Merge pull request #364 from mattxtaz/master

Remove full stop from log line to be consistent with all other log lines

.github/dependabot.yml

@@ -5,6 +5,10 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "weekly"
+    groups:
+      golang-x-deps:
+        patterns:
+          - "golang.org/x/*"
 
   # Dependencies listed in .github/workflows/*.yml
   - package-ecosystem: "github-actions"

.github/workflows/tests.yml

@@ -13,28 +13,40 @@ permissions:
   contents: read
 
 env:
-  latest_go: "1.23.x"
+  latest_go: "1.25.x"
   GO111MODULE: on
 
 jobs:
   test:
     strategy:
       matrix:
-        go:
-          - 1.23.x
-          - 1.22.x
-    runs-on: ubuntu-latest
-    name: Go ${{ matrix.go }}
+        include:
+          - job_name: Linux
+            go: 1.25.x
+            os: ubuntu-latest
+            check_changelog: true
+
+          - job_name: Linux (race)
+            go: 1.25.x
+            os: ubuntu-latest
+            test_opts: "-race"
+
+          - job_name: Linux
+            go: 1.24.x
+            os: ubuntu-latest
+
+    name: ${{ matrix.job_name }} Go ${{ matrix.go }}
+    runs-on: ${{ matrix.os }}
 
     env:
       GOPROXY: https://proxy.golang.org
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Go ${{ matrix.go }}
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ matrix.go }}
 
@@ -46,7 +58,7 @@ jobs:
 
       - name: Run local Tests
         run: |
-          go test ./...
+          go test -cover ${{matrix.test_opts}} ./...
 
       - name: Check changelog files with calens
         run: |
@@ -55,6 +67,7 @@ jobs:
 
           echo "check changelog files"
           calens
+        if: matrix.check_changelog
 
   lint:
     name: lint
@@ -65,18 +78,18 @@ jobs:
       checks: write
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Go ${{ env.latest_go }}
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ env.latest_go }}
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v9
         with:
           # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
-          version: v1.63.4
+          version: v2.4.0
           args: --verbose --timeout 5m
 
         # only run golangci-lint for pull requests, otherwise ALL hints get

.golangci.yml

@@ -1,56 +1,47 @@
-# This is the configuration for golangci-lint for the restic project.
-#
-# A sample config with all settings is here:
-# https://github.com/golangci/golangci-lint/blob/master/.golangci.example.yml
-
+version: "2"
 linters:
   # only enable the linters listed below
-  disable-all: true
+  default: none
   enable:
+    - asciicheck
+    # ensure that http response bodies are closed
+    - bodyclose
+    - copyloopvar
     # make sure all errors returned by functions are handled
     - errcheck
-
-    # show how code can be simplified
-    - gosimple
-
-    # make sure code is formatted
-    - gofmt
-
     # examine code and report suspicious constructs, such as Printf calls whose
     # arguments do not align with the format string
     - govet
-
-    # make sure names and comments are used according to the conventions
-    - revive
-
+    # consistent imports
+    - importas
     # detect when assignments to existing variables are not used
     - ineffassign
-
+    - nolintlint
+    # make sure names and comments are used according to the conventions
+    - revive
     # run static analysis and find errors
     - staticcheck
-
     # find unused variables, functions, structs, types, etc.
     - unused
-
-    # parse and typecheck code
-    - typecheck
-
-    # ensure that http response bodies are closed
-    - bodyclose
-
-    - importas
-
-issues:
-  # don't use the default exclude rules, this hides (among others) ignored
-  # errors from Close() calls
-  exclude-use-default: false
-
-  # list of things to not warn about
-  exclude:
-    # revive: do not warn about missing comments for exported stuff
-    - exported (function|method|var|type|const) .* should have comment or be unexported
-    # revive: ignore constants in all caps
-    - don't use ALL_CAPS in Go names; use CamelCase
-    # revive: lots of packages don't have such a comment
-    - "package-comments: should have a package comment"
-    - "redefines-builtin-id:"
+  exclusions:
+    rules:
+      - path: (.+)\.go$
+        text: exported (function|method|var|type|const) .* should have comment or be unexported
+      - path: (.+)\.go$
+        text: don't use ALL_CAPS in Go names; use CamelCase
+      - path: (.+)\.go$
+        text: "package-comments: should have a package comment"
+      - path: (.+)\.go$
+        text: "redefines-builtin-id:"
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - gofmt
+  exclusions:
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

.goreleaser.yml

@@ -21,29 +21,27 @@ before:
 
 # build a single binary
 builds:
-  -
+  - id: default
     # make sure everything is statically linked by disabling cgo altogether
-    env:
+    env: &build_env
       - CGO_ENABLED=0
 
     # set the package for the main binary
     main: ./cmd/rest-server
 
     flags:
-      # don't include any paths to source files in the resulting binary
+      &build_flags # don't include any paths to source files in the resulting binary
       - -trimpath
 
-    mod_timestamp: '{{ .CommitTimestamp }}'
+    mod_timestamp: "{{ .CommitTimestamp }}"
 
-    ldflags:
-      # set the version variable in the main package
+    ldflags: &build_ldflags # set the version variable in the main package
       - "-s -w -X main.version={{ .Version }}"
 
