Documentation

HTTP web service

An http authentication method asks a remote HTTP server to authenticate an account and provide the account's configuration.

Note

This authentication method can't be used with the Web Manager services.

To get more details about the request format and the expected result, see the dedicated HTTP authentication protocol documentation.

name

Default value:

''

Optional:

Yes

From version:

2.10.0

Values:

  • Any text.

Description:

Human-readable short text used to identify this method.

description

Default value:

''

Optional:

Yes

From version:

2.10.0

Values:

  • Any text.

Description:

Human-readable text that describes the purpose of this authentication method.

type

Default value:

''

Optional:

No

From version:

2.10.0

Values:

  • application - Application accounts.

  • os - Accounts authenticated by the OS.

  • http - HTTP (unsecured).

  • ip-time-ban - Ban an IP address for a time interval.

  • deny-username - Deny authentication based on usernames.

  • anonymous - Anonymous account authentication.

  • ldap - Authenticate against an LDAP server.

  • local-file - Authenticate the accounts from a separate local file.

  • radius - Authenticate via a RADIUS server.

  • entra-id - Microsoft Entra ID

  • google-identity - Google Identity

Description:

This option specifies the type of the method. Each type has a set of specific configuration options

url

Default value:

''

Optional:

No

Values:

  • URL

  • Comma separated list of URLs (Since 3.51.0)

From version:

2.10.0

Description:

Full URL of a resource used to authenticate an account.

You can define a fall-back/redundant URL using a comma separates list of URLs. The first URL from the list will be used. When failing to get a response for the first URL, the remaining URLs are tried. Since 3.51.0.

timeout

Default value:

120

Optional:

Yes

Values:

  • Number of seconds.

From version:

4.13.0

Description:

Duration, in seconds, to wait for a response from the HTTP server.

If a response is not received during this period, the authentication fails.

username

Default value:

''

Optional:

yes

From version:

3.30.0

Values:

  • Text.

Description:

Username used to authenticate to the remote HTTP server.

Leave this value empty in order to leave out HTTP Basic authentication.

This will overwrite any custom Authorization header set via the headers configuration option.

Warning

For now, only HTTP Basic authentication is supported. This will send the username and password in clear text (BASE64 encoded).

password

Default value:

''

Optional:

Yes

From version:

3.30.0

Values:

  • Plain text password.

  • Empty.

Description:

Password associated with the configured username.

headers

Default value:

''

Optional:

Yes

From version:

4.4.0

Values:

  • Header-Name: Header-Value

  • Multiple headers on separate lines

Description:

This defines a set of extra headers which are sent with each HTTP request.

test_at_start

Default value:

Yes

Optional:

Yes

From version:

4.5.0

Values:

  • Yes

  • No

Description:

When set to Yes it will check at startup that the configured URL can be reached and fail to start if the URL is not available to respond to authentication requests.

proxy

Default value:

''

Optional:

Yes

Values:

  • URI like expression.

  • connect://12.342.421.2:3128

  • disabled (since 5.14.0)

From version:

3.20.0

Description:

This configuration adds the proxy used to connect to the final URL.

For now, only the HTTP/1.1 CONNECT tunneling proxy method is supported.

Leave it empty to use the general proxy configuration.

Set to disable to disable using a proxy.

ssl_certificate_authority

Default value:

set-on-first-connection

Optional:

Yes

Values:

  • PEM content of a CA chain (Since 3.40.0)

  • PEM content of a pinned public key (Since 5.1.0)

  • Absolute path to a local file

  • set-on-first-connection (Since 5.0.0)

  • pin-public-key (Since 5.1.0)

  • ${MOZILLA_CA_ROOTS} (Since 5.0.0)

  • ${GOOGLE_CA_ROOTS} (Since 5.11.0)

  • ${DIGICERT_CA_ROOTS} (Since 5.12.0)

  • ${LETS_ENCRYPT_X3_CA}

  • ${MICROSOFT_IT_CA}

  • ${GO_DADDY_G2_G1}

  • disable-identity-security (Since 5.0.0)

From version:

1.6.0

Description:

This is used to validate the identity of the remote server.

