SFTPGo is an open-source SFTP server that supports SFTP, FTP/S, and WebDAV with a web-based admin interface, S3-compatible storage backends, and authentication through SSH keys, passwords, and external identity providers. It provides protocol support, storage integration, user management, and domain configuration equivalent to AWS Transfer Family on your own infrastructure.

This article explains how to deploy SFTPGo as a self-hosted alternative to AWS Transfer Family using Docker Compose with Traefik for automatic HTTPS. It covers user authentication with SSH keys and passwords, storage backend configuration with local filesystem and S3-compatible object storage, multi-protocol access (SFTP, FTP/S, WebDAV), event notifications, and migration from AWS Transfer Family.

Prerequisites

Before you begin, you need to:

• Have access to a Linux-based server as a non-root user with sudo privileges.
• Install Docker and Docker Compose.
• Create a DNS A record pointing to your server's IP address (for example, sftp.example.com).
• (Optional) Provision an S3-compatible object storage bucket for cloud storage backends.

Understanding SFTPGo Architecture

The following table maps AWS Transfer Family components to their SFTPGo equivalents:

AWS Transfer Family	SFTPGo Equivalent	Description
SFTP Endpoint	SFTPGo SFTP Server	Accepts SFTP connections on a configurable port (default: 2022).
Transfer Family Users	SFTPGo User Management	Create and manage users via the web interface or REST API.
S3 Storage Integration	S3-Compatible Backend	Connect to any S3-compatible storage service.
AWS Management Console	Web Admin Interface	Browser-based dashboard for configuration and monitoring.
IAM/Identity Providers	Authentication Methods	SSH keys, passwords, LDAP, and external HTTP authentication.
Custom Hostname	Custom Domain	Configure a custom domain with TLS certificates.
CloudWatch Logs	Event Logging	Built-in logging with webhook and external integrations.
Per-user Bandwidth	Bandwidth Throttling	Configure upload and download limits per user.

SFTPGo runs as a single binary or Docker container that handles all protocols and administrative functions. The architecture includes:

• Protocol Handlers: Separate listeners for SFTP (port 2022), FTP/S (port 2121), and WebDAV (port 10080).
• Web Admin Interface: Management dashboard accessible on port 8080.
• Data Provider: SQLite (default), MySQL, or PostgreSQL database for user and configuration storage.
• Storage Backends: Local filesystem, S3-compatible storage (including Vultr Object Storage), Azure Blob, or Google Cloud Storage.

Deploy SFTPGo with Docker Compose

Docker Compose orchestrates the SFTPGo and Traefik containers, defines persistent storage volumes, and manages networking between services.

1. Create the project directory with subdirectories for data and configuration persistence.

   console Copy

   $ mkdir -p ~/sftpgo/{data,config}
   

   Explain Code

2. Navigate to the project directory.

   console Copy

   $ cd ~/sftpgo
   

   Explain Code

3. Create the .env file to store the domain and Let's Encrypt email used by Traefik.

   console Copy

   $ nano .env
   

   Explain Code

4. Add the following variables. Replace sftp.example.com with your domain and admin@example.com with your email address.

   ini Copy

   DOMAIN=sftp.example.com
   LETSENCRYPT_EMAIL=admin@example.com
   

   Explain Code

   Save and close the file.

5. Create the Docker Compose configuration file.

   console Copy

   $ nano docker-compose.yml
   

   Explain Code

6. Add the following configuration:

   yaml Copy

   services:
     traefik:
       image: traefik:v3.6
       container_name: traefik
       command:
         - "--providers.docker=true"
         - "--providers.docker.exposedbydefault=false"
         - "--entrypoints.web.address=:80"
         - "--entrypoints.websecure.address=:443"
         - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
         - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
         - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
         - "--certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_EMAIL}"
         - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
       ports:
         - "80:80"
         - "443:443"
       volumes:
         - "./letsencrypt:/letsencrypt"
         - "/var/run/docker.sock:/var/run/docker.sock:ro"
       restart: unless-stopped
   
