
What is an SFTP proxy (or SFTP gateway)?

An SFTP proxy sits between SFTP clients and a backend store, translating SFTP into something else (often cloud object storage). Here's what it does, why you'd use one, and how it differs from an SFTP server.

An SFTP proxy (also called an SFTP gateway) is a service that speaks SFTP to clients on one side and talks to a different backend on the other, translating between the two. The most common use today is bridging SFTP and cloud object storage: clients connect with an ordinary SFTP client, and their files land in Amazon S3, Azure Blob, or Google Cloud Storage.

Proxy vs server: the distinction

  • A traditional SFTP server (OpenSSH, FileZilla Server) stores files on its own local disk. The SFTP session and the storage are the same machine.
  • An SFTP proxy/gateway doesn’t store files itself. It accepts the SFTP session, then reads and writes the bytes to a separate backend, usually cloud object storage. The storage and the protocol are decoupled.

That decoupling is the whole point: you get an SFTP interface on top of storage that doesn’t natively speak SFTP, without that storage having to change.

Why use one

  • Your storage doesn’t speak SFTP. S3, Azure Blob, GCS, and S3-compatible stores expose HTTP APIs, not SFTP. A proxy gives them an SFTP front door. See how an SFTP proxy works.
  • You don’t want to run a server. A managed proxy means no patching, scaling, or disk to manage.
  • You want files in storage you own. A bring-your-own-bucket proxy keeps data in your own cloud account, rather than on a vendor’s platform.
  • You need per-user access and audit on top of storage that has no concept of “SFTP users”. The proxy adds credentials, path jails, and an audit trail.

What a good SFTP proxy adds

  • Per-user credentials (SSH keys or passwords), each path-jailed to its own prefix.
  • Least-privilege backend access: the proxy reaches your storage through a scoped role or key that you can revoke.
  • An audit trail of connections and transfers.
  • Instant revoke and, ideally, source-IP pinning per credential.
  • Graceful handling of the places object storage isn’t a filesystem (no in-place edit, no atomic rename), failing loudly rather than corrupting data.
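
As an added example, not code from any particular proxy: one way to implement the per-user path jail from the list above, mapping an SFTP client path onto an object key under the user's prefix. The function names, the `tenants/alice` prefix and the choice to reject `..` at the root rather than clamp it are assumptions.

```python
import posixpath


class JailError(ValueError):
    """The client path cannot be mapped inside the user's prefix."""


def normalize_prefix(prefix: str) -> str:
    # The trailing "/" matters: object keys are flat strings, so a jail of
    # "tenants/alice" without it would also match "tenants/alice-admin/...".
    cleaned = prefix.strip("/")
    if not cleaned or any(s in ("", ".", "..") for s in cleaned.split("/")):
        raise JailError(f"invalid jail prefix: {prefix!r}")
    return cleaned + "/"


def to_object_key(jail_prefix: str, client_path: str, cwd: str = "/") -> str:
    """Map an SFTP path (absolute, or relative to cwd) to a key in the jail."""
    if "\x00" in client_path:
        raise JailError("NUL byte in path")
    prefix = normalize_prefix(jail_prefix)
    # Resolve against the user's virtual root. Object stores treat ".." as a
    # literal key segment, so it has to be resolved here, before the backend.
    stack = []
    for seg in posixpath.join("/", cwd, client_path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                # Assumption: reject instead of clamping at the root.
                raise JailError(f"path escapes jail: {client_path!r}")
            stack.pop()
        else:
            stack.append(seg)
    return prefix + "/".join(stack)


def key_in_jail(jail_prefix: str, key: str) -> bool:
    """Check a key returned by the backend (e.g. from a listing) before use."""
    return key.startswith(normalize_prefix(jail_prefix))


if __name__ == "__main__":
    # Constructed sample paths for a user jailed to "tenants/alice".
    for p in ("reports/q1.csv", "/a/./b/../c.txt", "/../bob/secret"):
        try:
            print(p, "->", to_object_key("tenants/alice", p))
        except JailError as exc:
            print(p, "-> rejected:", exc)
```

The same prefix should also bound the backend role or key, so that a bug in the mapping cannot reach another user's objects.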

Proxy vs hosted platform

An SFTP proxy is not the same as a hosted file-transfer platform (Files.com, ExaVault). A proxy is a thin translation layer in front of your storage; a platform typically stores your files on its service and bundles a broad feature set. If all you need is an SFTP interface onto a bucket you own, a proxy is the lighter, cheaper fit. The trade-offs are in SFTP gateway vs MFT.

In short

An SFTP proxy gives cloud object storage an SFTP interface it doesn’t have on its own, while keeping your files in storage you control and adding the user management, jailing, and auditing that raw object storage lacks. To see one in action on your own bucket, start with SFTP to S3.
