Something Old, Something New, Something Borrowed, Something Something Something
It’s been a few months since I posted anything technology related, primarily because there hasn’t been much going on at work. We’ve been prepping for an A&A (Assessment & Authorization) review, which should lead to our receiving a favorable ATO (Authority To Operate). The A&A is basically a technological colonoscopy of every vulnerability of every piece of software you have, may have, would like to have, or thought you should have. God help you if you forget something. Our document was, if I recall correctly, around 125 pages long and covered over 700 distinct pieces of software. It took three people almost 4 months to write it, and for the last 7 months it’s been sitting in the mailbox queue of the cybersecurity office. One of those pieces of software is Nextcloud, an open source web-based file sharing system.
What’s made Nextcloud sort of a big deal for my program is the potential it offers. You see, the purpose of the program I’m on is to facilitate collaboration between scientists and engineers of the AFRL (Air Force Research Laboratory). There are around 7,000 of them scattered all across the US at a couple dozen research laboratories, and getting data from DREN (Defense Research and Engineering Network) to NIPRNet (Non-classified Internet Protocol Router Network) and back has been a HUUUUUUUUGE problem.
That’s where my project comes in. Currently we offer SFTP services for users, but let’s face it – our scientists and engineers may be massive nerds and super intelligent men and women, but some of them would rather face a firing squad than try to use Linux. So about 11 months ago I was tasked with implementing a Nextcloud server to determine feasibility. That was relatively easy, and successful, so we proceeded to Stage 2, which involved customizing the system to move massive files. The AFRL CITO council either wanted to shoot for the moon, or they wanted to permanently ground the project, so the primary condition for grading success was being able to reliably upload and download a 10GB file.
It took me a couple months to work some of the kinks out. First I had to overcome the limitations of our servers, specifically that we used a Red Hat variant, and one of the sticking points is they haven’t upgraded PHP beyond version 5.4, and in order to move a file larger than 1.5GB I needed to use PHP 5.6 or higher. Once that hurdle was overcome there was the issue of access and authorization, but fortunately Nextcloud had an LDAP module that just needed the right information to get working. I kept tweaking the php.ini files until not only had I met the goal of 10GB file transfer, but blown it away by getting up to 20GB. 20GB file transfers using HTTPS is a pretty big deal, and with a 10 Gb/s pipe a file that large takes about 2 minutes to transfer. Tests all showed the system was reliable and damn near idiot-proof.
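The php.ini tuning mentioned above comes down to a handful of PHP directives, and the trap is that they have to agree with each other: upload_max_filesize caps a single file, post_max_size caps the whole request body (so it must be at least as large), and max_input_time / max_execution_time have to cover the time the transfer actually takes. The checker below is an added example, not the author’s configuration and not Nextcloud code. The directive names and their stock defaults are PHP’s own; the two ini snippets are constructed samples, and the throughput figure is an assumption derived from the "20GB in about 2 minutes" observation in the post.

```python
"""Check php.ini upload limits against a target single-request upload size.

Added illustration. Directive names and defaults are PHP's; the ini text
below is constructed sample input, not a real server's configuration.
"""
import re

GiB = 1024 ** 3

# Constructed sample: stock php.ini values, which cap uploads at 2 MB.
STOCK_INI = """\
; stock limits (constructed example)
upload_max_filesize = 2M
post_max_size = 8M
max_execution_time = 30
max_input_time = 60
"""

# Constructed sample: values sized for a 20 GiB single-request upload.
LARGE_INI = """\
; raised limits (constructed example)
upload_max_filesize = 21G
post_max_size = 21G
max_execution_time = 3600
max_input_time = 3600
"""


def php_shorthand_to_bytes(value):
    """PHP shorthand byte notation: integer with optional K/M/G suffix,
    binary multipliers. "0" and "-1" come back unchanged so the caller can
    decide whether they mean 'unlimited' for a given directive."""
    m = re.fullmatch(r"\s*(-?\d+)\s*([kKmMgG]?)\s*", value)
    if not m:
        raise ValueError("not a PHP size value: %r" % value)
    mult = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}[m.group(2).lower()]
    return int(m.group(1)) * mult


def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, sections ignored."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, val = line.partition("=")
        if sep:
            directives[key.strip()] = val.strip().strip('"')
    return directives


def check_upload_limits(ini_text, target_bytes, throughput_bytes_per_s):
    """Return the directives that would block an un-chunked upload of
    target_bytes; an empty list means the configuration admits it.

    Rules applied (PHP semantics, defaults are PHP's stock values):
      * upload_max_filesize caps each file; 0 is a real zero, not unlimited.
      * post_max_size caps the request body, so it must be at least the
        larger of upload_max_filesize and the target; 0 disables the cap.
      * max_input_time (-1 = unlimited) bounds body receive time and
        max_execution_time (0 = unlimited) bounds script run time; both must
        cover the transfer at the assumed throughput.
    """
    d = parse_ini(ini_text)
    problems = []

    upload_max = php_shorthand_to_bytes(d.get("upload_max_filesize", "2M"))
    if upload_max < target_bytes:
        problems.append("upload_max_filesize")

    post_max = php_shorthand_to_bytes(d.get("post_max_size", "8M"))
    if post_max != 0 and post_max < max(upload_max, target_bytes):
        problems.append("post_max_size")

    seconds_needed = target_bytes / throughput_bytes_per_s
    input_time = int(d.get("max_input_time", "-1"))
    if input_time != -1 and input_time < seconds_needed:
        problems.append("max_input_time")
    exec_time = int(d.get("max_execution_time", "30"))
    if exec_time != 0 and exec_time < seconds_needed:
        problems.append("max_execution_time")

    return problems


if __name__ == "__main__":
    # Assumed throughput: 20 GiB in roughly 2 minutes, as the post reports.
    rate = 20 * GiB / 120
    for name, ini in (("stock", STOCK_INI), ("raised", LARGE_INI)):
        print(name, check_upload_limits(ini, 20 * GiB, rate) or "ok")
```

Run against the stock snippet it flags all four directives; against the raised snippet it reports nothing. The script only covers the PHP side: the web server in front of PHP has its own request-body and timeout limits, and Nextcloud’s own large-file documentation walks through those as well.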
And there it sat for the next 8-9 months. I was the only person using it, because I was the only person who could access it. I’d been ordered to disable LDAP so no one could log into the system, so instead of letting it go to waste I used it to transfer files back and forth from DREN to NIPRnet and back. I made it something of a humorous note that at our bi-weekly meetings I would always demand that Nextcloud be given its moment in the sun. I was firmly convinced (and I still am) that Nextcloud was going to be a game-changer for us. Still, nothing.
Then the director of the AFRL got a gander at the A&A queue and flipped his lid when he saw that our packet had been sitting there for over 8 months. Fires were lit, asses were toasted, and new gears were found to kick things into motion.
As I’d been waiting for the heat death of the universe I’d done additional research and casually mentioned that it might be possible to use Nextcloud as the front-end for our SFTP servers. Our government project manager looked like I’d handed him the golden ticket and the memo went out – “Get that shit tested and confirmed!” It took me a couple days, but I tested it and confirmed we were good to go and even wrote up a “Nextcloud as SFTP Front-End for Dummies” guide (I kid you not, that’s exactly what I named the document, and no one fought me too hard on the naming). I enabled an add-on, tested with a number of accounts to confirm it worked, then took screenshots and made a pretty paint-by-numbers document so simple a 10-year-old could do it (which, by the way, we actually had try it out).
I was beyond stoked, and it’s probably one of my proudest achievements as a systems administrator. In another post I’ll document all the steps that went into getting a Red Hat/CentOS-derived distro working and running Nextcloud 12 with PHP 5.6.30, and capable of transferring 20GB files.