     # list all operating systems and architectures we build binaries for
     goos:
       - linux
       - darwin
-      - windows
       - freebsd
       - netbsd
       - openbsd
@@ -52,7 +50,7 @@ builds:
 
     goarch:
       - amd64
-      - 386
+      - "386"
       - arm
       - arm64
       - mips
@@ -61,23 +59,39 @@ builds:
       - ppc64
       - ppc64le
     goarm:
-      - 6
-      - 7
+      - "6"
+      - "7"
+
+  - id: windows-only
+    env: *build_env
+    main: ./cmd/rest-server
+    flags: *build_flags
+    mod_timestamp: "{{ .CommitTimestamp }}"
+    ldflags: *build_ldflags
+    goos:
+      - windows
+    goarch:
+      - amd64
+      - "386"
+      - arm
+      - arm64
 
 # configure the resulting archives to create
 archives:
-  -
+  - id: default
+    builds: [default, windows-only]
+    format: tar.gz
     # package a directory which contains the source file
     wrap_in_directory: true
 
     builds_info: &archive_file_info
       owner: root
       group: root
-      mtime: '{{ .CommitDate }}'
+      mtime: "{{ .CommitDate }}"
       mode: 0644
 
     # add these files to all archives
-    files:
+    files: &archive_files
       - src: LICENSE
         dst: LICENSE
         info: *archive_file_info
@@ -88,13 +102,20 @@ archives:
         dst: CHANGELOG.md
         info: *archive_file_info
 
+  - id: windows-only
+    builds: [windows-only]
+    formats: [zip]
+    wrap_in_directory: true
+    builds_info: *archive_file_info
+    files: *archive_files
+
 # also build an archive of the source code
 source:
   enabled: true
 
 # build a file containing the SHA256 hashes
 checksum:
-  name_template: 'SHA256SUMS'
+  name_template: "SHA256SUMS"
 
 # sign the checksum file
 signs:
@@ -128,7 +149,7 @@ dockers:
       - docker/entrypoint.sh
   - image_templates:
       - restic/rest-server:{{ .Version }}-i386
-    goarch: 386
+    goarch: "386"
     build_flag_templates:
       - "--platform=linux/386"
       - "--pull"
@@ -204,21 +225,20 @@ dockers:
     dockerfile: "Dockerfile.goreleaser"
     extra_files: *extra_files
 
-
 docker_manifests:
-- name_template: "restic/rest-server:{{ .Version }}"
-  image_templates:
-  - "restic/rest-server:{{ .Version }}-amd64"
-  - "restic/rest-server:{{ .Version }}-i386"
-  - "restic/rest-server:{{ .Version }}-arm32v6"
-  - "restic/rest-server:{{ .Version }}-arm32v7"
-  - "restic/rest-server:{{ .Version }}-arm64v8"
-  - "restic/rest-server:{{ .Version }}-ppc64le"
-- name_template: "restic/rest-server:latest"
-  image_templates:
-  - "restic/rest-server:{{ .Version }}-amd64"
-  - "restic/rest-server:{{ .Version }}-i386"
-  - "restic/rest-server:{{ .Version }}-arm32v6"
-  - "restic/rest-server:{{ .Version }}-arm32v7"
-  - "restic/rest-server:{{ .Version }}-arm64v8"
-  - "restic/rest-server:{{ .Version }}-ppc64le"
+  - name_template: "restic/rest-server:{{ .Version }}"
+    image_templates:
+      - "restic/rest-server:{{ .Version }}-amd64"
+      - "restic/rest-server:{{ .Version }}-i386"
+      - "restic/rest-server:{{ .Version }}-arm32v6"
+      - "restic/rest-server:{{ .Version }}-arm32v7"
+      - "restic/rest-server:{{ .Version }}-arm64v8"
+      - "restic/rest-server:{{ .Version }}-ppc64le"
+  - name_template: "restic/rest-server:latest"
+    image_templates:
+      - "restic/rest-server:{{ .Version }}-amd64"
+      - "restic/rest-server:{{ .Version }}-i386"
+      - "restic/rest-server:{{ .Version }}-arm32v6"
+      - "restic/rest-server:{{ .Version }}-arm32v7"
+      - "restic/rest-server:{{ .Version }}-arm64v8"
+      - "restic/rest-server:{{ .Version }}-ppc64le"