Remote server identity can only be validated when the remote address or URL is configured using a fully-qualified domain name. IP-based validation would always fail as this is not a method accepted by Certificate Authorities (CAs).

Configured certificates need to be in PEM format.

Multiple Certificate Authorities can be configured, one after the other. They can be multiple root CAs or intermediate CAs.

Warning

When disable-identity-security is set, the identity of the remote server is not validated. All remote servers are accepted without validating their TLS/SSL certificates. Communication is encrypted and data is protected in transit. This can result in an encrypted connection to an unknown server.

When set-on-first-connection is used, the Certificate Authority of the remote server is configured automatically. The set-on-first-connection configuration value is automatically replaced by the actual CA chain of the remove server on the very first connection. For all subsequent connections, the server identity is validated against the automatically configured CA chain.

When pin-public-key is set, SFTPPlus accepts server certificates that have the same public key as the one discovered during the first connection to this server. This is used to implement certificate and public key pinning. SFTPPlus only pins the public key. This can be used for self-signed server certificates.

You can configure the client to validate the server's identity based on a fixed list of public keys. In this way, you can implement public key pinning. When public key validation is used, the public key infrastructure (PKI) certificate policies are not enforced. For example, the server certificate is accepted even if it's expired or issued for a different hostname.

This can be defined as an absolute path on the local filesystem to a file containing the certificates of the Certificate Authorities used to validate the remote peer.

A series of bundle CAs are distributed with SFTPPlus. They can be configured together and mixed with other CA certificates. The bundle CAs are available under the following names:

  • ${MOZILLA_CA_ROOTS} - All the root certification authorities accepted by the Mozilla's CA Certificate Program

  • ${GOOGLE_CA_ROOTS} - All the root certification authorities handled by Google Trust Services

  • ${LETS_ENCRYPT_X3_CA} - For Let's Encrypt X3 certificate authority.

  • ${MICROSOFT_IT_CA} - For all Microsoft IT CA certificates.

  • ${DIGICERT_CA_ROOTS} - For all Digicert CA certificates. used by SharePoint Online and other services provided by Microsoft.

  • ${GO_DADDY_G2_G1} - For all GoDaddy Certificate Bundles, G2 With Cross to G1.

Only servers using certificates signed by one of the configured Certificate Authorities are allowed to communicate with this client.

Leave it empty to disable checking the identity of the remote server.

ssl_domains

Default value:

Empty

Optional:

Yes

Values:

  • Fully qualified domain name (FQDN)

  • Comma separated list of fully qualified domain names

  • Empty

From version:

3.42.0 This configuration option defines the domain for which SFTPPlus will request certificates from the Let's Encrypt server.

The same domain can be shared by multiple services.

The domain name is handled as a case-insensitive lower case value.

You can generate a certificate with multiple domain names (Subject Alternative Name - SAN), by defining a comma-separated list of domain names. The first name from the list is used as the common name of the certificate, while the remaining names are used for the SAN extension.

For this option to be used, you need to define a lets-encrypt resource.

tls_private_certificate

Default value:

Empty

Optional:

Yes

Values:

  • UUID of a private-certificates vault item.

  • Empty

From version:

5.20.0

Description:

The private key and certificate to be used by this component for TLS communication.

This certificate is sent to the remote peer during the SSL/TLS handshake process.

When left empty, the default certificate is used.

ssl_certificate_revocation_list

Default value:

Empty

Optional:

Yes

Values:

  • Comma separated list of CRL paths or HTTP URLs.

  • crl-distribution-points

  • ${MICROSOFT_IT_CRL}

  • Empty

From version:

1.6.0

Description:

It defines the locations from where one or more CRLs will be loaded.

Multiple CRLs are defined as a comma separated list.

It supports local files with absolute paths, in either of the following formats:

  • file:///unix/absolute/test-ca.crl

  • file://c:\\windows\\absolute\\test-ca.crl

Retrieving the CRL over HTTP is also supported. The HTTP request is done using non-persistent HTTP/1.1 connections. The URL will look as follows:

  • http://example.com/some.crl

CRL distribution points (CDP) are supported by using the crl-distribution-points configuration value.