     sftpgo:
       image: drakkan/sftpgo:v2.6
       container_name: sftpgo
       restart: unless-stopped
       ports:
         - "2022:2022"
         - "2121:2121"
         - "10080:10080"
       environment:
         - SFTPGO_HTTPD__BINDINGS__0__PORT=8080
         - SFTPGO_HTTPD__BINDINGS__0__ADDRESS=0.0.0.0
         - SFTPGO_SFTPD__BINDINGS__0__PORT=2022
         - SFTPGO_FTPD__BINDINGS__0__PORT=2121
         - SFTPGO_WEBDAVD__BINDINGS__0__PORT=10080
         - SFTPGO_DATA_PROVIDER__DRIVER=sqlite
         - SFTPGO_DATA_PROVIDER__NAME=/var/lib/sftpgo/sftpgo.db
       volumes:
         - ./data:/srv/sftpgo
         - ./config:/var/lib/sftpgo
       labels:
         - "traefik.enable=true"
         - "traefik.http.routers.sftpgo.rule=Host(`${DOMAIN}`)"
         - "traefik.http.routers.sftpgo.entrypoints=websecure"
         - "traefik.http.routers.sftpgo.tls.certresolver=letsencrypt"
         - "traefik.http.services.sftpgo.loadbalancer.server.port=8080"
       healthcheck:
         test: ["CMD", "sftpgo", "ping", "-c", "/var/lib/sftpgo"]
         interval: 30s
         timeout: 10s
         retries: 3
   

   Explain Code

   Save and close the file.

   The configuration exposes:

   • Port 80, 443: Traefik HTTP/HTTPS entry points for the web admin interface.
   • Port 2022: SFTP protocol connections.
   • Port 2121: FTP/S protocol connections.
   • Port 10080: WebDAV protocol connections.

   Traefik routes the web admin interface (internal port 8080) through HTTPS on the configured domain using Let's Encrypt certificates.

7. Start the SFTPGo and Traefik containers.

   console Copy

   $ docker compose up -d
   

   Explain Code

8. Verify the container is running.

   console Copy

   $ docker compose ps
   

   Explain Code

   The output displays two running containers: SFTPGo and Traefik with Traefik listening on ports 80 and 443.

9. Check the service logs for any errors.

   console Copy

   $ docker compose logs
   

   Explain Code

   For more information on managing a Docker Compose stack, see the How To Use Docker Compose article.

Configure SFTPGo Server

The web administration interface provides initial setup and ongoing configuration management.

1. Open a web browser and navigate to the SFTPGo admin interface at https://sftp.example.com/web/admin, replacing sftp.example.com with your configured domain.

   

2. Create the administrator account on first access:

   • Enter a username (for example, admin).
   • Set a strong password.
   • Confirm the password in the Confirm password field.
   • Click Create admin and Sign in.

3. After the first login, SFTPGo redirects to the two-factor authentication setup page. Select Default and click Enable.

4. Scan the QR code with your authenticator app.

5. Enter the verification code to confirm setup.

6. Save the recovery codes in a secure location.

Enable SFTPGo Defender

The SFTPGo Defender protects against brute-force login attempts by tracking failed logins and automatically banning offending IP addresses. The Defender is disabled by default and must be enabled through environment variables.

1. Open the Docker Compose file.

   console Copy

   $ nano ~/sftpgo/docker-compose.yml
   

   Explain Code

2. Add the following environment variables under the sftpgo service environment: block:

   yaml Copy

   - SFTPGO_COMMON__DEFENDER__ENABLED=true
   - SFTPGO_COMMON__DEFENDER__DRIVER=memory
   - SFTPGO_COMMON__DEFENDER__BAN_TIME=30
   - SFTPGO_COMMON__DEFENDER__THRESHOLD=15
   - SFTPGO_COMMON__DEFENDER__SCORE_INVALID=2
   - SFTPGO_COMMON__DEFENDER__SCORE_VALID=1
   

   Explain Code

   Save and close the file.

   These variables configure:

   • DEFENDER__ENABLED: Activates the brute-force protection.
   • DEFENDER__DRIVER: Stores defender events in memory (use provider for database-backed persistence).
   • DEFENDER__BAN_TIME: Ban duration in minutes.
   • DEFENDER__THRESHOLD: Score threshold that triggers a ban.
   • DEFENDER__SCORE_INVALID: Score added for invalid login attempts.
   • DEFENDER__SCORE_VALID: Score added for valid logins.

3. Redeploy the SFTPGo container to apply the changes.

   console Copy

   $ docker compose up -d
   

   Explain Code

4. Log back in to the admin portal and navigate to IP Manager in the left sidebar. The IP Manager provides two options:

   • IP Lists: Manage and add trusted IP addresses to the Defender allow list.
   • Auto Block List: View all IP addresses automatically blocked by the Defender.