CHANGELOG.md

@@ -1,3 +1,98 @@
+Changelog for rest-server 0.14.0 (2025-05-31)
+============================================
+
+The following sections list the changes in rest-server 0.14.0 relevant
+to users. The changes are ordered by importance.
+
+Summary
+-------
+
+ * Sec #318: Fix world-readable permissions on new `.htpasswd` files
+ * Chg #322: Update dependencies and require Go 1.23 or newer
+ * Enh #174: Support proxy-based authentication
+ * Enh #189: Support group accessible repositories
+ * Enh #295: Output status of append-only mode on startup
+ * Enh #315: Hardened tls settings
+ * Enh #321: Add zip archive format for Windows releases
+
+Details
+-------
+
+ * Security #318: Fix world-readable permissions on new `.htpasswd` files
+
+   On startup the rest-server Docker container creates an empty `.htpasswd` file if
+   none exists yet. This file was world-readable by default, which can be a
+   security risk, even though the file only contains hashed passwords.
+
+   This has been fixed such that new `.htpasswd` files are no longer
+   world-readabble.
+
+   The permissions of existing `.htpasswd` files must be manually changed if
+   relevant in your setup.
+
+   https://github.com/restic/rest-server/issues/318
+   https://github.com/restic/rest-server/pull/340
+
+ * Change #322: Update dependencies and require Go 1.23 or newer
+
+   All dependencies have been updated. Rest-server now requires Go 1.23 or newer to
+   build.
+
+   This also disables support for TLS versions older than TLS 1.2. On Windows,
+   rest-server now requires at least Windows 10 or Windows Server 2016. On macOS,
+   rest-server now requires at least macOS 11 Big Sur.
+
+   https://github.com/restic/rest-server/pull/322
+   https://github.com/restic/rest-server/pull/338
+
+ * Enhancement #174: Support proxy-based authentication
+
+   Rest-server now supports authentication via HTTP proxy headers. This feature can
+   be enabled by specifying the username header using the `--proxy-auth-username`
+   option (e.g., `--proxy-auth-username=X-Forwarded-User`).
+
+   When enabled, the server authenticates users based on the specified header and
+   disables Basic Auth. Note that proxy authentication is disabled when `--no-auth`
+   is set.
+
+   https://github.com/restic/rest-server/issues/174
+   https://github.com/restic/rest-server/pull/307
+
+ * Enhancement #189: Support group accessible repositories
+
+   Rest-server now supports making repositories accessible to the filesystem group
+   by setting the `--group-accessible-repos` option. Note that permissions of
+   existing files are not modified. To allow the group to read and write file, use
+   a umask of `007`. To only grant read access use `027`. To make an existing
+   repository group-accessible, use `chmod -R g+rwX /path/to/repo`.
+
+   https://github.com/restic/rest-server/issues/189
+   https://github.com/restic/rest-server/pull/308
+
+ * Enhancement #295: Output status of append-only mode on startup
+
+   Rest-server now displays the status of append-only mode during startup.
+
+   https://github.com/restic/rest-server/pull/295
+
+ * Enhancement #315: Hardened tls settings
+
+   Rest-server now uses a secure TLS cipher suite set by default. The minimum TLS
+   version is now TLS 1.2 and can be further increased using the new
+   `--tls-min-ver` option, allowing users to enforce stricter security
+   requirements.
+
+   https://github.com/restic/rest-server/pull/315
+
+ * Enhancement #321: Add zip archive format for Windows releases
+
+   Windows users can now download rest-server binaries in zip archive format (.zip)
+   in addition to the existing tar.gz archives.
+
+   https://github.com/restic/rest-server/issues/321
+   https://github.com/restic/rest-server/pull/346
+
+
 Changelog for rest-server 0.13.0 (2024-07-26)
 ============================================
 

README.md

@@ -11,7 +11,7 @@ Rest Server is a high performance HTTP server that implements restic's [REST bac
 
 ## Requirements
 
-Rest Server requires Go 1.22 or higher to build.  The only tested compiler is the official Go compiler.
+Rest Server requires Go 1.24 or higher to build.  The only tested compiler is the official Go compiler.
 
 The required version of restic backup client to use with `rest-server` is [v0.7.1](https://github.com/restic/restic/releases/tag/v0.7.1) or higher.
 
@@ -32,24 +32,27 @@ Usage:
   rest-server [flags]
 
 Flags:
-      --append-only            enable append only mode
-      --cpu-profile string     write CPU profile to file
-      --debug                  output debug messages
-  -h, --help                   help for rest-server
-      --htpasswd-file string   location of .htpasswd file (default: "<data directory>/.htpasswd")
-      --listen string          listen address (default ":8000")
-      --log filename           write HTTP requests in the combined log format to the specified filename
-      --max-size int           the maximum size of the repository in bytes
-      --no-auth                disable .htpasswd authentication
-      --no-verify-upload       do not verify the integrity of uploaded data. DO NOT enable unless the rest-server runs on a very low-power device
-      --path string            data directory (default "/tmp/restic")
-      --private-repos          users can only access their private repo
-      --prometheus             enable Prometheus metrics
-      --prometheus-no-auth     disable auth for Prometheus /metrics endpoint
-      --tls                    turn on TLS support
-      --tls-cert string        TLS certificate path
-      --tls-key string         TLS key path
-  -v, --version                version for rest-server
+      --append-only                  enable append only mode
+      --cpu-profile string           write CPU profile to file
+      --debug                        output debug messages
+      --group-accessible-repos       let filesystem group be able to access repo files
+  -h, --help                         help for rest-server
+      --htpasswd-file string         location of .htpasswd file (default: "<data directory>/.htpasswd)"
+      --listen string                listen address (default ":8000")
+      --log filename                 write HTTP requests in the combined log format to the specified filename (use "-" for logging to stdout)
+      --max-size int                 the maximum size of the repository in bytes
+      --no-auth                      disable .htpasswd authentication
+      --no-verify-upload             do not verify the integrity of uploaded data. DO NOT enable unless the rest-server runs on a very low-power device
+      --path string                  data directory (default "/tmp/restic")
+      --private-repos                users can only access their private repo
+      --prometheus                   enable Prometheus metrics
+      --prometheus-no-auth           disable auth for Prometheus /metrics endpoint
+      --proxy-auth-username string   specifies the HTTP header containing the username for proxy-based authentication
+      --tls                          turn on TLS support
+      --tls-cert string              TLS certificate path
+      --tls-key string               TLS key path
+      --tls-min-ver string           TLS min version, one of (1.2|1.3) (default "1.2")
+  -v, --version                      version for rest-server
 ```
 
 By default the server persists backup data in the OS temporary directory (`/tmp/restic` on Linux/BSD and others, in `%TEMP%\\restic` in Windows, etc). **If `rest-server` is launched using the default path, all backups will be lost**. To start the server with a custom persistence directory and with authentication disabled:
@@ -68,7 +71,7 @@ If you want to disable authentication, you must add the `--no-auth` flag. If thi
 
 NOTE: In older versions of rest-server (up to 0.9.7), this flag does not exist and the server disables authentication if `.htpasswd` is missing or cannot be opened.
 
-By default the server uses HTTP protocol.  This is not very secure since with Basic Authentication, user name and passwords will be sent in clear text in every request.  In order to enable TLS support just add the `--tls` argument and add a private and public key at the root of your persistence directory. You may also specify private and public keys by `--tls-cert` and `--tls-key`.
+By default the server uses HTTP protocol.  This is not very secure since with Basic Authentication, user name and passwords will be sent in clear text in every request.  In order to enable TLS support just add the `--tls` argument and add a private and public key at the root of your persistence directory. You may also specify private and public keys by `--tls-cert` and `--tls-key` and set the minimum TLS version to 1.3 using `--tls-min-ver 1.3`.
 
 Signed certificate is normally required by the restic backend, but if you just want to test the feature you can generate password-less unsigned keys with the following command:
 
@@ -139,6 +142,16 @@ docker exec -it rest_server create_user myuser mypassword
 docker exec -it rest_server delete_user myuser
 ```
 
