server_side_encryption is set to "aes256")

    Specifies the base64-encoded encryption key. As the cipher is AES256-CBC, the key must be 256 bits (32 bytes) long.

  • sse_kms_key_id (required when server_side_encryption is set to "kms")

    Specifies the CMK ID used for the server-side encryption using KMS.

  • keyboard_interactive_auth (optional, defaults to false)

    Enables keyboard interactive authentication if set to true.

  • auth (required)

    Specifies the name of the authenticator.
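The bucket_url, bucket/key_prefix and server-side-encryption rules above, checked in one place, as an added Go example rather than the project's own code. The BucketConfig type and ObjectKey are this example's names, and the path.Clean step in ObjectKey is an assumption not described in the README (the README only states key = key_prefix + path).

```go
package main

import (
	"encoding/base64"
	"errors"
	"net/url"
	"path"
	"strings"
)

// BucketConfig holds the [buckets.<name>] fields validated here; ServerSideEncryption is "", "none", "aes256" or "kms".
type BucketConfig struct {
	Bucket, KeyPrefix, BucketURL, ServerSideEncryption, SSECustomerKey, SSEKMSKeyID string
}

// Resolve applies the README's rules: bucket_url (scheme s3, host = bucket, path = key_prefix) excludes bucket/key_prefix, and each SSE mode needs its key field.
func (c BucketConfig) Resolve() (bucket, prefix string, err error) {
	switch {
	case c.BucketURL != "" && (c.Bucket != "" || c.KeyPrefix != ""):
		return "", "", errors.New("bucket_url cannot be combined with bucket or key_prefix")
	case c.BucketURL != "":
		u, perr := url.Parse(c.BucketURL)
		if perr != nil || u.Scheme != "s3" || u.Host == "" {
			return "", "", errors.New("bucket_url must look like s3://BUCKET/PREFIX")
		}
		bucket, prefix = u.Host, strings.TrimPrefix(u.Path, "/")
	case c.Bucket != "":
		bucket, prefix = c.Bucket, c.KeyPrefix
	default:
		return "", "", errors.New("either bucket or bucket_url is required")
	}
	switch c.ServerSideEncryption {
	case "", "none":
	case "aes256": // SSE-C: the key itself travels with every request, so validate it up front
		if key, derr := base64.StdEncoding.DecodeString(c.SSECustomerKey); derr != nil || len(key) != 32 {
			return "", "", errors.New("sse_customer_key must be the base64 of a 32-byte key for aes256")
		}
	case "kms":
		if c.SSEKMSKeyID == "" {
			return "", "", errors.New("sse_kms_key_id is required for kms")
		}
	default:
		return "", "", errors.New("server_side_encryption must be none, aes256 or kms")
	}
	return bucket, prefix, nil
}

// ObjectKey derives key = key_prefix + path as documented; path.Clean is this example's addition so ".." segments cannot step outside key_prefix.
func ObjectKey(prefix, clientPath string) string {
	return prefix + path.Clean("/"+clientPath)
}
```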

Authenticator Settings

[auth.test]
type = "inplace"

# authenticator specific settings follow
  • type (required)

    Specifies the authenticator implementation type. Currently "inplace" is the only valid value.

  • users (required when type is "inplace")

    Contains user records as a dictionary.

In-place authenticator

The in-place authenticator reads credentials embedded directly in the configuration file. A user record looks like the following:

[auth.test]
type = "inplace"

[auth.test.users.user0]
password = "test"
public_keys = """
ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

[auth.test.users.user1]
password = "test"
public_keys = """
ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ssh-rsa AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

Or

[auth.test]
type = "inplace"

[auth.test.users]
user0 = { password="test", public_keys="..." }
user1 = { password="test", public_keys="..." }
  • (key) (appears as user0 or user1 in the above example)

    Specifies the name of the user.

  • password (optional)

    Specifies the password in a clear-text form.

  • public_keys (optional)

    Specifies the public keys authorized for authentication. Multiple keys can be specified by separating them with newlines.
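The in-place authenticator's user record, as an added Go example that is not the project's implementation: the newline-delimited public_keys field is split into type/blob pairs and the password, which this authenticator stores in clear text, is compared in constant time. User, keyIDs and Authenticate are this example's names, and matching a key by its textual blob rather than by parsing it is an assumption.

```go
package main

import (
	"crypto/subtle"
	"strings"
)

// User mirrors one [auth.<name>.users.<user>] record of the in-place authenticator.
type User struct {
	Password   string // clear text, exactly as the configuration file stores it
	PublicKeys string // newline-delimited authorized-keys lines
}

// keyIDs extracts "<type> <base64 blob>" from each public_keys line, skipping
// blank lines and dropping any trailing comment field.
func keyIDs(publicKeys string) []string {
	var ids []string
	for _, line := range strings.Split(publicKeys, "\n") {
		if f := strings.Fields(line); len(f) >= 2 {
			ids = append(ids, f[0]+" "+f[1])
		}
	}
	return ids
}

// CheckPassword rejects users with no password set and compares in constant time.
func (u User) CheckPassword(candidate string) bool {
	return u.Password != "" && subtle.ConstantTimeCompare([]byte(u.Password), []byte(candidate)) == 1
}

// CheckPublicKey accepts a presented key only if type and blob match one configured line.
func (u User) CheckPublicKey(keyType, blob string) bool {
	ok := false
	for _, id := range keyIDs(u.PublicKeys) {
		ok = ok || subtle.ConstantTimeCompare([]byte(id), []byte(keyType+" "+blob)) == 1
	}
	return ok
}

// Authenticate looks the user up in the users table and verifies the offered credential.
func Authenticate(users map[string]User, name, password, keyType, blob string) bool {
	u, found := users[name]
	if !found {
		return false
	}
	if password != "" {
		return u.CheckPassword(password)
	}
	return u.CheckPublicKey(keyType, blob)
}
```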