Set Up User Authentication

SFTPGo supports multiple authentication methods including passwords, SSH public keys, and multi-factor authentication. Create users that mirror your AWS Transfer Family user configuration.

Create an SFTP User with Password Authentication

Password authentication uses a username and password pair stored in the SFTPGo data provider. Each user has an isolated root directory on the local filesystem.

1. Navigate to Users in the left sidebar.

2. Click Add to create a new user.

   

3. Configure the user account:

   • Username: Enter the SFTP username.
   • Password: Set a strong password.
   • Under Profile, set Status to Active.

4. Under File system, keep Local disk selected for local storage.

5. Set the Root directory to /srv/sftpgo/USERNAME, replacing USERNAME with the SFTP username configured in the previous step.

6. Click Save to create the user.

Configure SSH Key Authentication

SSH key authentication enables passwordless logins using cryptographic key pairs, matching the key-based authentication model used by AWS Transfer Family.

1. Generate an SSH key pair on the client machine (if not already available).

   console Copy

   $ ssh-keygen -t ed25519 -f ~/.ssh/sftpgo_key -C "sftp-user"
   

   Explain Code

   When prompted for a passphrase, press Enter twice to create the key without a passphrase for passwordless authentication.

2. Display and copy the public key content.

   console Copy

   $ cat ~/.ssh/sftpgo_key.pub
   

   Explain Code

3. In the SFTPGo web interface, navigate to Users, click Actions next to the target user, and select Edit.

4. Scroll to the Public keys section.

5. Paste the entire public key string into the text field.

6. Click Save.

7. Test SSH key authentication from the client. Replace USERNAME with the SFTPGo username and sftp.example.com with your configured domain.

   console Copy

   $ sftp -i ~/.ssh/sftpgo_key -P 2022 USERNAME@sftp.example.com
   

   Explain Code

8. Type exit to close the SFTP session.

   console Copy

   sftp> exit
   

   Explain Code

Enable Multi-Factor Authentication

Multi-Factor Authentication (MFA) requires users to provide a Time-based One-Time Password (TOTP) code in addition to their primary credentials when accessing protected protocols.

1. Navigate to Users, click Actions next to the target user, and select Edit.

2. Expand the ACLs section and locate Require 2FA for.

3. Select the protocols for which 2FA is required.

4. Click Save.

   The user must configure their authenticator app on next login via the WebClient portal.

Configure Storage Backends

SFTPGo supports multiple storage backends including local filesystem, S3-compatible object storage, Azure Blob, Google Cloud Storage, and SFTP. Each user can have a different backend, allowing you to mix local storage and cloud object storage in the same deployment.

Configure Local Filesystem Storage

Local filesystem is the default storage type for SFTPGo users. Each user requires an explicit root directory path on the host, which maps to a directory inside the mounted /srv/sftpgo volume in the container.

1. Navigate to Users, click Actions next to the target user, and select Edit.

2. Under File system, verify Local disk is selected in the Storage dropdown.

3. Set the Root directory to a path such as /srv/sftpgo/USERNAME or any custom path you want. Replace USERNAME with the SFTP username.

4. Click Save.

Configure S3-Compatible Object Storage

Connect SFTPGo to any S3-compatible storage service such as MinIO or Vultr Object Storage.

1. Retrieve your S3-compatible storage credentials from your provider:

   • Hostname/Endpoint (for example, ewr1.vultrobjects.com).
   • Access Key.
   • Secret Key.
   • Bucket Name.

2. Navigate to Users, click Actions next to the target user, and select Edit.

3. Under File system, select S3 (Compatible) from the Storage dropdown.

   

4. Configure the S3 backend settings:

   • Bucket: Enter your bucket name.
   • Region: Enter the region code (for example, ewr1).
   • Access Key: Enter your access key.
   • Access Secret: Enter your secret key.
   • Endpoint: Enter the full endpoint URL (for example, https://ewr1.vultrobjects.com).
   • Key Prefix: Optionally specify a folder prefix to isolate user data.

5. Configure the upload settings:

   • Enable Use path-style addressing for S3-compatible storage endpoints.
   • Set Upload Part Size (MB) to 5 (minimum for multipart uploads).
   • Set Upload Concurrency to 2.