+## Proxy Authentication
+
+See above for no authentication (`--no-auth`) and basic authentication.
+
+To delegate authentication to a proxy, use the `--proxy-auth-username` flag. The specified header name, for example `X-Forwarded-User`,
+must be present in the request headers and specifies the username. Basic authentication is disabled when this flag is set.
+
+Warning: rest-server trusts the username in the header. It is the responsibility of the proxy
+to ensure that the username is correct and cannot be forged by an attacker.
+
 
 ## Prometheus support and Grafana dashboard
 
@@ -147,6 +160,10 @@ The server can be started with `--prometheus` to expose [Prometheus](https://pro
 This repository contains an example full stack Docker Compose setup with a Grafana dashboard in [examples/compose-with-grafana/](examples/compose-with-grafana/).
 
 
+## Group-accessible Repositories
+
+Rest-server supports making repositories accessible to the filesystem group by setting the `--group-accessible-repos` option. Note that permissions of existing files are not modified. To allow the group to read and write file, use a umask of `007`. To only grant read access use `027`. To make an existing repository group-accessible, use `chmod -R g+rwX /path/to/repo`.
+
 ## Why use Rest Server?
 
 Compared to the SFTP backend, the REST backend has better performance, especially so if you can skip additional crypto overhead by using plain HTTP transport (restic already properly encrypts all data it sends, so using HTTPS is mostly about authentication).

Release.md

@@ -34,7 +34,7 @@
    use another config file):
 
         goreleaser \
-          release \
+          release --parallelism 4 \
           --release-notes <(calens --template changelog/CHANGELOG-GitHub.tmpl --version "${VERSION}")
 
 7. Set a new version in `main.go` and commit the result:

VERSION

@@ -1 +1 @@
-0.13.0
+0.14.0

build.go

@@ -58,7 +58,7 @@ var config = Config{
 	Namespace:  "github.com/restic/rest-server",                 // subdir of GOPATH, e.g. "github.com/foo/bar"
 	Main:       "github.com/restic/rest-server/cmd/rest-server", // package name for the main package
 	Tests:      []string{"./..."},                               // tests to run
-	MinVersion: GoVersion{Major: 1, Minor: 22, Patch: 0},        // minimum Go version supported
+	MinVersion: GoVersion{Major: 1, Minor: 24, Patch: 0},        // minimum Go version supported
 }
 
 // Config configures the build.

changelog/0.14.0_2025-05-31/issue-189

@@ -0,0 +1,10 @@
+Enhancement: Support group accessible repositories
+
+Rest-server now supports making repositories accessible to the filesystem group
+by setting the `--group-accessible-repos` option. Note that permissions of
+existing files are not modified. To allow the group to read and write file,
+use a umask of `007`. To only grant read access use `027`. To make an existing
+repository group-accessible, use `chmod -R g+rwX /path/to/repo`.
+
+https://github.com/restic/rest-server/issues/189
+https://github.com/restic/rest-server/pull/308

changelog/0.14.0_2025-05-31/issue-318

@@ -0,0 +1,13 @@
+Security: Fix world-readable permissions on new `.htpasswd` files
+
+On startup the rest-server Docker container creates an empty `.htpasswd` file
+if none exists yet. This file was world-readable by default, which can be
+a security risk, even though the file only contains hashed passwords.
+
+This has been fixed such that new `.htpasswd` files are no longer world-readabble.
+
+The permissions of existing `.htpasswd` files must be manually changed if
+relevant in your setup.
+
+https://github.com/restic/rest-server/issues/318
+https://github.com/restic/rest-server/pull/340

changelog/0.14.0_2025-05-31/issue-321

@@ -0,0 +1,7 @@
+Enhancement: Add zip archive format for Windows releases
+
+Windows users can now download rest-server binaries in zip archive format (.zip)
+in addition to the existing tar.gz archives.
+
+https://github.com/restic/rest-server/issues/321
+https://github.com/restic/rest-server/pull/346

changelog/0.14.0_2025-05-31/pull-295

@@ -0,0 +1,5 @@
+Enhancement: Output status of append-only mode on startup
+
+Rest-server now displays the status of append-only mode during startup.
+
+https://github.com/restic/rest-server/pull/295

