ftp协议设计之初,就分为了主动工作模式和被动工作模式:被动模式需要在服务器端随机开一个端口,让客户端连接这个新开的端口进行数据传输;主动模式则是在ftp客户端随机开一个端口,供服务器端主动连过来进行通讯。不管是哪一种,对于有防火墙或者nat代理的网络都是极其不友好的,而且ftp的用户名和密码是明文传输的,可以被wireshark等抓包工具轻易地抓出来,属于很不安全的一种通讯协议。

   sftp协议运行在tcp之上,只需要一个tcp端口即可完成全部的数据传输工作,对防火墙友好,通讯过程全程加密,别人不能轻易地从抓包中看到sftp的登录账户和密码信息,很适合作为ftp的替代品。

   sftpgo使用golang开发,可以跨多个硬件平台,x86/arm/mips都能用,windows/linux操作系统都支持,部署的时候也很方便,特别是linux下面,不需要安装一大堆依赖,在一些不能联网的企业内部网络中进行部署较为方便。

   下面以windows平台为例说明sftpgo的配置使用过程:

1. 软件的获取

     从github的release页面下载最新版本的windows安装程序,下载后复制到服务器内。

2.安装

    闭着眼睛下一步下一步就行。

3.配置

   windows平台的sftpgo软件,特别是安装版本的,会默认安装一个sftpgo的系统服务。通过查看该服务可以发现,它会去 C:\ProgramData\SFTPGo 这个目录里面找配置参数文件。默认情况下 C:\ProgramData\ 这个路径在windows资源管理器里面是不显示的,直接把这个地址复制到资源管理器地址栏去访问就可以打开了。

   打开 C:\ProgramData\SFTPGo目录后,里面有一个sftpgo.json文件,该配置文件的内容如下:

{
"common": {
"idle_timeout": 15,
"upload_mode": 0,
"actions": {
"execute_on": [],
"hook": ""
},
"setstat_mode": 0,
"proxy_protocol": 0,
"proxy_allowed": [],
"post_connect_hook": "",
"max_total_connections": 0,
"defender": {
"enabled": false,
"ban_time": 30,
"ban_time_increment": 50,
"threshold": 15,
"score_invalid": 2,
"score_valid": 1,
"observation_time": 30,
"entries_soft_limit": 100,
"entries_hard_limit": 150,
"safelist_file": "",
"blocklist_file": ""
}
},
"sftpd": {
"bindings": [
{
"port": 2022,
"address": "",
"apply_proxy_config": true
}
],
"max_auth_tries": 0,
"banner": "",
"host_keys": [],
"kex_algorithms": [],
"ciphers": [],
"macs": [],
"trusted_user_ca_keys": [],
"login_banner_file": "",
"enabled_ssh_commands": [
"md5sum",
"sha1sum",
"cd",
"pwd",
"scp"
],
"keyboard_interactive_auth_hook": "",
"password_authentication": true
},
"ftpd": {
"bindings": [
{
"port": 0,
"address": "",
"apply_proxy_config": true,
"tls_mode": 0,
"force_passive_ip": "",
"client_auth_type": 0,
"tls_cipher_suites": []
}
],
"banner": "",
"banner_file": "",
"active_transfers_port_non_20": true,
"passive_port_range": {
"start": 50000,
"end": 50100
},
"disable_active_mode": false,
"enable_site": false,
"hash_support": 0,
"combine_support": 0,
"certificate_file": "",
"certificate_key_file": "",
"ca_certificates": [],
"ca_revocation_lists": []
},
"webdavd": {
"bindings": [
{
"port": 0,
"address": "",
"enable_https": false,
"client_auth_type": 0,
"tls_cipher_suites": []
}
],
"certificate_file": "",
"certificate_key_file": "",
"ca_certificates": [],
"ca_revocation_lists": [],
"cors": {
"enabled": false,
"allowed_origins": [],
"allowed_methods": [],
"allowed_headers": [],
"exposed_headers": [],
"allow_credentials": false,
"max_age": 0
},
"cache": {
"users": {
"expiration_time": 0,
"max_size": 50
},
"mime_types": {
"enabled": true,
"max_size": 1000
}
}
},
"data_provider": {
"driver": "sqlite",
"name": "sftpgo.db",
"host": "",
"port": 0,
"username": "",
"password": "",
"sslmode": 0,
"connection_string": "",
"sql_tables_prefix": "",
"track_quota": 2,
"pool_size": 0,
"users_base_dir": "",
"actions": {
"execute_on": [],
"hook": ""
},
"external_auth_hook": "",
"external_auth_scope": 0,
"credentials_path": "credentials",
"prefer_database_credentials": false,
"pre_login_hook": "",
"post_login_hook": "",
"post_login_scope": 0,
"check_password_hook": "",
"check_password_scope": 0,
"password_hashing": {
"argon2_options": {
"memory": 65536,
"iterations": 1,
"parallelism": 2
}
},
"update_mode": 0,
"skip_natural_keys_validation": false
},
"httpd": {
"bindings": [
{
"port": 8098,
"address": "0.0.0.0",
"enable_web_admin": true,
"enable_https": false,
"client_auth_type": 0,
"tls_cipher_suites": []
}
],
"templates_path": "templates",
"static_files_path": "static",
"backups_path": "backups",
"certificate_file": "",
"certificate_key_file": "",
"ca_certificates": [],
"ca_revocation_lists": []
},
"telemetry": {
"bind_port": 10000,
"bind_address": "127.0.0.1",
"enable_profiler": false,
"auth_user_file": "",
"certificate_file": "",
"certificate_key_file": "",
"tls_cipher_suites": []
},
"http": {
"timeout": 20,
"retry_wait_min": 2,
"retry_wait_max": 30,
"retry_max": 3,
"ca_certificates": [],
"certificates": [],
"skip_tls_verify": false
},
"kms": {
"secrets": {
"url": "",
"master_key_path": ""
}
}
}

默认情况下,sftpgo会在tcp的2022端口进行监听,需要改端口的话修改sftpd-bindings下面的port参数(默认2022)即可。默认情况下,web管理后台只会在127.0.0.1的8080端口进行监听,想让任意IP都可以访问,可以把httpd-bindings下面的address参数改成0.0.0.0,这样就可以从本机以外的IP访问了(上面贴出的配置里httpd的port和address已经分别改成了8098和0.0.0.0)。不过这样配置不太安全:管理后台会暴露给所有能连到这台服务器的网络,而且enable_https为false时管理员的用户名和密码是明文传输的,建议通过web配置完以后还是改回去127.0.0.1。

4.web 管理后台

sftpgo在windows平台的配置使用_用户名

输入用户名和密码登录管理后台

登录以后第一件事是先把管理员密码改掉,入口在admins-edit admin,之后就是建立新用户,如下图:

sftpgo在windows平台的配置使用_sftpgo_02

用户建好以后可以用winscp进行测试,特别是有防火墙的地方,只要开一个端口就能用,效果非常的好啊。