A server on the Internet has to connect to a server on our internal network through SFTP (the OpenSSH port 22 one) to download/upload some files, but we are following a best practice that says this must not be possible.
All flows coming from the Internet must be "relayed" by a server in the DMZ; for example, HTTP is reverse proxied through Apache mod_proxy, SMTP with postfix, etc. I am looking for a solution that may apply to SFTP.
My main constraint is that the SFTP client can't be configured to use a SOCKS proxy, so I have eliminated danted and other SOCKS servers from my list.
I have found a solution with SSH tunnelling: ssh localhost -L proxy_ip:2222:server_ip:22, some sshd_config tuning and something like autossh.
I have also looked at nginx, but TCP load balancing is not free.
redir is OK but doesn't have any security options.
I may look at haproxy but it seems really complicated for my need.
Anyone got an idea about this?
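The SSH-tunnel and redir approaches in the post both relay raw TCP from the DMZ host to the internal sshd; what redir lacks is any way to say who may use the relay and to pin where it goes. As an added example (not code from the post or from any project named in it), here is a small Python TCP relay for a DMZ host that forwards one listening port to one fixed internal host:port and drops any connection whose source address is outside an allowlist. The SSH session itself, including authentication, still runs end to end between the Internet client and the internal sshd; the relay only moves bytes. The peer address 203.0.113.10 is a constructed placeholder, and demo() wires the relay to a local echo server standing in for the internal sshd so the whole thing runs offline.

```python
import ipaddress
import socket
import threading

# Constructed placeholder: the single Internet peer allowed to reach the relay.
# In the post's setup the relay would listen on proxy_ip:2222 and forward to
# server_ip:22 (both hypothetical names taken from the post).
ALLOWED_SOURCES = ["203.0.113.10/32"]


def source_allowed(peer_ip, allowed):
    """True if peer_ip falls inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(net) for net in allowed)


def pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so EOF propagates."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Relay:
    """Fixed-destination TCP relay with a source-address allowlist."""

    def __init__(self, listen, target, allowed):
        self.target, self.allowed = target, allowed
        self.accepted = self.rejected = 0
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(listen)
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]

    def handle(self, client, peer):
        if not source_allowed(peer[0], self.allowed):
            self.rejected += 1            # unknown source: close before any byte is relayed
            client.close()
            return
        try:
            upstream = socket.create_connection(self.target, timeout=10)
        except OSError:
            client.close()                # internal server unreachable: nothing to relay
            return
        upstream.settimeout(None)
        self.accepted += 1
        t = threading.Thread(target=pump, args=(client, upstream), daemon=True)
        t.start()
        pump(upstream, client)
        t.join()
        client.close()
        upstream.close()

    def start(self):
        def accept_loop():
            while True:
                try:
                    client, peer = self.sock.accept()
                except OSError:
                    return
                threading.Thread(target=self.handle, args=(client, peer), daemon=True).start()
        threading.Thread(target=accept_loop, daemon=True).start()
        return self


def _echo(conn):
    with conn:                            # local stand-in for the internal sshd
        while data := conn.recv(65536):
            conn.sendall(data)


def demo():
    """Offline run: one permitted relay, one that rejects 127.0.0.1, same upstream."""
    upstream = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    upstream.bind(("127.0.0.1", 0))
    upstream.listen(8)

    def accept_loop():
        while True:
            try:
                conn, _ = upstream.accept()
            except OSError:
                return
            threading.Thread(target=_echo, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    target = upstream.getsockname()
    permitted = Relay(("127.0.0.1", 0), target, ["127.0.0.1/32"]).start()
    blocked = Relay(("127.0.0.1", 0), target, ALLOWED_SOURCES).start()

    with socket.create_connection(("127.0.0.1", permitted.port), timeout=5) as c:
        c.sendall(b"SSH-2.0-OpenSSH_9.6\r\n")   # constructed banner, just bytes to relay
        c.shutdown(socket.SHUT_WR)
        echoed = c.makefile("rb").read()        # read until the relay propagates EOF
    with socket.create_connection(("127.0.0.1", blocked.port), timeout=5) as c:
        denied = c.recv(1024)                   # relay closed without forwarding: b""
    upstream.close()
    return echoed, denied, permitted.accepted, blocked.rejected


if __name__ == "__main__":
    print(demo())
```

The two properties that redir does not give you are both in handle(): the destination is fixed at construction, so a client can never pick where the relay connects, and the source check runs before any byte is read. For a production DMZ box a packaged relay with the same two knobs (haproxy in tcp mode with a source ACL, or sshd itself with a forwarding-only account) is the safer choice than a hand-rolled one, but the logic it has to implement is exactly this.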