changelog/0.14.0_2025-05-31/pull-307

@@ -0,0 +1,12 @@
+Enhancement: Support proxy-based authentication
+
+Rest-server now supports authentication via HTTP proxy headers. This feature can
+be enabled by specifying the username header using the `--proxy-auth-username`
+option (e.g., `--proxy-auth-username=X-Forwarded-User`).
+
+When enabled, the server authenticates users based on the specified header and
+disables Basic Auth. Note that proxy authentication is disabled when `--no-auth`
+is set.
+
+https://github.com/restic/rest-server/issues/174
+https://github.com/restic/rest-server/pull/307

changelog/0.14.0_2025-05-31/pull-315

@@ -0,0 +1,7 @@
+Enhancement: Hardened tls settings
+
+Rest-server now uses a secure TLS cipher suite set by default. The minimum TLS
+version is now TLS 1.2 and can be further increased using the new `--tls-min-ver`
+option, allowing users to enforce stricter security requirements.
+
+https://github.com/restic/rest-server/pull/315

changelog/0.14.0_2025-05-31/pull-322

@@ -0,0 +1,11 @@
+Change: Update dependencies and require Go 1.23 or newer
+
+All dependencies have been updated. Rest-server now requires Go 1.23 or newer
+to build.
+
+This also disables support for TLS versions older than TLS 1.2. On Windows,
+rest-server now requires at least Windows 10 or Windows Server 2016. On macOS,
+rest-server now requires at least macOS 11 Big Sur.
+
+https://github.com/restic/rest-server/pull/322
+https://github.com/restic/rest-server/pull/338

changelog/unreleased/pull-295

@@ -1,5 +0,0 @@
-Enhancement: Output status of append only mode on startup
-
-Rest-server now outputs whether append only mode has been enabled on startup.
-
-https://github.com/restic/rest-server/pull/295

changelog/unreleased/pull-322

@@ -1,9 +0,0 @@
-Change: Update dependencies and require Go 1.22 or newer
-
-We have updated all dependencies. Since some libraries require newer Go standard
-library features, support for Go 1.18 to 1.21 has been dropped, which means
-that rest-server now requires at least Go 1.22 to build.
-
-This also disables support for TLS versions older than TLS 1.2.
-
-https://github.com/restic/rest-server/pull/322

changelog/unreleased/pull-373

@@ -0,0 +1,6 @@
+Change: Update dependencies and require Go 1.24 or newer
+
+All dependencies have been updated. Rest-server now requires Go 1.24 or newer
+to build.
+
+https://github.com/restic/rest-server/pull/373

cmd/rest-server/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"log"
@@ -45,8 +46,9 @@ func newRestServerApp() *restServerApp {
 			Version: fmt.Sprintf("rest-server %s compiled with %v on %v/%v\n", version, runtime.Version(), runtime.GOOS, runtime.GOARCH),
 		},
 		Server: restserver.Server{
-			Path:   filepath.Join(os.TempDir(), "restic"),
-			Listen: ":8000",
+			Path:      filepath.Join(os.TempDir(), "restic"),
+			Listen:    ":8000",
+			TLSMinVer: "1.2",
 		},
 	}
 	rv.CmdRoot.RunE = rv.runRoot
@@ -61,19 +63,22 @@ func newRestServerApp() *restServerApp {
 	flags.BoolVar(&rv.Server.TLS, "tls", rv.Server.TLS, "turn on TLS support")
 	flags.StringVar(&rv.Server.TLSCert, "tls-cert", rv.Server.TLSCert, "TLS certificate path")
 	flags.StringVar(&rv.Server.TLSKey, "tls-key", rv.Server.TLSKey, "TLS key path")
-	flags.BoolVar(&rv.Server.NoAuth, "no-auth", rv.Server.NoAuth, "disable .htpasswd authentication")
+	flags.StringVar(&rv.Server.TLSMinVer, "tls-min-ver", rv.Server.TLSMinVer, "TLS min version, one of (1.2|1.3)")
+	flags.BoolVar(&rv.Server.NoAuth, "no-auth", rv.Server.NoAuth, "disable authentication")
 	flags.StringVar(&rv.Server.HtpasswdPath, "htpasswd-file", rv.Server.HtpasswdPath, "location of .htpasswd file (default: \"<data directory>/.htpasswd)\"")
+	flags.StringVar(&rv.Server.ProxyAuthUsername, "proxy-auth-username", rv.Server.ProxyAuthUsername, "specifies the HTTP header containing the username for proxy-based authentication")
 	flags.BoolVar(&rv.Server.NoVerifyUpload, "no-verify-upload", rv.Server.NoVerifyUpload,
 		"do not verify the integrity of uploaded data. DO NOT enable unless the rest-server runs on a very low-power device")
 	flags.BoolVar(&rv.Server.AppendOnly, "append-only", rv.Server.AppendOnly, "enable append only mode")
 	flags.BoolVar(&rv.Server.PrivateRepos, "private-repos", rv.Server.PrivateRepos, "users can only access their private repo")
 	flags.BoolVar(&rv.Server.Prometheus, "prometheus", rv.Server.Prometheus, "enable Prometheus metrics")
 	flags.BoolVar(&rv.Server.PrometheusNoAuth, "prometheus-no-auth", rv.Server.PrometheusNoAuth, "disable auth for Prometheus /metrics endpoint")
+	flags.BoolVar(&rv.Server.GroupAccessibleRepos, "group-accessible-repos", rv.Server.GroupAccessibleRepos, "let filesystem group be able to access repo files")
 
 	return rv
 }
 
-var version = "0.13.0"
+var version = "0.14.0-dev"
 
 func (app *restServerApp) tlsSettings() (bool, string, string, error) {
 	var key, cert string
@@ -129,7 +134,11 @@ func (app *restServerApp) runRoot(_ *cobra.Command, _ []string) error {
 	if app.Server.NoAuth {
 		log.Println("Authentication disabled")
 	} else {
-		log.Println("Authentication enabled")
+		if app.Server.ProxyAuthUsername == "" {
+			log.Println("Authentication enabled")
+		} else {
+			log.Println("Proxy Authentication enabled")
+		}
 	}
 
 	handler, err := restserver.NewHandler(&app.Server)
@@ -149,6 +158,12 @@ func (app *restServerApp) runRoot(_ *cobra.Command, _ []string) error {
 		log.Println("Private repositories disabled")
 	}
 
