08. Role: Storage Server (RustFS + SFTPGo)

This server provides object storage (S3-compatible, via RustFS) and an access gateway (SFTP/FTP/HTTP via SFTPGo), with Caddy as reverse proxy and TLS terminator. RustFS and the SFTPGo web interface listen on localhost only and are reached through Caddy; SFTP and FTPS are exposed directly by SFTPGo, subject to the firewall rules below.

8.1 Package Installation

8.1.1 Caddy (Reverse Proxy)

Use the official repository to get the current version. These are the upstream instructions; -1sLf makes curl fail on an HTTP error instead of piping an error page into gpg.

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.list' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
# apt fetches as the unprivileged _apt user, so both files must be world-readable
sudo chmod o+r /usr/share/keyrings/caddy-stable-archive-keyring.gpg
sudo chmod o+r /etc/apt/sources.list.d/caddy-stable.list
sudo apt update && sudo apt install -y caddy

8.1.2 SFTPGo

Install from the official SFTPGo repository.

# Import the signing key (-f: fail on an HTTP error rather than dearmoring an error page)
curl -fsS https://download.sftpgo.com/apt/gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/sftpgo-archive-keyring.gpg

# Add the source list (Debian 13 Trixie)
echo "deb [signed-by=/usr/share/keyrings/sftpgo-archive-keyring.gpg] https://download.sftpgo.com/apt trixie main" | sudo tee /etc/apt/sources.list.d/sftpgo.list

# Install SFTPGo (the package creates the sftpgo service user and sftpgo.service)
sudo apt update && sudo apt install -y sftpgo

8.1.3 RustFS

Download the official binary and install it as a systemd service. If the release publishes a checksum, verify it before installing. The service runs as a dedicated system account with no password and no login shell.

# Download the binary, then install it as root with mode 0755
wget https://github.com/rustfs/rustfs/releases/latest/download/rustfs-linux-amd64 -O /tmp/rustfs
sudo install -m 0755 /tmp/rustfs /usr/local/bin/rustfs

# Dedicated service account; its home is used as the working directory of the unit
sudo adduser --system --group --shell /usr/sbin/nologin --home /home/storage-user storage-user

RustFS systemd unit

Save as /etc/systemd/system/rustfs.service, then run systemctl daemon-reload and systemctl enable --now rustfs. The unit expects /etc/rustfs/config.toml to exist already.

[Unit]
Description=RustFS Storage Service
After=network.target

[Service]
Type=simple
User=storage-user
Group=storage-user
WorkingDirectory=/home/storage-user
# Bind to localhost only: RustFS is reached through Caddy, never directly
ExecStart=/usr/local/bin/rustfs serve --bind 127.0.0.1:9000 --config /etc/rustfs/config.toml
Restart=always
RestartSec=5

# Sandboxing. ProtectSystem=full keeps /usr, /boot and /etc read-only;
# ProtectHome is left off because the working directory lives under /home.
ProtectSystem=full
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
LockPersonality=yes

[Install]
WantedBy=multi-user.target

8.2 Caddy Configuration (Reverse Proxy and TLS)

File location: /etc/caddy/Caddyfile

Caddy obtains and renews the certificates automatically and forwards traffic to the backends. Two things in the template are deliberate. RustFS gets its own hostname instead of a path prefix: S3 clients sign the request path (SigV4), so behind a /s3/ prefix RustFS would either treat "s3" as a bucket name or, if Caddy stripped the prefix, reject the signature. And the SFTPGo web interface is an administrative surface, so only the campus subnet may reach it; other clients get an empty response. Check the file with caddy validate --config /etc/caddy/Caddyfile before systemctl reload caddy.

Configuration template:

# S3 API (RustFS) on its own hostname
s3.<YOUR_DOMAIN> {
    log {
        output file /var/log/caddy/s3_access.log
        format json
    }
    reverse_proxy 127.0.0.1:9000
}

storage.<YOUR_DOMAIN> {
    # Logging (JSON, so CrowdSec can parse it)
    log {
        output file /var/log/caddy/storage_access.log
        format json
    }

    # Reverse proxy to the SFTPGo web admin/client and REST API.
    # SFTPGo serves them under /web/, /api/ and /static/ by default; terminating
    # TLS here means no certificate configuration in SFTPGo's httpd section.
    # Restricted to the campus network because this is the admin surface.
    @sftpgo {
        path /web/* /api/* /static/*
        remote_ip <YOUR_CAMPUS_SUBNET>
    }
    reverse_proxy @sftpgo 127.0.0.1:8080

    # Security headers
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Referrer-Policy "strict-origin-when-cross-origin"
        -Server
    }
}

8.3 Using Caddy's Certificate for Other Services

Some services (such as FTPS in SFTPGo) need direct access to the certificate files. Caddy stores them under /var/lib/caddy/.local/share/caddy/ (the Debian package runs Caddy with /var/lib/caddy as its home directory).

8.3.1 Certificate Access Permissions

The quickest way to let SFTPGo read Caddy's certificate is group access. Caddy creates its data directory, the certificates/ tree below it and the key files without any group permission, so the group bit has to be set on every directory along the path and on the files, not only on the top directory:

# Add the sftpgo user to the caddy group
sudo usermod -aG caddy sftpgo

# Directories need x to traverse and r to list; files need r
sudo chmod g+rx /var/lib/caddy /var/lib/caddy/.local /var/lib/caddy/.local/share /var/lib/caddy/.local/share/caddy
sudo chmod -R g+rX /var/lib/caddy/.local/share/caddy/certificates

# Group membership only takes effect for newly started processes
sudo systemctl restart sftpgo

Two caveats. Caddy rewrites the key file with owner-only permissions on every renewal, so the chmod has to be repeated after each renewal (for example from a daily timer) or FTPS breaks when the certificate rotates. And this grants sftpgo read access to Caddy's whole data directory, including the ACME account key, which is more than it needs; copying the certificate and key into a directory SFTPGo owns is the tighter alternative.

8.3.2 SFTPGo Configuration (FTPS/WebDAV TLS)

Point SFTPGo at Caddy's certificate files in /etc/sftpgo/sftpgo.json. FTPS needs no separate switch: it is available as soon as a certificate and key are configured, and tls_mode decides whether cleartext sessions are still accepted (0 = cleartext or explicit TLS, 1 = explicit TLS required, 2 = implicit TLS). Use 1 so credentials never cross port 21 in the clear. passive_port_range must match the passive range opened in the firewall; if the server sits behind NAT, also set force_passive_ip on the binding to the public address. The webdavd bindings take the same certificate_file and certificate_key_file keys.

"ftpd": {
  "bindings": [
    {
      "port": 21,
      "tls_mode": 1,
      "certificate_file": "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/storage.<YOUR_DOMAIN>/storage.<YOUR_DOMAIN>.crt",
      "certificate_key_file": "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/storage.<YOUR_DOMAIN>/storage.<YOUR_DOMAIN>.key"
    }
  ],
  "passive_port_range": {
    "start": 10000,
    "end": 10100
  }
}

After editing, restart sftpgo and confirm with an FTP client that a login without TLS is refused.
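The group-permission approach in 8.3.1 has to be repeated after every renewal and opens Caddy's whole data directory to sftpgo. The script below is an added example (not part of this page's setup, and not SFTPGo's or Caddy's own tooling) that does the copy variant instead: it installs the certificate and key for one hostname into a directory owned by root and readable by the sftpgo group, refuses a key that does not belong to the certificate, and sends SIGHUP to sftpgo.service only when a file actually changed (SFTPGo reloads its TLS certificates on SIGHUP). Assumptions: Caddy's data directory and ACME directory name as shown in 8.3, the destination /etc/sftpgo/tls (a name chosen here, not an SFTPGo default), the group sftpgo and the unit name sftpgo.service from the Debian package. The single argument is the hostname Caddy issued the certificate for, e.g. storage.<YOUR_DOMAIN>.

```shell
#!/bin/sh
# sync-caddy-cert.sh: copy the certificate Caddy manages for one hostname into a
# directory SFTPGo can read, and tell SFTPGo to reload it when it changed.
# Added example; the paths, group and unit name below are assumptions.
set -eu

CADDY_DATA="${CADDY_DATA:-/var/lib/caddy/.local/share/caddy}"
ACME_DIR="${ACME_DIR:-acme-v02.api.letsencrypt.org-directory}"
SFTPGO_TLS_DIR="${SFTPGO_TLS_DIR:-/etc/sftpgo/tls}"   # chosen here, not an SFTPGo default
SFTPGO_GROUP="${SFTPGO_GROUP:-sftpgo}"                # group of the package's service user

# sync_cert SRC_DIR NAME DST_DIR GROUP
# Installs NAME.crt and NAME.key from SRC_DIR into DST_DIR as root:GROUP 0640,
# touching only files whose content differs from what is already there.
# Exit status: 0 = something was updated, 1 = already up to date,
# 2 = source files missing, 3 = key does not belong to the certificate.
sync_cert() {
  src="$1"; name="$2"; dst="$3"; group="$4"; changed=1
  [ -r "$src/$name.crt" ] && [ -r "$src/$name.key" ] || return 2

  # Refuse a mismatched pair (e.g. a renewal caught half-way through)
  if command -v openssl >/dev/null 2>&1; then
    crt_pub=$(openssl x509 -noout -pubkey -in "$src/$name.crt" 2>/dev/null) || crt_pub=""
    key_pub=$(openssl pkey -pubout -in "$src/$name.key" 2>/dev/null) || key_pub=""
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] || return 3
  fi

  # Directory readable by the group, not by others; files never group-writable
  install -d -m 0750 -g "$group" "$dst"
  for f in "$name.crt" "$name.key"; do
    if [ ! -f "$dst/$f" ] || ! cmp -s "$src/$f" "$dst/$f"; then
      install -m 0640 -g "$group" "$src/$f" "$dst/$f"
      changed=0
    fi
  done
  return $changed
}

main() {
  name="$1"
  rc=0
  sync_cert "$CADDY_DATA/certificates/$ACME_DIR/$name" "$name" "$SFTPGO_TLS_DIR" "$SFTPGO_GROUP" || rc=$?
  case $rc in
    0) echo "certificate for $name updated, reloading SFTPGo"
       # SFTPGo reloads its TLS certificates on SIGHUP; no restart needed
       systemctl kill -s HUP sftpgo.service ;;
    1) ;;  # unchanged, nothing to do
    *) echo "sync failed for $name (status $rc)" >&2; exit "$rc" ;;
  esac
}

# usage (as root, from a daily timer or cron job): sync-caddy-cert.sh storage.<YOUR_DOMAIN>
[ $# -eq 0 ] || main "$@"
```

With this in place, certificate_file and certificate_key_file in sftpgo.json point at /etc/sftpgo/tls/storage.<YOUR_DOMAIN>.crt and .key, and the group membership and chmod from 8.3.1 are not needed.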

8.4 Firewall Rules (UFW)

Service exposure follows the network classification. The rules sit on top of a default-deny inbound policy; the backend ports (9000 for RustFS, 8080 for the SFTPGo web interface) stay closed because both are bound to localhost and reached only through Caddy. Port 20 is not opened: active-mode FTP data connections are initiated outbound by the server, so nothing ever needs to reach port 20 from outside.

# Public services (0.0.0.0/0)
# HTTP/HTTPS (Caddy; 80 is needed for ACME challenges and the HTTPS redirect)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# FTPS (SFTPGo): control channel plus the passive data range from sftpgo.json
sudo ufw allow 21/tcp
sudo ufw allow 10000:10100/tcp # FTP passive ports

# Restricted services (campus-wide, <YOUR_CAMPUS_SUBNET>)
# SFTP (SFTPGo)
sudo ufw allow from <YOUR_CAMPUS_SUBNET> to any port 2222 proto tcp
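A check that belongs next to these rules, added here as an example and not part of the page's setup: list every TCP listener bound to something other than loopback whose port is not one the firewall intentionally exposes. It catches a RustFS or SFTPGo web binding that drifted to 0.0.0.0 before anyone relies on the firewall alone. The expected-port list mirrors the rules above; the ss output embedded for --demo is constructed, and the unexpected_listeners function is the author's own parsing of the ss -Hltn line format.

```shell
#!/bin/sh
# audit-listeners.sh: report TCP listeners reachable from the network that are
# not among the ports the firewall is meant to expose (added example).
set -eu

# Ports and start-end ranges intentionally reachable from the network
EXPECTED_PORTS="80 443 21 10000-10100 2222"

# unexpected_listeners EXPECTED < ss-output
# Reads lines as printed by `ss -Hltn` (listening TCP sockets, numeric, no
# header) and prints "ADDRESS PORT" for every socket bound to an address other
# than 127.0.0.1 or [::1] whose port is not covered by EXPECTED.
unexpected_listeners() {
  awk -v expected="$1" '
    BEGIN {
      n = split(expected, spec, " ")
      for (i = 1; i <= n; i++) {
        if (split(spec[i], r, "-") == 2) { lo[i] = r[1] + 0; hi[i] = r[2] + 0 }
        else { lo[i] = spec[i] + 0; hi[i] = spec[i] + 0 }
      }
    }
    function is_expected(p,   i) {
      for (i = 1; i <= n; i++) if (p >= lo[i] && p <= hi[i]) return 1
      return 0
    }
    NF >= 4 {
      # ss -Hltn columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
      sock = $4
      port = sock; sub(/.*:/, "", port)        # text after the last colon
      addr = sock; sub(/:[^:]*$/, "", addr)    # text before the last colon
      if (addr == "127.0.0.1" || addr == "[::1]") next
      if (!is_expected(port + 0)) print addr, port
    }'
}

# Constructed sample of ss -Hltn output for the demo: RustFS and the SFTPGo web
# interface are wrongly bound to 0.0.0.0 here; everything else is as intended.
sample_ss_output() {
  cat <<'EOF'
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("caddy",pid=612,fd=7))
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("caddy",pid=612,fd=8))
LISTEN 0 4096 0.0.0.0:9000 0.0.0.0:* users:(("rustfs",pid=701,fd=3))
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:* users:(("sftpgo",pid=733,fd=9))
LISTEN 0 4096 [::]:2222 [::]:* users:(("sftpgo",pid=733,fd=7))
LISTEN 0 4096 0.0.0.0:21 0.0.0.0:* users:(("sftpgo",pid=733,fd=8))
LISTEN 0 128 0.0.0.0:10050 0.0.0.0:* users:(("sftpgo",pid=733,fd=12))
LISTEN 0 128 [::1]:8081 [::]:* users:(("sftpgo",pid=733,fd=10))
EOF
}

# usage: audit-listeners.sh --live   (audits this host with ss)
#        audit-listeners.sh --demo   (runs against the constructed sample)
main() {
  if [ "${1:-}" = "--demo" ]; then
    out=$(sample_ss_output | unexpected_listeners "$EXPECTED_PORTS")
  else
    out=$(ss -Hltn | unexpected_listeners "$EXPECTED_PORTS")
  fi
  if [ -n "$out" ]; then
    printf 'listeners reachable from the network but not in the firewall plan:\n%s\n' "$out" >&2
    exit 1
  fi
  echo "only expected ports are exposed"
}

[ $# -eq 0 ] || main "$@"
```

Run it with --live after every configuration change to RustFS or SFTPGo; a non-zero exit with 9000 or 8080 in the output means a backend is listening on a real interface and is one firewall mistake away from being public.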

8.5 CrowdSec Integration

These two collections parse the Caddy access log and the SFTPGo log to detect brute-force attempts and other abusive behaviour. After installing them, point CrowdSec at the log files through an acquisition entry (type caddy for /var/log/caddy/storage_access.log, which is written as JSON above, and the SFTPGo log file under /var/log/sftpgo/) and reload CrowdSec.

sudo cscli collections install Azlaroc/sftpgo
sudo cscli collections install crowdsecurity/caddy

Note: blocking (remediation) happens automatically at the firewall level through crowdsec-firewall-bouncer-nftables (configured in the baseline). The bouncer drops all traffic from a banned source address, which covers ports 80, 443, 21 and 2222.

Caveat: the SFTPGo web interface only ever sees connections from 127.0.0.1 (Caddy). Unless SFTPGo is told to trust Caddy's X-Forwarded-For header (proxy_allowed and client_ip_proxy_header in the httpd binding of sftpgo.json), failed web logins are logged against 127.0.0.1 and a ban would hit the proxy rather than the attacker. The SFTP and FTPS listeners are not affected, since clients connect to them directly.