Secure File Transfer On-Premises with Docker — Xferity Deployment Guide
This guide covers deploying Xferity as a secure, self-hosted managed file transfer (MFT) platform using Docker or Docker Compose on your own infrastructure.
Why self-hosted on Docker
Teams choose self-hosted Docker deployment when they need:
- Direct control over where transfer runtime and data live
- No mandatory cloud dependencies or SaaS transfer service
- Consistent deployment across environments (staging, production)
- Integration with existing container infrastructure
- Air-gapped or restricted-network operation
Option A: Single container (file-backed, no database)
Use this for simple deployments without a database dependency.
1. Pull or build the image
The repository includes a multi-stage Dockerfile.

```sh
docker build -t xferity:latest .
```

2. Prepare runtime directories

```
/app/config/   # global config and partner YAML files
/app/flows/    # flow YAML files
/app/state/    # local state files
/app/logs/     # application logs
/app/audit/    # audit JSONL file
/app/storage/  # staging and landing paths
/app/keys/     # PGP keys and certificates
```

Create the matching host directories before the first run and make them writable by the UID of the non-root user the image runs as; otherwise the container cannot write state, logs or audit records.

3. Run the container

```sh
# -e SFTP_PASSWORD is acceptable for a local trial only. In production supply the
# credential as a secret reference instead (see "Security hardening for Docker
# deployment" below); an environment variable is visible in `docker inspect`.
docker run -d \
  -v /host/config:/app/config \
  -v /host/flows:/app/flows \
  -v /host/state:/app/state \
  -v /host/logs:/app/logs \
  -v /host/audit:/app/audit \
  -v /host/storage:/app/storage \
  -v /host/keys:/app/keys \
  -e SFTP_PASSWORD=your-secret \
  -p 8080:8080 \
  xferity:latest run-service my-flow --interval-seconds 300
```

Option B: Docker Compose with PostgreSQL (full feature set)

Use this for production deployments with the full control plane.
1. Use the included Compose file
The repository includes docker-compose.yml with the xferity service and mounts for all runtime paths.

```sh
docker compose up xferity
```

2. Add PostgreSQL for full features

```yaml
services:
  postgres:
    image: postgres:15
    environment:
      POSTGRES_DB: xferity
      POSTGRES_USER: xferity
      POSTGRES_PASSWORD_FILE: /run/secrets/pg_password
    # The stock postgres image has TLS switched off, so the client's
    # sslmode=require below fails until the server is given a certificate and
    # started with ssl=on, for example:
    # command: ["postgres", "-c", "ssl=on", "-c", "ssl_cert_file=/certs/server.crt", "-c", "ssl_key_file=/certs/server.key"]
    volumes:
      - pgdata:/var/lib/postgresql/data
    secrets:
      - pg_password

  xferity:
    image: xferity:latest
    depends_on:
      - postgres
    volumes:
      - ./config:/app/config
      - ./flows:/app/flows
      - ./state:/app/state
      - ./logs:/app/logs
      - ./audit:/app/audit
      - ./storage:/app/storage
      - ./keys:/app/keys
    environment:
      STATE_BACKEND: postgres
      # ${PG_PASSWORD} is expanded by Compose from the shell environment or a
      # .env file on the host and must equal the contents of the pg_password
      # secret file; keep that .env file out of version control.
      POSTGRES_DSN: "postgres://xferity:${PG_PASSWORD}@postgres:5432/xferity?sslmode=require"
    secrets:
      - pg_password
    ports:
      # Binds every host interface; use "127.0.0.1:8080:8080" when a reverse
      # proxy on the host terminates TLS for the UI.
      - "8080:8080"

# Top-level declarations referenced by the services above.
volumes:
  pgdata:

secrets:
  pg_password:
    file: ./secrets/pg_password
```

Security hardening for Docker deployment

Use secret references — never plaintext environment variables in production

Instead of SFTP_PASSWORD=mypassword, use Docker secrets:
```sh
echo "mypassword" | docker secret create sftp_password -
```

`docker secret create` requires Swarm mode (`docker swarm init`); with plain Docker Compose, declare the secret under a top-level `secrets:` key with `file:` pointing at a host file, and Compose mounts it at the same `/run/secrets/` path. Piping a literal as above also leaves the password in shell history; passing the path of a file holding the password as the last argument instead of `-` avoids that.

Reference in config:

```yaml
auth:
  password: file:/run/secrets/sftp_password
```

Enable hardened mode

Add to global config:

```yaml
security:
  hardened_mode: true
```

With hardened mode enabled, Xferity refuses to start if:
- Plaintext credentials are found in sensitive config fields
- Postgres `sslmode` is set to `disable`
- SFTP hosts have `allow_insecure_host_key: true`
- FTPS partners have `skip_verify: true`
- The UI is exposed without authentication configuration
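As an added example (not Xferity's own code) of putting the same rules in front of a deploy: a shell pre-start check that scans the mounted config and flow directories for the settings hardened mode rejects, so a bad configuration fails in CI or in the deploy script instead of at container start. It assumes settings appear as `key: value` YAML lines, and treats `file:` and `env:` (the two providers this guide names) as the only safe credential references; any other provider prefix is an assumption you add to `SAFE_REFS`.

```shell
#!/usr/bin/env sh
# Added pre-start lint, not part of Xferity. Mirrors the hardened-mode refusals:
# plaintext credentials, sslmode=disable, allow_insecure_host_key: true,
# skip_verify: true. Assumes YAML "key: value" layout; adjust the patterns if
# your files differ.

# Credential references considered safe. file: and env: come from the guide;
# other provider prefixes (assumed to also appear as "prefix:") go here.
SAFE_REFS=${SAFE_REFS:-'file:|env:'}

# Return 0 if <dir> is clean, 1 if any offending line is found (lines are printed).
lint_xferity_config() {
  dir=$1
  rc=0

  # 1. Settings hardened mode refuses outright.
  if grep -rnE 'sslmode=disable|allow_insecure_host_key:[[:space:]]*true|skip_verify:[[:space:]]*true' "$dir"; then
    rc=1
  fi

  # 2. password: fields must be secret references, not literals. The first grep
  #    selects the fields, the second drops lines whose value is a safe
  #    reference, so anything that survives is a plaintext (or empty) credential.
  if grep -rnE '^[[:space:]]*password:' "$dir" | grep -vE "password:[[:space:]]*\"?(${SAFE_REFS})"; then
    rc=1
  fi

  return $rc
}

# Return 0 if hardened_mode: true is set somewhere under the global config dir.
require_hardened_mode() {
  grep -rqE 'hardened_mode:[[:space:]]*true' "$1" \
    || { echo "hardened_mode: true not set under $1" >&2; return 1; }
}

# Usage: sh xferity-lint.sh /host/config /host/flows
# (first argument is the global config tree, all arguments are linted)
if [ $# -gt 0 ]; then
  require_hardened_mode "$1" || exit 1
  for d in "$@"; do lint_xferity_config "$d" || exit 1; done
fi
```

Run it against the same host directories you bind-mount into the container, before `docker run` or `docker compose up`.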
Mount audit log to a durable host path
```yaml
volumes:
  - /persistent/audit:/app/audit
```

Audit logs should persist on the host — not inside the container. A bind mount or a named volume survives container replacement; anything written to an unmounted path lives in the container's writable layer and is gone when the container is removed. For evidence retention, export or ship to an external system.
Lock down container permissions
The Xferity Dockerfile creates a non-root user. Do not override this: no `--user root` on `docker run`, no `user: root` in Compose, no `USER root` in a derived image. If a bind-mounted host directory is not writable by that user, change the ownership or mode of the host directory to match the container user's UID rather than running the container as root.
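A hardened form of the Option A `docker run` from earlier in this guide, as an added example rather than the project's own command: it keeps the image's non-root user and adds the standard Docker confinement flags. Assumptions: Xferity writes only under the mounted `/app/state`, `/app/logs`, `/app/audit`, `/app/storage` paths and `/tmp` (so `--read-only` with config, flows and keys mounted read-only is safe), the SFTP password is a file mounted at `/run/secrets/sftp_password` and referenced with `file:` in config, and the UI sits behind a TLS-terminating reverse proxy on the same host, which is why port 8080 is bound to 127.0.0.1 only.

```shell
#!/usr/bin/env sh
# Added example, not the Xferity project's own run script: Option A's docker run
# with container confinement added. Paths under /host and the flow name are the
# guide's placeholders. Set DOCKER=echo to preview the command without running it.
DOCKER=${DOCKER:-docker}

# Start Xferity as a confined, single-container service.
# Usage: xferity_run_hardened <flow-name> [host-dir]
xferity_run_hardened() {
  flow=${1:-my-flow}
  host=${2:-/host}
  # --read-only / --tmpfs: the image filesystem is immutable at runtime; only the
  #   bind-mounted /app/* paths and a small noexec /tmp are writable (assumes
  #   Xferity writes nowhere else).
  # --cap-drop ALL: the process is the Dockerfile's non-root user and binds an
  #   unprivileged port, so it needs no Linux capabilities.
  # --security-opt no-new-privileges: setuid/setgid binaries in the image cannot
  #   raise privileges.
  # --pids-limit / --memory: bound a runaway or exploited worker.
  # The SFTP password is a mounted file, read via "password: file:/run/secrets/..."
  #   in config, so no credential appears in `docker inspect` or the environment.
  # 127.0.0.1:8080 keeps the UI off external interfaces; front it with a
  #   TLS-terminating reverse proxy.
  "$DOCKER" run -d --name xferity \
    --read-only \
    --tmpfs /tmp:rw,noexec,nosuid,size=64m \
    --cap-drop ALL \
    --security-opt no-new-privileges \
    --pids-limit 256 \
    --memory 1g \
    -v "$host/config:/app/config:ro" \
    -v "$host/flows:/app/flows:ro" \
    -v "$host/state:/app/state" \
    -v "$host/logs:/app/logs" \
    -v "$host/audit:/app/audit" \
    -v "$host/storage:/app/storage" \
    -v "$host/keys:/app/keys:ro" \
    -v "$host/secrets/sftp_password:/run/secrets/sftp_password:ro" \
    -p 127.0.0.1:8080:8080 \
    xferity:latest run-service "$flow" --interval-seconds 300
}

# Usage: sh xferity-run.sh my-flow /host
if [ $# -gt 0 ]; then
  xferity_run_hardened "$1" "${2:-/host}"
fi
```

The Compose equivalents are `read_only: true`, `tmpfs:`, `cap_drop: [ALL]`, `security_opt: ["no-new-privileges:true"]`, `pids_limit:` and `mem_limit:` (or `deploy.resources.limits`) on the xferity service.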
SFTP and FTPS partner trust in Docker
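Both pins described in this section need a value from a trusted source. Added example, not the Xferity project's own tooling: shell helpers that capture a partner's SSH host key fingerprint and FTPS certificate fingerprint so they can be compared against what the partner published (mail, portal, contract) before being written into config. Capturing a fingerprint from the live endpoint and pinning it without that comparison is trust-on-first-use, not verification. Assumptions: the OpenSSH client tools and OpenSSL are installed on the admin host; the SFTP helper yields the `SHA256:` base64 form this guide shows for `host_key_fingerprint`, while OpenSSL prints the certificate digest as colon-separated hex, so confirm the encoding `server_cert_fingerprint` expects before copying it in.

```shell
#!/usr/bin/env sh
# Added helpers, not part of Xferity: capture partner fingerprints for pinning.
# Requires ssh-keyscan/ssh-keygen (OpenSSH) and openssl on the admin host.

# Pull the "SHA256:..." token out of `ssh-keygen -l` output,
# e.g. "256 SHA256:abc... sftp.partner.example (ED25519)".
extract_sha256_token() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SHA256:/) { print $i; exit } }'
}

# SHA256 fingerprint of an SFTP server's host key, in OpenSSH's base64 form,
# i.e. the form host_key_fingerprint uses in this guide.
# Usage: sftp_host_fingerprint sftp.partner.example [22] [ed25519|rsa|ecdsa]
sftp_host_fingerprint() {
  host=$1; port=${2:-22}; keytype=${3:-ed25519}
  ssh-keyscan -p "$port" -t "$keytype" "$host" 2>/dev/null \
    | ssh-keygen -lf - -E sha256 \
    | extract_sha256_token
}

# SHA-256 fingerprint of an FTPS server's certificate, as openssl prints it
# (colon-separated hex). Explicit FTPS on 21 uses STARTTLS; for implicit FTPS
# on 990 drop "-starttls ftp".
# Usage: ftps_cert_fingerprint ftps.partner.example [21]
ftps_cert_fingerprint() {
  host=$1; port=${2:-21}
  openssl s_client -starttls ftp -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 \
    | sed 's/^.*Fingerprint=//'
}

# Exact comparison of a published value against an observed one. An empty
# expected value never matches, so a missing pin cannot pass silently.
# Usage: fingerprint_matches "$published" "$observed"
fingerprint_matches() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Usage: sh partner-fingerprints.sh sftp.partner.example "SHA256:<published>"
if [ $# -ge 2 ]; then
  observed=$(sftp_host_fingerprint "$1")
  if fingerprint_matches "$2" "$observed"; then
    echo "host key matches published fingerprint: $observed"
  else
    echo "MISMATCH: observed $observed, published $2" >&2
    exit 1
  fi
fi
```

Run the capture from a network position you trust, compare against the partner's published value, and only then put the string into the partner YAML; keep the published value in the change ticket so a later mismatch can be investigated rather than overridden.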
SFTP: host key fingerprint

The fingerprint approach works cleanly in Docker — no file mounting needed:

```yaml
host_key_fingerprint: "SHA256:abc123..."
```

Or mount a known_hosts file:

```yaml
known_hosts: file:/app/keys/partners/acme_known_hosts
```

FTPS: certificate fingerprint

```yaml
server_cert_fingerprint: "SHA256:xyz789..."
```

A pinned certificate fingerprint stops matching when the partner rotates its certificate, so agree on rotation notice with the partner and treat an unexpected mismatch as a security event, not as a reason to set `skip_verify`.

Air-gapped Docker deployment

Xferity requires no mandatory outbound internet connections:
- License validation is local by default
- No phone-home or telemetry
- HashiCorp Vault, AWS SM, Azure KV are all optional
- `env:` and `file:` secret providers work fully offline
- Local AES-256 vault works in Postgres-backed mode without external services
For fully offline installations:
- Build the Docker image in a connected environment
- Export: `docker save xferity:latest > xferity.tar`
- Transfer to the air-gapped host
- Import: `docker load < xferity.tar`
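The export and import steps above, as an added example (not part of the Xferity guide) that adds an integrity check across the gap: the connected side records the image ID and a SHA-256 of the tarball, and the isolated side refuses to `docker load` unless the checksum matches, then confirms the loaded image ID. A checksum file carried on the same medium as the tarball only catches corruption; to catch tampering, carry the hash by a second channel (read it over the phone, sign it, print it on the transfer ticket) and compare against that copy. Paths and the image tag are placeholders; `sha256sum` is assumed, with `shasum -a 256` as the fallback.

```shell
#!/usr/bin/env sh
# Added example, not Xferity's own tooling: docker save / docker load with an
# integrity check for the air gap. Paths and the image tag are placeholders.

# Pick a SHA-256 tool: coreutils sha256sum, else Perl shasum (macOS).
sha256_tool() {
  if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

# Write <file>.sha256 beside <file>, using a relative name so it verifies anywhere.
write_checksum() {
  dir=$(dirname "$1"); base=$(basename "$1")
  ( cd "$dir" && $(sha256_tool) "$base" > "$base.sha256" )
}

# Return 0 only if <file> matches the <file>.sha256 written by write_checksum.
verify_checksum() {
  dir=$(dirname "$1"); base=$(basename "$1")
  [ -r "$dir/$base.sha256" ] || return 1
  ( cd "$dir" && $(sha256_tool) -c "$base.sha256" >/dev/null 2>&1 )
}

# Connected side. Usage: export_image xferity:latest ./out
# Produces xferity.tar, xferity.tar.sha256 and xferity.image-id.
export_image() {
  image=$1; outdir=${2:-.}
  mkdir -p "$outdir"
  docker save "$image" > "$outdir/xferity.tar"
  docker image inspect --format '{{.Id}}' "$image" > "$outdir/xferity.image-id"
  write_checksum "$outdir/xferity.tar"
}

# Air-gapped side. Usage: import_image ./in/xferity.tar xferity:latest
# Refuses to load on checksum mismatch; after loading, checks that the image ID
# (digest of the image config, preserved by save/load) equals the recorded one.
import_image() {
  tar=$1; image=${2:-xferity:latest}
  idfile=$(dirname "$tar")/xferity.image-id
  verify_checksum "$tar" || { echo "checksum mismatch: not loading $tar" >&2; return 1; }
  docker load < "$tar"
  if [ -r "$idfile" ]; then
    loaded=$(docker image inspect --format '{{.Id}}' "$image")
    [ "$loaded" = "$(cat "$idfile")" ] || { echo "image ID mismatch: $loaded" >&2; return 1; }
  fi
}
```

Keep `xferity.image-id` with the change record as well: it is the value to compare against `docker image inspect` on the isolated host at any later point, not only at import time.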
Health and monitoring in Docker
Section titled “Health and monitoring in Docker”Liveness and readiness
Section titled “Liveness and readiness”healthcheck: test: ["CMD", "wget", "-q", "-O-", "http://localhost:8080/health/worker"] interval: 30s timeout: 5s retries: 3/health/worker is unauthenticated — safe for container orchestration probes.
Prometheus scraping
Add a Prometheus scrape job to your monitoring stack pointing at /metrics. The endpoint requires authenticated admin access, so the scrape job needs credentials: use Prometheus's `basic_auth` or `authorization` block with the secret in a `password_file` or `credentials_file` rather than inline in the scrape configuration.
Xferity supports
- AS2 (with MDN)
- SFTP / FTPS
- OpenPGP + CMS
- Durable job execution
- Retry and resume
- Air-gapped deployment