6. Click Save.

7. Create a test file on the client machine.

   console Copy

   $ echo "Hello SFTPGo" > testfile.txt
   

   Explain Code

8. Connect via SFTP to test the configuration. Replace USERNAME with your SFTPGo username and sftp.example.com with your configured domain.

   console Copy

   $ sftp -P 2022 USERNAME@sftp.example.com
   

   Explain Code

9. Upload the test file.

   console Copy

   sftp> put testfile.txt
   

   Explain Code

10. Verify the file appears in the bucket.

    console Copy

    sftp> ls
    

    Explain Code

11. Type exit to close the SFTP session.

    console Copy

    sftp> exit
    

    Explain Code

S3 Backend Limitations

S3-compatible storage has some limitations compared to local filesystem:

• Resume uploads are disabled by default.
• Symbolic links are not supported.
• Directory rename operations are not atomic.
• chmod and chown operations are silently ignored.

Enable Additional Protocols

SFTPGo runs SFTP on port 2022 by default, but it also supports FTP with TLS (FTP/S) and WebDAV for legacy clients and HTTP-based file access. Enabling these protocols extends SFTPGo to match the protocol coverage of AWS Transfer Family, which supports SFTP, FTP/S, and FTP. Each protocol uses its own listener port and shares the same user accounts, authentication backends, and storage configuration.

Set Up Access Controls and Quotas

SFTPGo supports per-user quotas, bandwidth throttling, IP-based restrictions, and directory-level permissions that map directly to AWS Transfer Family's access control features. Each setting applies independently and can be combined to enforce strict resource boundaries.

Configure User Quotas

User quotas restrict how much storage and how many files a user can store.

1. Navigate to Users, click Actions next to the target user, and select Edit.

2. Expand the Disk quota and bandwidth limits section and configure:

   • Quota size: Maximum storage allowed for the user. Set 0 for no limit. The field accepts size suffixes such as MB, GB, or TB.
   • Quota files: Maximum number of files (for example, 10000).

3. Click Save.

Configure Bandwidth Limits

Bandwidth limits cap the maximum upload and download speed for a user.

1. Navigate to Users, click Actions next to the target user, and select Edit.

2. Expand the Disk quota and bandwidth limits section and set:

   • Bandwidth UL (KB/s): Maximum upload speed (for example, 5120 for 5 MB/s).
   • Bandwidth DL (KB/s): Maximum download speed.

3. Click Save.

Configure IP Restrictions

IP restrictions limit which IP addresses or CIDR ranges can connect with a given user account.

1. Navigate to Users, click Actions next to the target user, and select Edit.

2. Expand the ACLs section and locate Allowed IP/Mask.

3. Add allowed IP addresses or CIDR ranges:

   text Copy

   192.168.1.0/24
   10.0.0.0/8
   

   Explain Code

4. Alternatively, configure Denied IP/Mask to block specific addresses.

5. Click Save.

Configure Directory Permissions

Directory permissions grant fine-grained access controls per path within a user's root directory.

1. Navigate to Users, click Actions next to the target user, and select Edit.

2. Expand the ACLs section and under Per-directory permissions, configure directory-level access:

   • Click Add to create a new permission entry.
   • Specify the Path (for example, /uploads).
   • Select allowed operations: List, Download, Upload, Delete, Rename, Create directories.

3. Click Save.

Configure Event Notifications and Logging

SFTPGo provides built-in logging, syslog forwarding, and HTTP webhook event hooks that replace AWS Transfer Family's CloudWatch integration. Log files capture protocol activity and authentication events, while event hooks trigger actions on filesystem operations such as uploads or downloads.

Configure File Logging

1. Create the logs directory.

   console Copy

   $ mkdir -p ~/sftpgo/logs
   

   Explain Code

2. Open the Docker Compose file.

   console Copy

   $ nano ~/sftpgo/docker-compose.yml
   

   Explain Code

3. Append the logs volume to the existing volumes: block under the sftpgo service:

   yaml Copy

   - ./logs:/var/log/sftpgo
   

   Explain Code

4. Append the following logging environment variables to the existing environment: block under the sftpgo service:

   yaml Copy

   - SFTPGO_LOG_FILE_PATH=/var/log/sftpgo/sftpgo.log
   - SFTPGO_LOG_MAX_SIZE=10
   - SFTPGO_LOG_MAX_BACKUPS=5
   - SFTPGO_LOG_MAX_AGE=28
   - SFTPGO_LOG_LEVEL=info
   

   Explain Code

   Save and close the file.

