Home Linux Administration How To Setup SFTP Server With SFTPGo In Linux

How To Setup SFTP Server With SFTPGo In Linux

Install And Configure SFTP Server Using SFTPGo In Linux

By sk
Published: Updated: 18.4K views

This detailed guide explains what is SFTPGo, how to install SFTPGo in various Linux distributions, and finally how to setup a SFTP server with SFTPGo in Linux.

What is SFTPGo?

SFTPGo is a fully featured and highly configurable SFTP server that allows you to easily and securely share files over SFTP and optionally HTTP/S, FTP/S and WebDAV.

Using SFTPGo, we can setup a robust SFTP server in Linux within a few minutes. We can configure SFTPGo with many backend storage providers including local filesystem, encrypted local filesystem, S3 (compatible) Object Storage, Google Cloud Storage, Azure Blob Storage, and SFTP.

SFTPGo is completely free, opensource and written in Go programming language. The source code is available in GitHub.

SFTPGo is a cross-platform application. It supports Linux, Windows, macOS and FreeBSD. It should work on other *BSD variants too.

SFTPGo Features

SFTPGo ships with lots of features. Here are some important features:

  • SFTPGo is very easy to install and configure.
  • Supports several storage backends such as local filesystem, encrypted filesystem, S3 Compatible Object Storage, Google Cloud Storage, Azure Blob Storage or other SFTP accounts over SFTP/SCP/FTP/WebDAV.
  • Supports virtual folders. You can set different quota limits for each user.
  • Different data providers such as SQLite, MySQL, PostgreSQL, CockroachDB, Bolt etc., are supported.
  • Configure chroot isolation for local users.
  • Restrict cloud-based user accounts to a certain base path.
  • Configure per-user or per-directory permissions.
  • Allow or deny users to upload, download, rename, modify and remove files.
  • Supports both Public key and password authentication. Multiple public keys per-user are also supported.
  • Data at rest encryption.
  • Multi-factor authentication.
  • Bandwidth throttling and per-user rate limiting.
  • Restrict login to a specific range of IP addresses or to a specific IP address.
  • Automatically close idle connections.
  • Automatically block hosts (IP addresses) on multiple failed login attempts.
  • Prevent DoS and brute force password guessing.
  • Allow/deny connections based on the the geographical location of the clients' IP addresses.
  • Support for Git repositories over SSH.
  • SCP, Rsync, FTP/S, HTTP/S and WebDAV are supported.
  • Configure TLS certificates for HTTPS, WebDAV and FTPS from Let's Encrypt. It also automatically renews the certificates.
  • Configure per-user protocols restrictions.
  • Import local system user accounts.
  • Web-based administration interface to create, manage users, folders and connections.
  • Allow users to change their credentials, manage and share their files in the browser via web client interface.
  • Completely free and Opensource.

Install SFTPGo in Linux

SFTPGo is packaged for popular Linux distributions. Navigate to the respective section to know how to install SFTPGo in your preferred Linux distribution.

Install SFTPGo in Arch Linux

In Arch Linux and its variants like EndeavourOS and Manjaro Linux, you can install SFTPGo from AUR using Paru or Yay:

$ paru -S sftpgo

Or,

$ yay -S sftpgo

Install SFTPGo in Debian

In Debian 10 and 11, add the SFTPGo APT repository and install SFTPGo as shown below.

Make sure you've installed gnupg on your Debian system:

$ sudo apt install gnupg

Next, import the Public GPG key:

$ curl -sS https://ftp.osuosl.org/pub/sftpgo/apt/gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/sftpgo-archive-keyring.gpg

Add the SFTPGo Apt repository to sources.list file:

$ CODENAME=`lsb_release -c -s`
$ echo "deb [signed-by=/usr/share/keyrings/sftpgo-archive-keyring.gpg] https://ftp.osuosl.org/pub/sftpgo/apt ${CODENAME} main" | sudo tee /etc/apt/sources.list.d/sftpgo.list

Reload the repository lists and install SFTPGo in Debian using the following commands:

$ sudo apt update
$ sudo apt install sftpgo

Install SFTPGo in Fedora, RHEL, CentOS, AlmaLinux and Rocky Linux

Add SFTPGo repository:

$ ARCH=`uname -m`
$ curl -sS https://ftp.osuosl.org/pub/sftpgo/yum/${ARCH}/sftpgo.repo | sudo tee /etc/yum.repos.d/sftpgo.repo

Update repository lists and install SFTPGo in RPM-based systems using commands:

$ sudo dnf update
$ sudo dnf install sftpgo

After install SFTPGo, start sftpgo service and enable it to start automatically at system boot:

$ sudo systemctl start sftpgo
$ sudo systemctl enable sftpgo

Install SFTPGo in Ubuntu

Add SFTPGo PPA in your Ubuntu and its derivatives such as Pop OS, Linux Mint and Elementary OS:

$ sudo add-apt-repository ppa:sftpgo/sftpgo

Update repository lists:

$ sudo apt update

And install SFTPGo in Ubuntu and its derivatives using command:

$ sudo apt install sftpgo

Install SFTPGo in Void Linux

SFTPGo is available in the default repositories of Void Linux.

