Setting Up Your Own Sync Server

Because Kanbani is built around well-known technologies, it’s very easy to set up your own private server for holding sync data if you don’t want to trust a third-party service (even one as sweet as PDApps!).

SFTP

SFTP is by far the simplest method to set up, and yet quite secure. SFTP (not to be confused with FTP or FTPS) is a file transfer protocol over SSH used by virtually every Unix server out there.

Order a virtual private server (not virtual hosting!) from a hosting provider of your choice. You will receive your server’s IP address, login (username) and a password. Enter this data into Kanbani’s sync profile settings and you are done.

WebDAV

WebDAV was specifically tailored for multi-user distributed access and is the recommended method when multiple clients have a chance of syncing one board at the same time.

Many services support WebDAV under the hood – be it big players like Google Drive and Yandex Disk or OwnCloud – a popular open-source “cloud drive” solution.

Alternatively, you can rely on bare-bones Apache (httpd) if you only need WebDAV for syncing Kanbani data. Edit the configuration file like so, assuming your DocumentRoot is /var/www:

<Directory "/var/www/dav">
    Dav On
</Directory>
DavLockDB /var/run/DavLockDB

Now create an empty directory for DAV (/var/www/dav), enable the module (a2enmod dav_fs) and restart Apache. Use https://your_server/dav as Kanbani’s Base URL.

FTP

Most users should avoid using FTP.

FTP is an old protocol that doesn’t support transport-level encryption. Kanbani’s encryption (if used) makes your data safe, but your FTP credentials, board IDs and other “meta-data” are sent unencrypted over the network (a big problem when using public Wi-Fi).

FTP can still be used in a LAN or over a corporate VPN or other secure tunnel.

One popular Unix FTP server is vsftpd:

  1. Create a new system user: useradd -m kanbani.
  2. Assign it a password: passwd kanbani.
  3. Edit /etc/vsftpd.user_list: enter the string kanbani (it lists users allowed to access the FTP, one login per line).
  4. Edit /etc/vsftpd.conf: below is the minimal configuration, consult man vsftpd.conf for details:
    connect_from_port_20=YES
    listen=YES
    local_enable=YES
    userlist_deny=NO
    userlist_enable=YES
    write_enable=YES
    

Restart vsftpd and test connectivity by executing ftp 127.0.0.1 and entering login credentials. If it works, enter the same credentials into Kanbani’s sync profile (Base URL should be the server’s real IP, not 127.0.0.1).

Security Tips

This section is for system administrators and advanced users.

Public Servers Warning

By default, all protocols allow any client to modify files uploaded by other clients. This is a problem on public servers (sync profiles used by unfamiliar people): unencrypted sync data can be viewed and changed while encrypted data can be corrupted or deleted, disturbing other users.

There is no simple way to address this issue, but “fixing” WebDAV seems easier than the others: it’s HTTP-based and therefore regular URL-based access restrictions can be used. For example, PDApps’ own public WebDAV server requires that the URL contains at least two path components, rejecting requests to / and /foo.

Securing SFTP

Your hosting provider may give you either a username root or some other one. In any case, this user is equivalent to Windows’ Administrator and has special powers over your server. It should not be used if sharing a sync profile with other people (this will allow them to change the password and lock you out).

Instead, create a new, regular user by logging into your server (using putty on Windows) and executing these commands (if you were not given root, prepend each line with sudo + space):

useradd -m kanbani
passwd kanbani

Now use kanbani instead of root in the sync profile.

Furthermore, you can restrict this user to SFTP access only. Add these lines to /etc/ssh/sshd_config and reload ssh:

Match User kanbani
    ForceCommand internal-sftp

Note: Kanbani supports SSH keys instead of passwords; keys are more secure but sharing them is more difficult: only their local device path is encoded in the QR code and you have to manually transfer the actual key file to the device.
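
To confirm that the restriction is in place, this added example (not part of the Kanbani documentation) statically checks an sshd_config for the Match User block shown above. The function names and the sample configuration are constructed for illustration, and only literal user names on the Match line are recognised.

```shell
#!/bin/sh
# Added example, not from the Kanbani docs. Simplification: only literal names
# in "Match User a,b" are recognised (no wildcards or negation; any further
# criteria on the Match line are ignored).

# sftp_only_status CONFIG USER  ->  restricted | unrestricted | no-match
# CONFIG may be "-" to read standard input.
sftp_only_status() {
    awk -v user="$2" '
        /^[ \t]*#/ || NF == 0 { next }       # comments and blank lines
        tolower($1) == "match" {             # a Match line ends the previous block
            inblock = 0
            if (tolower($2) == "user") {
                n = split($3, names, ",")
                for (i = 1; i <= n; i++)
                    if (names[i] == user) { inblock = 1; seen = 1 }
            }
            next
        }
        # sshd uses the first value obtained for a keyword, so only the
        # first ForceCommand inside a matching block counts.
        inblock && !decided && tolower($1) == "forcecommand" {
            decided = 1
            forced = ($2 == "internal-sftp")
        }
        END {
            if (forced)    print "restricted"
            else if (seen) print "unrestricted"
            else           print "no-match"
        }
    ' "$1"
}

# Constructed sample configuration (not taken from a real server).
sample_config() {
    cat <<'EOF'
# global section
Subsystem sftp internal-sftp

Match User backup
    X11Forwarding no

match user deploy,kanbani
    forcecommand internal-sftp
EOF
}
for u in kanbani backup root; do
    printf '%s: %s\n' "$u" "$(sample_config | sftp_only_status - "$u")"
done
```

On a live server, sshd -T -C user=kanbani prints the effective settings for that user, including forcecommand (older OpenSSH releases also require host= and addr= in the -C specification).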

Securing WebDAV

If using Apache as explained above, your WebDAV directory is accessible to anyone who knows its URL, including various robots. It’s recommended to protect it with a login/password combination.

Add this to your configuration file:

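<Directory "/var/www/dav">
    # AuthType and AuthName must be set for Require valid-user to work;
    # the AuthName text is only a label shown in the login prompt.
    AuthType Basic
    AuthName "Kanbani sync"
    AuthUserFile /etc/dav.passwd
    Require valid-user
</Directory>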

Run this command to set the password:

htpasswd -c /etc/dav.passwd kanbani

Securing FTP

As with the SFTP setup, vsftpd users can also access the server via SFTP and SSH by default. To restrict them to FTP only, add check_shell=NO to /etc/vsftpd.conf and run usermod -s /bin/false kanbani.

To allow SFTP and FTP access but deny SSH, add the Match User block to sshd_config as described above.