5. Redeploy the container.

   console Copy

   $ docker compose up -d
   

   Explain Code

Configure Event Hooks

SFTPGo supports HTTP webhooks for event notifications.

1. Navigate to Event Manager, then click Actions in the left sidebar.

2. Click Add to create a new action.

3. Configure the action:

   • Name: Enter an action name (for example, webhook-action).
   • Type: Select HTTP.
   • Server URL: Enter your webhook URL.
   • Method: Select POST.

4. Click Save.

5. Click Rules in the left sidebar.

6. Click Add to create a new event rule.

7. Configure the event trigger:

   • Name: Enter a descriptive name (for example, upload-notification).
   • Trigger: Select Filesystem events.
   • Filesystem events: Select Upload.

8. Under Actions, select the action you created in the previous step.

9. Click Save.

Configure Syslog Integration

Forward logs to a centralized logging system.

1. Append the following syslog environment variables to the existing environment: block under the sftpgo service in docker-compose.yml. Replace SYSLOG-SERVER with your syslog server address.

   yaml Copy

   - SFTPGO_SYSLOG__ENABLED=true
   - SFTPGO_SYSLOG__ADDRESS=udp://SYSLOG-SERVER:514
   - SFTPGO_SYSLOG__FACILITY=local0
   

   Explain Code

2. Redeploy the container.

   console Copy

   $ docker compose up -d
   

   Explain Code

Test the Deployment

Verify the deployment by testing connections across the enabled protocols. The following sections cover password-based SFTP, SSH key-based SFTP, and FTP/S connections.

Test SFTP with Password Authentication

1. Create a test file on the client machine.

   console Copy

   $ echo "Hello SFTPGo" > testfile.txt
   

   Explain Code

2. Connect to the SFTP server. Replace USERNAME with your SFTPGo username and sftp.example.com with your configured domain.

   console Copy

   $ sftp -P 2022 USERNAME@sftp.example.com
   

   Explain Code

3. Enter the password when prompted.

4. Upload the test file.

   console Copy

   sftp> put testfile.txt
   

   Explain Code

5. Download the file to verify.

   console Copy

   sftp> get testfile.txt /tmp/testfile-downloaded.txt
   

   Explain Code

6. List the directory contents.

   console Copy

   sftp> ls -la
   

   Explain Code

7. Exit the session.

   console Copy

   sftp> exit
   

   Explain Code

Test SFTP with SSH Key Authentication

1. Connect using the private key. Replace USERNAME with your SFTPGo username and sftp.example.com with your configured domain.

   console Copy

   $ sftp -i ~/.ssh/sftpgo_key -P 2022 USERNAME@sftp.example.com
   

   Explain Code

   The SFTP session opens without prompting for a password, confirming SSH key authentication is working.

2. Type exit to close the session.

   console Copy

   sftp> exit
   

   Explain Code

Test FTP/S with lftp

1. Install the lftp client on the local machine.

   console Copy

   $ sudo apt install lftp -y
   

   Explain Code

2. Connect with explicit TLS. Replace USERNAME with your FTP username and sftp.example.com with your configured domain.

   console Copy

   $ lftp -u USERNAME -p 2121 ftp://sftp.example.com
   

   Explain Code

3. List files to verify the connection.

   console Copy

   lftp> ls
   

   Explain Code

4. Type exit to close the session.

   console Copy

   lftp> exit
   

   Explain Code

Migrate from AWS Transfer Family to SFTPGo

Migrating from AWS Transfer Family to SFTPGo involves exporting users, transferring file data, and updating client connection details. The following subsections cover each migration phase along with AWS-specific features that require manual reconfiguration.

User Migration

Export user configurations from AWS Transfer Family and recreate them in SFTPGo.

1. List AWS Transfer Family users using the AWS CLI.

   console Copy

   $ aws transfer list-users --server-id SERVER-ID
   

   Explain Code

2. Export user details including SSH keys.

   console Copy

   $ aws transfer describe-user --server-id SERVER-ID --user-name USERNAME
   

   Explain Code

3. For each user, note the following information:

   • Username.
   • SSH public keys.
   • Home directory mapping.
   • IAM role (for permission reference only — IAM roles cannot be directly migrated to SFTPGo).

