Case Studies
These examples and step by step procedures are means to help users understand advanced functionality that CrushFTP provides. These are more advanced topics not meant for the average scenario.
Running CrushFTP in the DMZ and proxying connections to an internal server.
Some organizations will not allow direct connections from the outside world through their firewall to their CrushFTP server. In these cases, you can run a CrushFTP server in the DMZ which handles connections, and it then makes requests on behalf of the user to the internal server. This prevents users having direct access to the internal server, and can off-load encryption on the DMZ server. You can also use the ReverseSocket plugin in this scenario to have the internal server always make outgoing connections to the DMZ server so that no incoming firewall access needs to be allowed. The internal server doesn't have to be a CrushFTP server either. You could use this type of method to provide secure protocols over another server such as the IIS FTP daemon, or other existing legacy servers. [Guide]
Using LDAP to handle user authentication.
CrushFTP has an included plugin called CrushLDAPGroup. This plugin allows you to configure an LDAP server to handle authentication of CrushFTP users. You can then have the plugin operate in three different authentication modes.
- The plugin makes a virtual user, and assigns it access to the homeDirectory field in the LDAP tree. This user doesn't exist in the user manager, but loads its settings from a template style user in the user manager.
- The plugin makes a virtual user, and assigns it access to a new folder created in a specified path that has the same name as the user logging in. This user doesn't exist in the user manager, but loads its settings from a template style user in the user manager
- The plugin accepts the user's credentials, then forwards the connection to the user manager to find a matching user there. If found, it then assigns the specified virtual file system to the user, and any other settings configured. Its only authentication that is being done in the plugin.
The plugin can also limit access to users who are found in a list of specified roles, and are part of the search base location. As with all plugins, you can create multiple LDAP configurations, and they will be searched in order until a plugin configuration matches the user. This allows you to configure a primary LDAP and backup LDAP configuration. You can also enter two URLs on one plugin, separating each of the full URLs with a comma.
Enforcing file at rest security using PGP keys.
The CrushFTP user manager allows you to configure PGP encryption / decryption settings on any folder item a user has access to. This configuration can operate in dual mode, both removing encryption, and adding encryption on a single incoming, or outgoing file transfer. The ideal scenario for this might be applying a specific encryption key on files being delivered to the HR folder. When a user uploads to that folder, you could have your own global company private key stripping the encryption off the file the user is sending that they encrypted using your company's public key. Then at the same time the files are being encrypted with the HR departments public key. No one can then access those files unless they have the private key. HR employees downloading the files would use their own PGP software to remove the encryption on the files. This ensures that no one else could have viewed or tampered with the file in any way. So users are sending data to your company encrypted using your public key, and you are stripping that and writing the data to specific folders using another departments key.
Setting up an always on bandwidth acceleration proxy in the cloud.
You can configure an always on CrushTunnel configuration that
can be running on a cloud server. This can be a Linux VM
running in Amazon's cloud, or a Virtual Private Server with
DigitalOcean, etc. Below is an example command to start up the
tunnel, allowing you to them have a static IP that will have
all data tunneled through it. An ideal scenario for this is
for users who have geographically diverse users. You could
have an European CrushTUnnel running that has the DNS name
eruope.domain.com, and a us one that has us.domain.com while
you are running your server in Australia. Users in the US
would access your server with the appropriate domain name, and
they would be directed through the CrushTunnel. Any uploads or
downloads they do would now run at full bandwidth speed.
java -cp CrushTunnel.jar com.crushftp.tunnel2.Tunnel2
protocol=https host=crushftp.com port=443 username=demo
password=demo
At launch, CrushTunnel will get the tunnel for the specified
account, and listen for connections on the port configured in
the tunnel. It will remain running indefinitely processing
connections.
Setting up a Virtual Private Server (VPS) in the cloud.
If you don't have a lot of bandwidth, or machines you can leave always running, it might make sense to run CrushFTP in a VM hosted somewhere else. I've provided a guide stepping through the details of configuring a headless Linux server to run CrushFTP and managing it. [Guide]
Configuring CrushTask.
The CrushTask plugin allows for very straight forward operations (moving uploaded files to another folder) and very complex operations. Here are a couple possible scenarios that could be of benefit.
- Write a text file with the custom upload forms contents, and file names uploaded by the user.
- Copy this text file, and all the files uploaded to a secondary backup SFTP server #1 multithreaded.
- Copy this text file, and all the files uploaded to a secondary backup SFTP server #2 multithreaded.
- Copy this text file, and all the files uploaded to a secondary backup SFTP server #3 multithreaded.
- Wait for the prior copy operations to complete, then continue processing.
- POST a HTTP message to a WebApplication server informing it of the files uploaded, and some of the custom form elements.
- Send an email notification to the user thanking them for the uploads, and confirming the custom form data received.
- Encrypting the original files using PGP encryption.
- Zipping the PGP encrypted file.
- Moving the zipped file to an archive folder.
Setting up an automated email monitor that grabs attachments from new emails.
Enterprise users have the option of scheduling jobs to run at specified intervals. A good use for this could be running a CrushTask sequence of items. Have CrushTask use a UsersList task item to go through a list of usernames. Then have it call the PopImap task item and use the user's email address, and their configured IMAP settings to connect to the IMAP server to find messages matching the configuration. This could be messages that have a certain subject, or attachments with a certain name or size. These files can then be saved off, and added to the user's virtual file system. As an added bonus you could then have the next task item send a notification email to the user confirming the arrival of these newly found files.
- UsersList task to find all your users, and call the PopImap task item below repeatedly for each user found.
- Jump to end of tasks and stop.
- PopImap task item to find unread emails for the user, grabbing emails with a subject containing 'auto' and attachments ending with '.txt'.
- Send an email to the user letting them know we downloaded some attachments.
- Jump to end of tasks and stop.
- Wait task item for zero seconds ('end of tasks')
CrushFTP is an extremely powerful, easy to use solution that runs on almost everything: macOS 10.9+/11/12+, Win2012+, Linux, Solaris, BSD, Unix, etc! Any OS that can run Java 8 at a minimum can run CrushFTP.