
/sftp/store robot
Exports the input file to the specified server via SFTP.
Required parameters
| Name | Type | Default | Description |
|---|---|---|---|
| user | string | | The user to use for the SFTP connection. |
| host | string | | The host to connect to via SFTP. |
Optional parameters
| Name | Type | Default | Description |
|---|---|---|---|
| use | String or array | The previous step | Specifies which step to use as the input to this robot. The default is to use the previous step defined above the current one. A special step name is ":original", which "uses" the originally uploaded files. You can also add arrays here to "use" several steps: "use": [":original", "encode2", "resizing3"]. See a demo for the "use" parameter here. |
| path | string | "${unique_prefix}/${file.url_name}" | The path to use for storing the file. Make sure to also check the available assembly variables. |
| url_template | string | "http://host/path" | The URL to the file in the result JSON. See below for a list of supported assembly variables. |
Assembly Variables
You can use the same assembly variables as you can use for the /s3/store robot.
Installation on your server
The method we're going to use is slightly more elaborate than just handing out an SSH account with our public key authorized, but it adds the security advantage that our user won't be able to traverse outside its home directory. Should the user ever be compromised, all that's accessible is the freshly uploaded files, and nothing more.
So here's how to create a dedicated user & group for Transloadit and restrict its access, based on this article.
First, let's create a dedicated group & user:
```sh
TL_USER="random873"
TL_PUBLIC_PATH="uploads"
groupadd sftponly
useradd -g sftponly -m "${TL_USER}"
# Set a random 20-char password for the user. We work with keys, but a password
# is required because some OSes consider an account without one locked.
echo "${TL_USER}:$(tr -dc '_A-Z-a-z-0-9' < /dev/urandom | head -c20)" | chpasswd
# .ssh holds the authorized key; ${TL_PUBLIC_PATH} is where Transloadit uploads to.
mkdir -p "/home/${TL_USER}/.ssh" "/home/${TL_USER}/${TL_PUBLIC_PATH}"
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA57GdwNLqsWz03X8MBEe4KoMSY2HOURjnUUe9zeTivASI+BLEe3cZcuJjsEBaRpISvCH04hosWUI0H4BQeB1dZZUUW1s4ttnVohCD9CfNiXJ7pwJAvgWb01dTW4YUWFKUTpTeUwQzgcNVLDtSVaQOYh4lAKvCZEcz17X9iZ7AeSEuQKe+QsrcwQoBdSpQ6FnzKwSZsggK81dPiGIW9Cw2z/EZWJpl9QBTYhw25NbNRtZj3fXVbrejnQQ985eZ6TlrvQFpUVwyk0QNHDsN+7zVISM3eXNpxof+vJyQNDLN9tb8vNPf/HXuw7MDJWMphrQevF5V26aMzszl3ZeO1779Mw== sftp@transloadit.com" >> "/home/${TL_USER}/.ssh/authorized_keys"
chown -R "${TL_USER}:sftponly" "/home/${TL_USER}"
# sshd refuses a ChrootDirectory that is not owned by root or is group/world-writable,
# so the home directory itself belongs to root and is 755; the subdirectories stay the user's.
chown root:root "/home/${TL_USER}"
chmod 755 "/home/${TL_USER}"
chmod -R 600 "/home/${TL_USER}/.ssh" "/home/${TL_USER}/${TL_PUBLIC_PATH}"
chmod -R u+X "/home/${TL_USER}/.ssh" "/home/${TL_USER}/${TL_PUBLIC_PATH}"
```
Make sure to change ${TL_USER} and ${TL_PUBLIC_PATH} to your needs.
For security, it's important to pick a random username.
Next, let's set up sshd to confine SFTP users to their home directory and disallow regular shell access.
Open /etc/ssh/sshd_config with nano (or vim), then locate and comment out this line:
```
# Subsystem sftp /usr/lib/openssh/sftp-server
```
At the bottom of the same file, add:
```
Subsystem sftp internal-sftp
Match group sftponly
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
```
Type /etc/init.d/ssh restart to make the changes active.
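The sshd_config edit above is easy to get subtly wrong (a directive left out of the Match block, or the Subsystem line placed after it, where sshd rejects it). The following is an added example, not part of the Transloadit guide, that audits a config file for the exact directives this guide expects; the function name audit_sftp_match and the sample config it runs against are assumptions made here.

```sh
#!/bin/sh
# Audit an sshd_config for the chrooted-SFTP Match block before restarting sshd.
# Added example; not part of the Transloadit docs. Argument 1 is the config
# path, argument 2 the group name (defaults to sftponly, as in the guide).
audit_sftp_match() {
  config="$1"
  group="${2:-sftponly}"
  # Collect "directive value" pairs inside the "Match group <group>" block,
  # lower-cased, skipping comments, up to the next Match line.
  block=$(awk -v grp="$group" '
    tolower($1) == "match" { inblock = (tolower($2) == "group" && $3 == grp); next }
    inblock && NF && $1 !~ /^#/ { print tolower($1), tolower($2) }
  ' "$config")
  missing=0
  for want in "chrootdirectory /home/%u" "forcecommand internal-sftp" \
              "allowtcpforwarding no" "x11forwarding no"; do
    if ! printf '%s\n' "$block" | grep -qxF "$want"; then
      echo "missing in 'Match group $group': $want"
      missing=$((missing + 1))
    fi
  done
  # ChrootDirectory with ForceCommand internal-sftp needs the in-process server,
  # and Subsystem is only valid before the first Match block, so check both.
  if ! awk 'tolower($1) == "match" { seen_match = 1 }
            tolower($1) == "subsystem" && tolower($2) == "sftp" &&
              tolower($3) == "internal-sftp" && !seen_match { ok = 1 }
            END { exit (ok ? 0 : 1) }' "$config"; then
    echo "no 'Subsystem sftp internal-sftp' line above the first Match block"
    missing=$((missing + 1))
  fi
  [ "$missing" -eq 0 ]
}

# Constructed sample mirroring the directives from this guide (not a real host).
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
Match group sftponly
    ChrootDirectory /home/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
EOF
audit_sftp_match "$SAMPLE_CONFIG" sftponly && echo "sftponly Match block is complete"
```

Run it against the real file with audit_sftp_match /etc/ssh/sshd_config sftponly, and follow it with sshd -t, which has sshd itself parse the file, before restarting the service.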
Demos
- Store the originally uploaded files on your server
- Encode a video, extract 8 thumbnails and store everything via SFTP
- Apply a watermark to an image and store this watermarked version and the original uploaded file