Reverse proxy for multiple SFTP containers

Hi everybody,

this is my first post here and I just want to thank everybody here for Rancher! It’s such a great product with an awesome community.

So…I’ve designed a stack for a web application which consists of 3 containers:

  • Database
  • Apache/PHP/CMS
  • SFTP-Server with proftpd

The sftp container and the webserver are sharing a volume, so a developer/user can access the data.
In the future we’re planning to have 1000+ stacks like this.

How do I give SIMPLE access to the sftp containers? My idea is that you give a hostname for every sftp container and do some service discovery and automatic config, like this:

sftp.example.com
sftp.mywebsite.com

I do something like this already with an nginx reverse proxy and confd for the webservers. So basically I need a domain based reverse proxy for SSH/SFTP. Apparently it is impossible to achieve this because of this: http://serverfault.com/a/34567

It’s okay when I have to change my design a little bit if somebody knows how to solve this. The only requirements I have are:

  • SFTP should be on port 22 and I have to use SFTP (!)
  • Access should be based on a unified hostname (sftp.domainname.com) for every stack

Is anybody familiar with https://github.com/jwilder/nginx-proxy ? Something like this but for sftp.

I thought about using a single sftp-container for my whole environment that has all volumes mounted, but that seems like a bad idea to me and you’re losing the ability to take the whole stack and run it somewhere else (maybe even without Rancher).

Thanks in advance!

Just quickly off the top of my head, I don’t see why a simple SSHD daemon wouldn’t work, as long as you’re prepared to instruct your users to set up tunnelling using a simple entry in their SSH config files. I’m basing this on the assumption that the HostName directive value that must be specified in that file is resolved by the host being connected to, not the client - this may be a deal breaker if I’m wrong.

There’s also the alternative of using unique port numbers.

Thanks for your reply.

I already considered using an SSH client config and a jumphost configuration, but then you wouldn’t be able to update that configuration automatically and you always need to have that specific config for everybody. The config should happen completely on the server side, if possible.

Unique port numbers are no option.

My thinking was that you would, if the target HostName specified in the client config file is resolved by the jumphost, not the client. The client always connects to the jumphost, the jumphost resolves the HostName directive value sent through (via Rancher DNS) and forwards the traffic appropriately.

Yes, I understand your idea. But it’s not flexible enough for me. I can’t tie my infrastructure to SSH clients. It should work out of the box.
Besides, there are many SSH clients and many platforms they run on. Most of our developers are working with PhpStorm (it has a built-in SSH client), some use WinSCP etc.

My latest idea would be to use proftpd virtualhosts and change the way I work with volumes.

Fair enough, it’s a tricky use case. Please do post back if you succeed, I’d be interested in the solution. Cheers

We use https://github.com/tg123/sshpiper to achieve something like this. It can proxy SSH connections on to containers/hosts based on the username presented. Unsure if it’ll work for SFTP, but SCP should work.

Could be interesting too…

Anyone found a working reverse proxy solution for (s)ftp / ftps / scp?

Best solution at the moment could be https://github.com/tg123/sshpiper with docker-gen (build a single file and split it by a -notify script)…
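The "build a single file and split it by a -notify script" approach from the post above, written out as an added example that is not from this thread nor from the sshpiper or docker-gen projects. It assumes docker-gen renders one file with a `username upstream_host:port` line per stack (one sftp username per stack, e.g. `example` for sftp.example.com), and that sshpiper's working directory layout is `<workingdir>/<user>/sshpiper_upstream` holding `host:port`; the hostnames in the sample are constructed.

```shell
#!/bin/sh
# Hypothetical docker-gen -notify helper (not part of sshpiper or docker-gen).
# docker-gen renders one file with "username upstream_host:port" per line;
# this splits it into sshpiper's assumed per-user working directory layout.
set -eu

# Constructed sample of what the docker-gen template is assumed to emit.
write_sample_upstreams() {
    cat > "$1" <<'EOF'
example       sftp-example.stack1.rancher.internal:22
mywebsite     sftp-mywebsite.stack2.rancher.internal:22
../evil       10.0.0.1:22
EOF
}

# Split "$1" (rendered file) into per-user directories under "$2".
# Malformed or unsafe lines are skipped rather than written.
split_upstreams() {
    infile=$1; workdir=$2
    mkdir -p "$workdir"
    keep=$(mktemp)
    while read -r user upstream _rest; do
        # Only allow plain usernames: no path separators, dotfiles or option-like
        # names, so a hostile container name cannot escape the working directory.
        case "$user" in
            ''|-*|.*|*/*|*[!A-Za-z0-9._-]*) continue ;;
        esac
        case "$upstream" in
            *:*) ;;
            *) continue ;;   # require host:port
        esac
        mkdir -p "$workdir/$user"
        # Write to a temp file and rename so sshpiper never reads a partial file.
        printf '%s\n' "$upstream" > "$workdir/$user/sshpiper_upstream.tmp"
        chmod 0600 "$workdir/$user/sshpiper_upstream.tmp"
        mv "$workdir/$user/sshpiper_upstream.tmp" "$workdir/$user/sshpiper_upstream"
        printf '%s\n' "$user" >> "$keep"
    done < "$infile"
    # Drop users whose containers no longer appear in the rendered file.
    for d in "$workdir"/*/; do
        [ -d "$d" ] || continue
        u=$(basename "$d")
        grep -qx -- "$u" "$keep" || rm -rf -- "$d"
    done
    rm -f "$keep"
}
```

Point docker-gen's `-notify` at this script (after rendering to the file it takes as `$1`) and sshpiper picks up new or removed stacks without a restart.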