Restic uses the sha256 hash to calculate filenames based on the file
content. Check on the rest-server side that the uploaded file is intact
and reject it otherwise.
Restore the previous behaviour where the Prometheus /metrics endpoint
required auth if auth was enabled.
A new -prometheus-no-auth flag allows you to override this and disable
auth for that specific endpoint.
- Helper method for internal server errors with consistent logging.
- Add PanicOnError option to panic on internal server errors. This
makes it easier to traces where the condition was hit in testing.
- Do not allow '.' as path component, because it undermines depth
checks, and add tests
- Fix GiB reporting
- Fix metrics label
- Helper function for http errors
This contains all the glue to make Server use the new repo.Handler:
- Remove all old handlers
- Add ServeHTTP to make Server a single http.Handler
- Remove Goji routing and replace by net/http and custom routing logic
Additionally, this implements two-level backup repositories.
Refactor the old HTTP handlers to fit the purpose of the new
http.Handler:
- repo.New function to instantiate a handler for a single repo (can be done
dynamically for every request)
- Single ServeHTTP entrypoint
- Move quota management to two methods that will be implemented later
(stubs for now)
- Move metrics update to an external function (BlobMetricFunc type)
- Use constants and options for file modes
The systemd administrator may wish to use additional resource control
facilities which systemd provides. Document the existence of these, and
provide some example options in commented form.
The supplied systemd unit file places some basic security restrictions
on the rest service. This patch enhances those, and improves the
overall security assessment score given by `systemd-analyze security`
from "8.3 EXPOSED" to "1.3 OK".
Closes#148
Using docker's multi-stage builds we can build the restic/rest-server
within a golang build environment then create a container for use
(without the build environment) in a second build stage.
The advantages are:
1. Building the rest-server is predictable in a pristine environment
each time.
2. Container builds ensure we get the latest rest-server every time.
Updated README with details of new docker build approach, and added
changelog for unreleased changes.
"/" is valid char in HTTP authorization headers, but is also used in
rest-server to map usernames to private repos.
This commit prevents loading maliciously composed usernames like
"/foo/config" by restricting the allowed characters to the unicode
character class, numbers, "-", "." and "@".
Closes#131
In addition to any existing filesystem restrictions on the (www-data)
backup user these config options uses namespaces and other kernel
features to further restrict what the _rest-server_ is allowed to do.
* `ProtectSystem=strict` and `ReadWritePaths=/path/to/backups` ensures
that the _rest-server_ is only allowed to write to its data directory.
* `ProtectHome=yes` and `PrivateTmp=yes` limits what the _rest-server_
gets (read) access to.
* `NoNewPrivileges=yes` prevents the _rest-server_ from using setuid
binaries, etc to escalate its privileges.
See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
for further details
While at I also replaced the _/tmp/restic_ path with a more explicit
placeholder path. Given that one rarely wants to backup to _/tmp_ I
figured it better to force a choice of path rather than to have
someone accidentally end up using _/tmp/restic_ for their backups.