To install SFTPGo in Void Linux, run:

$ xbps-install -S
$ xbps-install sftpgo

SFTPGo is also available as Docker image, available in AWS, Azure and Elestio platforms.

Create Admin Account

Before start using SFTPGo, you should create an admin account. To do so, navigate to http://localhost:8080/web/admin or http://IP-address:8080/web/admin URL from your web browser.

Enter a username for the admin account and password for the same. Click "Create admin" button to continue.

Create SFTPGo Admin User
Create SFTPGo Admin User

After the admin account is created, you will be automatically logged in. This is how SFTPGo admin dashboard looks like.

SFTPGo Admin Dashboard
SFTPGo Admin Dashboard

From now on, you can access the SFTPGo Web admin dashboard from this URL - http://127.0.0.1:8080/web/admin or http://IP-Address:8080/web/admin.

The default configuration enables the SFTP service on port 2022 and uses an embedded data provider (SQLite or bolt based on the target OS and architecture). In my case, the default data provider is SQLite.

You can view the active services from the Status page from the left pane.

SFTPGo Status Page
SFTPGo Status Page

By default, the FTP server and WebDAV services are disabled.

Create New Users

To create a new user, click on the Users button on the left pane and then click the + (Plus) sign.

Create New User in SFTPGo Dashboard
Create New User in SFTPGo Dashboard

Enter the username, password or public key for the new user and click Submit.

Add a New User
Add a New User

Only username, password or public key are required to create a new sftp user. You can also add more details to the users and assign permissions to the users.

Scroll down a bit in the creating new user section, you will see the following tabs:

  • Profile - In this tab, you can
    • set status of the user i.e. active or inactive,
    • set expiration date to the user,
    • provide, Email and a description to the user.
  • ACLs - In this tab, you can
    • add per-directory permissions for the users,
    • deny protocols (E.g. SSH, FTP, WebDAV and HTTP),
    • deny login methods (E.g. Public key, password)
    • set two-factor authentication for selected protocols,
    • disable Webclient/Rest API,
    • allow and deny login from specific IP addresses.
  • Disk quota and bandwidth limits - In this tab, we can
    • set quota size in MB or GB. 0 (zero) means no limit.
    • maximum file upload size,
    • bandwidth download and upload limit,
    • per-source bandwidth speed limits,
    • upload and download data transfer rate,
    • per-source data transfer limits.
  • More - In this tab, we can
    • set an alternate start directory to use instead of "/". Supported for SFTP/FTP/HTTP.
    • TLS username,
    • FTP security,
    • default expiration for newly created shares as number of days,
    • mark users as anonymous,
    • disable filesystem checks,
    • allow API key authentication.

In the above example, we have created users with local filesystem as storage backend. You can also create users with local encrypted backend, a Cloud Storage backend such as Amazon S3, Azure Blog, Google Cloud, or another SFTP server as storage backend.

To create users with any one of the aforementioned storage backend, simply choose the relevant storage under the Filesystem tab.

For instance, to create users with local encrypted backend (Data At Rest Encryption), choose "Local encrypted" from Storage drop-down box. You should enter the Passphrase for the encryption.

Create Users with Local Encrypted Backend
Create Users with Local Encrypted Backend

Similarly, you can choose other backends such as AWS S3, Google Cloud Storage, Azure Blob Storage, SFTP, and HTTP etc.

Choose SFTPGo Storage Backend
Choose SFTPGo Storage Backend

For more details, look at the official documentation page linked at the end.

Access Web Client

After creating all users, they can access their files and shares from the WebClient interface available at this URL http://127.0.0.1:8080/web/client or http://IP-address:8080/web/client.

Enter the username and password and click Login button.

Access SFTPGo Web Client
Access SFTPGo Web Client

This is how web client interface looks like:

SFTPGo Web Client Dashboard
SFTPGo Web Client Dashboard

From this Web client dashboard, each user can browse and download their files, share files with external users, change their credentials and configure two-factor authentication.

Upload, Download Files and Folders

We can upload or download files and directories from commandline or SFTPGo web client or using any third-party SFTP client application. First, we will see the commandline way.

Test Users via Commandline

L:et me connect to the SFTP server from Terminal:

$ sftp -P 2022 user1@192.168.1.37

Here,

  • -P 2022 - SFTP port number.
  • user1@192.168.1.37 - SFTP server username and its IP address.