+	if app.Server.GroupAccessibleRepos {
+		log.Println("Group accessible repos enabled")
+	} else {
+		log.Println("Group accessible repos disabled")
+	}
+
 	enabledTLS, privateKey, publicKey, err := app.tlsSettings()
 	if err != nil {
 		return err
@@ -164,8 +179,29 @@ func (app *restServerApp) runRoot(_ *cobra.Command, _ []string) error {
 	app.listenerAddress = listener.Addr()
 	app.listenerAddressMu.Unlock()
 
+	tlscfg := &tls.Config{
+		MinVersion: tls.VersionTLS12,
+		CipherSuites: []uint16{
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+		},
+	}
+	switch app.Server.TLSMinVer {
+	case "1.2":
+		tlscfg.MinVersion = tls.VersionTLS12
+	case "1.3":
+		tlscfg.MinVersion = tls.VersionTLS13
+	default:
+		return fmt.Errorf("unsupported TLS min version: %s. Allowed versions are 1.2 or 1.3", app.Server.TLSMinVer)
+	}
+
 	srv := &http.Server{
-		Handler: handler,
+		Handler:   handler,
+		TLSConfig: tlscfg,
 	}
 
 	// run server in background

cmd/rest-server/main_test.go

@@ -118,6 +118,12 @@ func TestGetHandler(t *testing.T) {
 		t.Errorf("NoAuth=true: expected no error, got %v", err)
 	}
 
+	// With NoAuth = false, no .htpasswd and ProxyAuth = X-Remote-User
+	_, err = getHandler(&restserver.Server{Path: dir, ProxyAuthUsername: "X-Remote-User"})
+	if err != nil {
+		t.Errorf("NoAuth=false, ProxyAuthUsername = X-Remote-User: expected no error, got %v", err)
+	}
+
 	// With NoAuth = false and custom .htpasswd
 	htpFile, err := os.CreateTemp(dir, "custom")
 	if err != nil {

docker/create_user

@@ -9,8 +9,8 @@ fi
 
 if [ -z "$2" ]; then
     # password from prompt
-    htpasswd -B $PASSWORD_FILE $1
+    htpasswd -B "$PASSWORD_FILE" "$1"
 else
     # read password from command line
-    htpasswd -B -b $PASSWORD_FILE $1 $2
+    htpasswd -B -b "$PASSWORD_FILE" "$1" "$2"
 fi

docker/delete_user

@@ -5,4 +5,4 @@ if [ -z "$1" ]; then
     exit 1
 fi
 
-htpasswd -D $PASSWORD_FILE $1
+htpasswd -D "$PASSWORD_FILE" "$1"

docker/entrypoint.sh

@@ -6,7 +6,7 @@ if [ -n "$DISABLE_AUTHENTICATION" ]; then
     OPTIONS="--no-auth $OPTIONS"
 else
     if [ ! -f "$PASSWORD_FILE" ]; then
-        touch "$PASSWORD_FILE"
+        ( umask 027 && touch "$PASSWORD_FILE" )
     fi
 
     if [ ! -s "$PASSWORD_FILE" ]; then

examples/systemd/rest-server.service

@@ -26,8 +26,10 @@ RestartSec=5
 # The following line must be customised to your individual requirements.
 ReadWritePaths=/path/to/backups
 
-# Makes created files group-readable, but inaccessible by others
-UMask=027
+# Files in the data repository are only user accessible by default. Default to
+# `UMask=077` for consistency. To make created files group-readable, set to
+# `UMask=007` and pass `--group-accessible-repos` to rest-server via `ExecStart`.
+UMask=077
 
 # If your system doesn't support all of the features below (e.g. because of
 # the use of an older version of systemd), you may wish to comment-out

go.mod

@@ -1,15 +1,15 @@
 module github.com/restic/rest-server
 
-go 1.22
+go 1.24.0
 
 require (
-	github.com/coreos/go-systemd/v22 v22.5.0
+	github.com/coreos/go-systemd/v22 v22.6.0
 	github.com/gorilla/handlers v1.5.2
 	github.com/minio/sha256-simd v1.0.1
 	github.com/miolini/datacounter v1.0.3
-	github.com/prometheus/client_golang v1.20.5
-	github.com/spf13/cobra v1.9.1
-	golang.org/x/crypto v0.32.0
+	github.com/prometheus/client_golang v1.23.2
+	github.com/spf13/cobra v1.10.2
+	golang.org/x/crypto v0.45.0
 )
 
 require (
@@ -17,13 +17,14 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/klauspost/compress v1.17.9 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
-	golang.org/x/sys v0.30.0 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
 )