When CRL distribution points are configured, the local certificate defined at ssl_certificate needs to have the CDP extension. The CDP advertised in the local certificate is loaded at startup in order to validate the configuration.

The distribution points configuration is mutually exclusive with local file or HTTP url configurations. When the certificate revocation list is configured to use CDP, all other configured CRL location are ignored.

Warning

HTTP redirection is not yet supported for CRL URLs. You have to configure the exact URL for the CRL.

Leave it empty to disable certificate revocation checks.

The certificate revocation list can only be used when the component is configured with CA certificates stored in a single file in PEM format.

When multiple or chained CA certificates are configured the CRL is only checked for the peer's certificate and not for the CA certificate or for an intermediate CA.

Warning

CDP publishing Delta CRL are not supported.

Note

If the certificate defines multiple HTTP-based distribution points in the CDP extension, only the first HTTP URI is used. All non HTTP or the other HTTP URIs are ignored.

The CRL file should be stored in PEM or DER format.

Note

This option is ignored if ssl_certificate_authority is not enabled.

ssl_certificate_revocation_list_refresh

Default value:

0

Optional:

Yes

Values:

  • Number of seconds

  • 0

From version:

2.8.0

Description:

This defined the number of seconds after which a configured CRL is reloaded by this component.

When set to 0, the CRL file is initially loaded at startup and then loaded again after the Next Update field advertised in the CRL.

If the Next Publish extension is present in the CRL and this option is set to 0, the CRL will be loaded again at the date and time specified in the Next Publish extension.

If the CRL does not advertise the Next Update field you will have to configure a number of seconds after which the CRL should be reloaded, otherwise you will get a configuration error.

For example, a value of 86400 means that the CRL will be re-read after one day.

For more details about the CRL reloading see the documentation for CRL reloading rules

Note

This option is ignored if ssl_certificate_authority is not enabled.

ssl_cipher_list

Default value:

secure

Optional:

Yes

Values:

  • List of SSL/TLS ciphers in OpenSSL format.

  • secure

From version:

1.7.4

Description:

This defined the list of ciphers accepted by this component while communicating over the network.

The special keyword secure contains all the algorithms that we currently consider secure.

Connections are closed if the remote peer has no common cipher in its list of configured ciphers.

When left empty, it will default to the secure configuration.

More information about the accepted values can be found at the cryptography guide

The format for this value is the same as the one used for defining the OpenSSL cipher list. More information can be found on the OpenSSL site.

ssl_allowed_methods

Default value:

secure

Optional:

Yes

Values:

  • secure

  • all

  • tlsv1.0

  • tlsv1.1

  • tlsv1.2

  • tlsv1.3

From version:

1.7.4

Description:

This defines the comma-separated list of SSL and TLS methods that are accepted by this component during the secure communication handshake.

Set this to secure to allow only the TLS methods that are currently considered secure. For now, this is TLS 1.2 and TLS 1.3 but this might be changed in the future. Any other configured value is ignored.

Set this to all to allow any supported SSL or TLS method. Any other configured value is ignored.

Currently, the following methods are officially supported:

  • tlsv1 or tlsv1.0, which is TLS 1.0.

  • tlsv1.1, which is TLS 1.1.

  • tlsv1.2, which is TLS 1.2.

  • tlsv1.3, which is TLS 1.3.

Note

SSLv3 is still supported, but highly discouraged, due to the SSLv3 POODLE vulnerability. In the case that you need to interact with an old SSL implementation that only supports SSLv3, it is highly recommended to force the usage of the non-CBC cipher RC4-SHA by configuring as:

[services/681f5f5d-0502-4ebb-90d5-5d5c549fac6b]
ssl_cipher_list = RC4-SHA

Support for SSLv3 will be removed in future versions.

SSLv2 is no longer supported since it is not secure.

In version 2.8.0, the following new methods were added: tlsv1.0 (alias for tlsv1), tlsv1.1 and tlsv1.2

Support for tlsv1.3 was added in version 3.47.0.

Prior to version 4.17.0, this was configured as a space separated value.

Operating system / Domain users
External local file