Enter the password of user1 to connect to the sftp server. After the user is connected, you will see the sftp prompt.

user1@192.168.1.37's password: 
Connected to 192.168.1.37.
sftp> 

You can check the contents of the current working directory using ls command:

sftp> ls

Let us upload some files in SFTP server. I am going to upload a file called file1.txt.

sftp> put file1.txt 
Uploading file1.txt to /file1.txt
file1.txt    

Let us check if file1.txt is uploaded.

sftp> ls
file1.txt  

Yes, the file is uploaded. Let us create a directory and then cd into it and upload a file in it.

sftp> mkdir dir1
sftp> cd dir1/
sftp> put file1.txt 
Uploading file1.txt to /dir1/file1.txt
file1.txt                                                                                                       100%    0     0.0KB/s   00:00    
sftp> 
Test Sftp Users
Test Sftp Users

As you can see, the user can download, upload files and create directories in our SFTP server.

Now let us test sftp users via SFTPGo web client.

Test Users via SFTPGo Web Client

Open SFTPGo web client by navigating to the URL http://127.0.0.1:8080/web/client or http://IP-address:8080/web/client.

Enter the user credentials and click Login. After logging to the web client, click "My Files" tab on the left pane. You will see the existing files or directories. Click the "Upload Files" button.

Click Upload Files Button
Click Upload Files Button

Choose the files to upload from your local file system. You can also drag and drop files in the web client interface. After choosing the files, click "Submit" button.

Choose Files to Upload
Choose Files to Upload

After uploading the files, you can view them under the My Files section.

View Files in My Files Section
View Files in My Files Section

Similarly, you can create a new folder and upload stuffs in it. To create a new folder, click the "Add Directory" button (the Plus sign).

Click Add Directory Button
Click Add Directory Button

Enter a name for the directory and click Submit button.

Enter Directory Name
Enter Directory Name

After the directory is created, just click on the directory to open it and upload the files of your choice in it as shown earlier.

To download a file or folder, select it and click the "Download" button. The selected items will be zipped and downloaded in your local system.

Download Files and Folders
Download Files and Folders

You can also share the items to other users or delete them if they are no longer required.

View and Manage Shares

Click the "Shares" tab on the left pane. On the right hand side, you will see the list of available shares.

Add New Share
Add New Share

Enter a name for the new share, enter the file or directory path. And then choose the permission (Read-only or Read/Write). If you want to more than one share, click the "Add a path" button and add the path of the file or directory.

You can also set a password for the share, expiration date, define allowed IP to access the shares, and description for the share. Finally click Submit button.

Enter New Share Details
Enter New Share Details

Set Per Directory Virtual Permissions

SFTPGo supports per-directory virtual permissions. For each user you have to specify global permissions and then override them on a per-directory basis as shown in the following screenshot.

Open SFTPGo Admin WebUI. Select an User and click Edit button.

Edit User
Edit User

Go to the ACLs tab and add directories with different permissions. I have added two directories namely /read_only_dir and share1 for User1. I have selected list and download permissions for read_only_dir and no permissions for the share1 directory. Click Submit to update the settings.

Set Per-Directory Permissions
Set Per-Directory Permissions

As per the above permissions, the user1,

  • Can list the contents of read_only_dir but can't upload the files in them. He also can't delete the existing files. He can only list and download the contents from this directory.
  • Can't access the folder share1.

Let us test it. Log in as user1 via sftp and run the following commands:

$ sftp -P 2022 user1@192.168.1.37
user1@192.168.1.37's password: 
Connected to 192.168.1.37.
sftp> 
sftp> ls
dir1            dir2            file1.txt       file2.txt       read_only_dir   share1          
sftp> 
sftp> cd read_only_dir/
sftp> ls
file3.txt  
sftp> 
sftp> get file3.txt 
Fetching /read_only_dir/file3.txt to file3.txt
sftp> 
sftp> rm file3.txt 
Removing /read_only_dir/file3.txt
Couldn't delete file: Permission denied
sftp> 
sftp> put file4.txt 
Uploading file4.txt to /read_only_dir/file4.txt
remote open("/read_only_dir/file4.txt"): Permission denied
sftp> 
sftp> cd ..
sftp> 
sftp> cd share1/
Couldn't canonicalize: Permission denied
sftp> 
sftp> 

As you see in the above output, the user1 can only list and download the files from read_only_dir directory. But he can't delete existing files or upload any new files. He can also access the share1 directory.

Enable FTP and WebDAV services

I strongly recommend you to always use SFTP over FTP. However, if you want to use FTP or WebDAV services for any reason, enable them only within your trusted local area network. By default, FTP and WebDAV services are disabled.