go.sum

@@ -2,24 +2,28 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
-github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/coreos/go-systemd/v22 v22.6.0 h1:aGVa/v8B7hpb0TKl0MWoAavPDmHvobFe5R5zn0bCJWo=
+github.com/coreos/go-systemd/v22 v22.6.0/go.mod h1:iG+pp635Fo7ZmV/j14KUcmEyWF+0X7Lua8rrTWzYgWU=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
 github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
-github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
 github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/minio/sha256-simd v1.0.1 h1:6kaan5IFmwTNynnKKpDHe6FWHohJOHhCPchzK49dzMM=
@@ -30,27 +34,36 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
-github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
-golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
+github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
+go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

handlers.go

@@ -15,23 +15,26 @@ import (
 
 // Server encapsulates the rest-server's settings and repo management logic
 type Server struct {
-	Path             string
-	HtpasswdPath     string
-	Listen           string
-	Log              string
-	CPUProfile       string
-	TLSKey           string
-	TLSCert          string
-	TLS              bool
-	NoAuth           bool
-	AppendOnly       bool
-	PrivateRepos     bool
-	Prometheus       bool
-	PrometheusNoAuth bool
-	Debug            bool
-	MaxRepoSize      int64
-	PanicOnError     bool
-	NoVerifyUpload   bool
+	Path                 string
+	HtpasswdPath         string
+	Listen               string
+	Log                  string
+	CPUProfile           string
+	TLSKey               string
+	TLSCert              string
+	TLSMinVer            string
+	TLS                  bool
+	NoAuth               bool
+	ProxyAuthUsername    string
+	AppendOnly           bool
+	PrivateRepos         bool
+	Prometheus           bool
+	PrometheusNoAuth     bool
+	Debug                bool
+	MaxRepoSize          int64
+	PanicOnError         bool
+	NoVerifyUpload       bool
+	GroupAccessibleRepos bool
 
 	htpasswdFile *HtpasswdFile
 	quotaManager *quota.Manager
@@ -88,12 +91,13 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 	// Pass the request to the repo.Handler
 	opt := repo.Options{
-		AppendOnly:     s.AppendOnly,
-		Debug:          s.Debug,
-		QuotaManager:   s.quotaManager, // may be nil
-		PanicOnError:   s.PanicOnError,
-		NoVerifyUpload: s.NoVerifyUpload,
-		FsyncWarning:   &s.fsyncWarning,
+		AppendOnly:      s.AppendOnly,
+		Debug:           s.Debug,
+		QuotaManager:    s.quotaManager, // may be nil
+		PanicOnError:    s.PanicOnError,
+		NoVerifyUpload:  s.NoVerifyUpload,
+		FsyncWarning:    &s.fsyncWarning,
+		GroupAccessible: s.GroupAccessibleRepos,
 	}
 	if s.Prometheus {
 		opt.BlobMetricFunc = makeBlobMetricFunc(username, folderPath)

mux.go

@@ -41,10 +41,17 @@ func (s *Server) checkAuth(r *http.Request) (username string, ok bool) {
 	if s.NoAuth {
 		return username, true
 	}
-	var password string
-	username, password, ok = r.BasicAuth()
-	if !ok || !s.htpasswdFile.Validate(username, password) {
-		return "", false
+	if s.ProxyAuthUsername != "" {
+		username = r.Header.Get(s.ProxyAuthUsername)
+		if username == "" {
+			return "", false
+		}
+	} else {
+		var password string
+		username, password, ok = r.BasicAuth()
+		if !ok || !s.htpasswdFile.Validate(username, password) {
+			return "", false
+		}
 	}
 	return username, true
 }
@@ -66,7 +73,7 @@ func (s *Server) wrapMetricsAuth(f http.HandlerFunc) http.HandlerFunc {
 
 // NewHandler returns the master HTTP multiplexer/router.
 func NewHandler(server *Server) (http.Handler, error) {
-	if !server.NoAuth {
+	if !server.NoAuth && server.ProxyAuthUsername == "" {
 		var err error
 		if server.HtpasswdPath == "" {
 			server.HtpasswdPath = filepath.Join(server.Path, ".htpasswd")

mux_test.go

@@ -0,0 +1,80 @@
+package restserver
+
+import (
+	"net/http/httptest"
+	"testing"
+)
+
+func TestCheckAuth(t *testing.T) {
+	tests := []struct {
+		name           string
+		server         *Server
+		requestHeaders map[string]string
+		basicAuth      bool
+		basicUser      string
+		basicPassword  string
+		expectedUser   string
+		expectedOk     bool
+	}{
+		{
+			name: "NoAuth enabled",
+			server: &Server{
+				NoAuth: true,
+			},
+			expectedOk: true,
+		},
+		{
+			name: "Proxy Auth successful",
+			server: &Server{
+				ProxyAuthUsername: "X-Remote-User",
+			},
+			requestHeaders: map[string]string{
+				"X-Remote-User": "restic",
+			},
+			expectedUser: "restic",
+			expectedOk:   true,
+		},
+		{
+			name: "Proxy Auth empty header",
+			server: &Server{
+				ProxyAuthUsername: "X-Remote-User",
+			},
+			requestHeaders: map[string]string{
+				"X-Remote-User": "",
+			},
+			expectedOk: false,
+		},
+		{
+			name: "Proxy Auth missing header",
+			server: &Server{
+				ProxyAuthUsername: "X-Remote-User",
+			},
+			expectedOk: false,
+		},
+		{
+			name:   "Proxy Auth send but not enabled",
+			server: &Server{},
+			requestHeaders: map[string]string{
+				"X-Remote-User": "restic",
+			},
+			expectedOk: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := httptest.NewRequest("GET", "/", nil)
+			for header, value := range tt.requestHeaders {
+				req.Header.Set(header, value)
+			}
+			if tt.basicAuth {
+				req.SetBasicAuth(tt.basicUser, tt.basicPassword)
+			}
+
+			username, ok := tt.server.checkAuth(req)
+			if username != tt.expectedUser || ok != tt.expectedOk {
+				t.Errorf("expected (%v, %v), got (%v, %v)", tt.expectedUser, tt.expectedOk, username, ok)
+			}
+		})
+	}
+}

repo/repo.go

@@ -28,8 +28,6 @@ import (
 type Options struct {
 	AppendOnly     bool // if set, delete actions are not allowed
 	Debug          bool
-	DirMode        os.FileMode
-	FileMode       os.FileMode
 	NoVerifyUpload bool
 