4. Generate an SFTPGo API access token using the admin credentials. Replace ADMIN-USERNAME and ADMIN-PASSWORD with your SFTPGo admin credentials and sftp.example.com with your configured domain.

   console Copy

   $ curl -u ADMIN-USERNAME:ADMIN-PASSWORD https://sftp.example.com/api/v2/token
   

   Explain Code

   The response contains an access_token value. Copy it for use in the next step. The token expires after 15 minutes.

5. Create corresponding users in SFTPGo via the REST API.

   console Copy

   $ curl -X POST "https://sftp.example.com/api/v2/users" \
       -H "Authorization: Bearer ACCESS-TOKEN" \
       -H "Content-Type: application/json" \
       -d '{
         "username": "USERNAME",
         "password": "PASSWORD",
         "status": 1,
         "public_keys": ["SSH-PUBLIC-KEY"],
         "home_dir": "/srv/sftpgo/data/USERNAME",
         "permissions": {"/": ["*"]}
       }'
   

   Explain Code

   Replace:

   • sftp.example.com with your configured domain.
   • ACCESS-TOKEN with the token from the previous step.
   • USERNAME with the new SFTP username.
   • PASSWORD with a strong password for the user.
   • SSH-PUBLIC-KEY with the user's SSH public key string.

   The "status": 1 field activates the user account. Without it, the user is created in a disabled state and cannot log in.

Data Migration

Transfer files from S3 to your SFTPGo storage backend.

1. If using S3 backend with SFTPGo, configure the same bucket or migrate data between buckets:

   console Copy

   $ aws s3 sync s3://transfer-family-bucket s3://sftpgo-bucket
   

   Explain Code

2. For local filesystem backend, use the AWS CLI to download files:

   console Copy

   $ aws s3 sync s3://transfer-family-bucket ~/sftpgo/data/USERNAME/
   

   Explain Code

3. Set correct ownership on downloaded files.

   console Copy

   $ sudo chown -R 1000:1000 ~/sftpgo/data/
   

   Explain Code

Authentication Migration

Convert AWS IAM-based authentication to SFTPGo methods.

AWS Authentication	SFTPGo Equivalent
SSH Public Keys	Public Keys (direct migration).
IAM User Credentials	Password Authentication.
AWS Directory Service	LDAP Plugin.
Custom Identity Provider	External Authentication Hook.

For custom identity providers, configure an external authentication hook:

1. Create an authentication script or HTTP endpoint that validates credentials.

2. Configure SFTPGo to use external authentication:

   json Copy

   {
     "data_provider": {
       "external_auth_hook": "http://auth-server:8000/validate",
       "external_auth_scope": 0
     }
   }
   

   Explain Code

Client Configuration Updates

Update client applications with the new endpoint information.

1. Document the new connection parameters:

   • Host: sftp.example.com (your SFTPGo server).
   • Port: 2022 (SFTP).
   • Authentication: SSH key or password.
   • Protocol: SFTP.

2. Distribute updated connection profiles to users.

3. Update automated scripts and integrations with the new endpoint.

4. Test each client configuration before decommissioning AWS Transfer Family.

Things to Consider During Migration

Address the following AWS-specific features when migrating:

• IAM Role Permissions: Map IAM policy permissions to SFTPGo user permissions. SFTPGo uses directory-level permissions rather than IAM policies.
• S3 Lifecycle Policies: SFTPGo does not manage S3 lifecycle rules. Configure lifecycle policies directly in your S3-compatible storage provider.
• CloudWatch Logs: Replace CloudWatch logging with SFTPGo's built-in logging, syslog forwarding, or webhook integrations.
• VPC Endpoints: AWS Transfer Family VPC endpoints provide private connectivity. For SFTPGo, use private networks or VPN connections for internal-only access.
• Managed Host Keys: AWS Transfer Family manages SSH host keys automatically. Export the host key from SFTPGo (/var/lib/sftpgo/id_*) and distribute the fingerprint to clients to prevent man-in-the-middle warnings.
• Elastic IPs: If clients rely on static IP addresses, configure a reserved IP on your server.

Conclusion

You have successfully deployed SFTPGo as a self-hosted alternative to AWS Transfer Family using Docker Compose with Traefik for automatic HTTPS. The configuration includes multi-protocol support (SFTP, FTP/S, WebDAV), S3-compatible storage backends, user authentication with SSH keys and passwords, user quotas, bandwidth throttling, IP restrictions, and per-directory permissions. For advanced configuration options including clustering, plugins, and enterprise features, visit the official SFTPGo documentation.