To enable FTP service, create an environment variable file for FTP at /etc/sftpgo/env.d/ftpd.env with the following content:

SFTPGO_FTPD__BINDINGS__0__PORT=2121

Restart SFTPGo service to apply the changes.

$ sudo systemctl restart sftpgo

The FTP service is now available on port 2121.

Similarly, create an environment variable file for WebDAV at /etc/sftpgo/env.d/webdavd.env with the following content.

SFTPGO_WEBDAVD__BINDINGS__0__PORT=10080

Restart SFTPGo to apply the changes. The WebDAV service is now available on port 10080.

It is recommended to provide a certificate and key file to expose FTP and WebDAV over TLS.

Conclusion

I have been using SFTPGo in my Fedora 37 Workstation edition for a few days now. I don't have any issues during my testing period. SFTPGo works just fine out of the box. If you're looking for an easy way to setup a SFTP server in Linux or macOS or Windows platforms, SFTPGo is a recommended choice.

If you find SFTPGo useful and use it in production, I recommend you to support the project in any way you can. For more details, check project's sponsors page.

Resources:

You May Also Like

7 comments

Nicola Murino December 7, 2022 - 2:36 pm

SFTPGo author here, great article very accurate, thanks

Reply
Ali October 31, 2023 - 5:05 pm

My sftpgo is beind nginx reverse proxy. I want to have client remote IP address. I cannot figure out how to do that.

Reply
sk October 31, 2023 - 5:35 pm

Please elaborate your question, so we can help.

Reply
Ali October 31, 2023 - 6:35 pm

I have Nginx Proxy Manager as reverse proxy. It plays role as internet-facing gate. So every incoming traffic must goes through this NPM.
My sftpgo server is behind the NPM. Now I want to see which remote client (from Internet) goes through NPM and makes request on sftpgo server. If I know, I would be able to block all attempts (client remote IP addresses) which are not trusted.

Reply
sk November 1, 2023 - 12:16 pm

Hello,

I tried NPM a long time ago, and have a very little knowledge in NPM configuration setup. But I will try my best to answer your question. The following may be inaccurate because I don’t have any current setup with NPM.

1. Access the Nginx Proxy Manager web interface.
2. Go to the proxy host configuration that forwards traffic to your SFTPGo server.
3. In the “Edit Proxy Host” or similar section, look for an option to enable access logs or customize the Nginx configuration.
4. Add the following lines to the Nginx configuration, which will log the client IP addresses:

log_format custom_log '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
access_log /var/log/nginx/access.log custom_log;

5. Save your changes and apply the configuration.

Now, to Monitor Access Logs, do the following:

1. Access the server where Nginx Proxy Manager is running.
2. Open the access log file you specified (in this example, it’s `/var/log/nginx/access.log`) using a text editor or a tool like `tail` to view real-time updates:

tail -f /var/log/nginx/access.log

This will display the incoming requests to your SFTPGo server, including the client IP addresses.

Again, the options may vary in the recent NPM version, so please adapt/adjust the steps accordingly. Good luck!

Reply
Ali November 1, 2023 - 3:37 pm

Thank you for very nice and detailed response.

The thing is, I can get client IPs on Nginx.
What I want is, to catch client IP on my SFTPgo server.

sk November 1, 2023 - 5:43 pm

I don’t understand what you meant by “Catch client IP”. If you meant logging client IP address, please follow the steps and see if it works.

1. Edit your SFTPGo configuration file. This can typically be found at /etc/sftpgo/sftpgo.yaml or another location depending on your setup.

2. Find the section related to HTTP headers or proxy settings in the SFTPGo configuration file.

3. Add or modify the configuration to capture the client IP address from the X-Real-IP or X-Forwarded-For headers. Below is an example configuration snippet:

# Example SFTPGo configuration for capturing client IP address from Nginx Proxy Manager
http_server:
address: :8080
proxy_protocol: false # Set this to true if you're using the PROXY protocol

# Headers configuration to capture client IP
real_ip_header: X-Real-IP # Use X-Real-IP header
real_ip_recursive: false # Set this to true if your proxy chain includes multiple proxies

Make sure to adjust the real_ip_header and real_ip_recursive settings based on your specific setup and the headers used by Nginx Proxy Manager. The X-Real-IP header is a common choice, but you can use X-Forwarded-For if that’s what NPM is using.

4. Save the configuration file. Restart the SFTPGo service to apply the changes.

5. After making these changes, SFTPGo should log the client IP addresses from the headers added by Nginx Proxy Manager in its own logs. You can review the logs in your SFTPGo server to see the client IP addresses.

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. By using this site, we will assume that you're OK with it. Accept Read More