 	// If set, we will panic when an internal server error happens. This
@@ -39,6 +37,13 @@ type Options struct {
 	BlobMetricFunc BlobMetricFunc
 	QuotaManager   *quota.Manager
 	FsyncWarning   *sync.Once
+
+	// If set makes files group accessible
+	GroupAccessible bool
+
+	// Defaults dir and file mode
+	dirMode  os.FileMode
+	fileMode os.FileMode
 }
 
 // DefaultDirMode is the file mode used for directory creation if not
@@ -49,6 +54,14 @@ const DefaultDirMode os.FileMode = 0700
 // overridden in the Options
 const DefaultFileMode os.FileMode = 0600
 
+// GroupAccessibleDirMode is the file mode used for directory creation when
+// group access is enabled
+const GroupAccessibleDirMode os.FileMode = 0770
+
+// GroupAccessibleFileMode is the file mode used for file creation when
+// group access is enabled
+const GroupAccessibleFileMode os.FileMode = 0660
+
 // New creates a new Handler for a single Restic backup repo.
 // path is the full filesystem path to this repo directory.
 // opt is a set of options.
@@ -56,12 +69,15 @@ func New(path string, opt Options) (*Handler, error) {
 	if path == "" {
 		return nil, fmt.Errorf("path is required")
 	}
-	if opt.DirMode == 0 {
-		opt.DirMode = DefaultDirMode
-	}
-	if opt.FileMode == 0 {
-		opt.FileMode = DefaultFileMode
+
+	opt.dirMode = DefaultDirMode
+	opt.fileMode = DefaultFileMode
+
+	if opt.GroupAccessible {
+		opt.dirMode = GroupAccessibleDirMode
+		opt.fileMode = GroupAccessibleFileMode
 	}
+
 	h := Handler{
 		path: path,
 		opt:  opt,
@@ -288,7 +304,7 @@ func (h *Handler) saveConfig(w http.ResponseWriter, r *http.Request) {
 	}
 	cfg := h.getSubPath("config")
 
-	f, err := os.OpenFile(cfg, os.O_CREATE|os.O_WRONLY|os.O_EXCL, h.opt.FileMode)
+	f, err := os.OpenFile(cfg, os.O_CREATE|os.O_WRONLY|os.O_EXCL, h.opt.fileMode)
 	if err != nil && os.IsExist(err) {
 		if h.opt.Debug {
 			log.Print(err)
@@ -554,15 +570,15 @@ func (h *Handler) saveBlob(w http.ResponseWriter, r *http.Request) {
 	}
 
 	tmpFn := filepath.Join(filepath.Dir(path), objectID+".rest-server-temp")
-	tf, err := tempFile(tmpFn, h.opt.FileMode)
+	tf, err := tempFile(tmpFn, h.opt.fileMode)
 	if os.IsNotExist(err) {
 		// the error is caused by a missing directory, create it and retry
-		mkdirErr := os.MkdirAll(filepath.Dir(path), h.opt.DirMode)
+		mkdirErr := os.MkdirAll(filepath.Dir(path), h.opt.dirMode)
 		if mkdirErr != nil {
 			log.Print(mkdirErr)
 		} else {
 			// try again
-			tf, err = tempFile(tmpFn, h.opt.FileMode)
+			tf, err = tempFile(tmpFn, h.opt.fileMode)
 		}
 	}
 	if err != nil {
@@ -759,13 +775,13 @@ func (h *Handler) createRepo(w http.ResponseWriter, r *http.Request) {
 
 	log.Printf("Creating repository directories in %s\n", h.path)
 
-	if err := os.MkdirAll(h.path, h.opt.DirMode); err != nil {
+	if err := os.MkdirAll(h.path, h.opt.dirMode); err != nil {
 		h.internalServerError(w, err)
 		return
 	}
 
 	for _, d := range ObjectTypes {
-		if err := os.Mkdir(filepath.Join(h.path, d), h.opt.DirMode); err != nil && !os.IsExist(err) {
+		if err := os.Mkdir(filepath.Join(h.path, d), h.opt.dirMode); err != nil && !os.IsExist(err) {
 			h.internalServerError(w, err)
 			return
 		}
@@ -773,7 +789,7 @@ func (h *Handler) createRepo(w http.ResponseWriter, r *http.Request) {
 
 	for i := 0; i < 256; i++ {
 		dirPath := filepath.Join(h.path, "data", fmt.Sprintf("%02x", i))
-		if err := os.Mkdir(dirPath, h.opt.DirMode); err != nil && !os.IsExist(err) {
+		if err := os.Mkdir(dirPath, h.opt.dirMode); err != nil && !os.IsExist(err) {
 			h.internalServerError(w, err)
 			return
 		}