Qnap [ Restic Server ] [ 0.11 ] Rest Server is a high performance HTTP server

QoolBox



Source : https://github.com/restic/rest-server

Download :

https://www.myqnap.org/product/rest-server/

Rest Server is a high performance HTTP server that implements restic's REST backend API. It provides a secure and efficient way to back up data remotely, using the restic backup client via the rest: URL.

Notes:

The QPKG listens by default on port 12000 (for rest://).
The backup set is stored in a share called ResticBackup, created automatically on first start.
No auth, no private server by default (please change /opt/ResticServer/ResticServer.sh according to your needs).
The rest-server command line is added to $PATH as well.

Command line options:

Code:
rest-server --help

Run a REST server for use with restic

Usage:
rest-server [flags]

Flags:
--append-only enable append only mode
--cpu-profile string write CPU profile to file
--debug output debug messages
-h, --help help for rest-server
--listen string listen address (default ":8000")
--log string log HTTP requests in the combined log format
--no-auth disable .htpasswd authentication
--path string data directory (default "/tmp/restic")
--private-repos users can only access their private repo
--prometheus enable Prometheus metrics
--tls turn on TLS support
--tls-cert string TLS certificate path
--tls-key string TLS key path
-V, --version show version and quit

Changelog for rest-server 0.11.0 (2022-02-10)

The following sections list the changes in rest-server 0.11.0 relevant to users. The changes are ordered by importance.

Summary

  • Sec #131: Prevent loading of usernames containing a slash
  • Fix #119: Fix Docker configuration for DISABLE_AUTHENTICATION
  • Fix #142: Fix possible data loss due to interrupted network connections
  • Fix #157: Use platform-specific temporary directory as default data directory
  • Fix #155: Reply "insufficient storage" on disk full or over-quota
  • Chg #146: Build rest-server at docker container build time
  • Chg #112: Add subrepo support and refactor server code
  • Enh #122: Verify uploaded files
  • Enh #126: Allow running rest-server via systemd socket activation
  • Enh #148: Expand use of security features in example systemd unit file

Details

  • Security #131: Prevent loading of usernames containing a slash
    "/" is a valid character in HTTP authorization headers, but is also used in rest-server to map usernames to private repos.
    This commit prevents loading maliciously composed usernames like "/foo/config" by restricting the allowed characters to the unicode character class, numbers, "-", "." and "@".
    This prevents requests to other users' files like:
    curl -v -X DELETE -u foo/config:attack http://localhost:8000/foo/config
    #131 #132 #137
  • Bugfix #119: Fix Docker configuration for DISABLE_AUTHENTICATION
    Rest-server 0.10.0 introduced a regression which caused the DISABLE_AUTHENTICATION environment variable to stop working for the Docker container. This has been fixed by automatically setting the option --no-auth to disable authentication.
    #119 #124
  • Bugfix #142: Fix possible data loss due to interrupted network connections
    When rest-server was run without --append-only it was possible to lose uploaded files in a specific scenario in which a network connection was interrupted.
    For the data loss to occur, a file upload by restic would have to be interrupted such that restic notices the interrupted network connection before the rest-server. Then restic would have to retry the file upload and finish it before the rest-server notices that the initial upload has failed. Then the uploaded file would be accidentally removed by rest-server when trying to clean up the failed upload.
    This has been fixed by always uploading to a temporary file first which is moved in position only once it was uploaded completely.
    #142
  • Bugfix #157: Use platform-specific temporary directory as default data directory
    If no data directory is specified, then rest-server now uses the Go standard library functions to retrieve the standard temporary directory path for the current platform.
    #157 #158
  • Bugfix #155: Reply "insufficient storage" on disk full or over-quota
    When there was no space left on disk, or any other write-related error occurred, rest-server replied with HTTP status code 400 (Bad request). This is misleading (restic client will dump the status code to the user).
    Rest-server now replies with two different status codes in these situations:
      • HTTP 507 "Insufficient storage" is the status on disk full or repository over-quota
      • HTTP 500 "Internal server error" is used for other disk-related errors
    #155 #160
  • Change #146: Build rest-server at docker container build time
    The Dockerfile now includes a build stage such that the latest rest-server is always built and packaged. This is done in a standard golang container to ensure a clean build environment and only the final binary is shipped rather than the whole build environment.
    #146 #145
  • Change #112: Add subrepo support and refactor server code
    Support for multi-level repositories has been added, so now each user can have its own subrepositories. This feature is always enabled.
    Authentication for the Prometheus /metrics endpoint can now be disabled with the new --prometheus-no-auth flag.
    We have split out all HTTP handling to a separate repo subpackage to cleanly separate the server code from the code that handles a single repository. The new RepoHandler also makes it easier to reuse rest-server as a Go component in any other HTTP server.
    The refactoring makes the code significantly easier to follow and understand, which in turn makes it easier to add new features, audit for security and debug issues.
    #109 #107 #112
  • Enhancement #122: Verify uploaded files
    The rest-server now by default verifies that the hash of content of uploaded files matches their filename. This ensures that transmission errors are detected and forces restic to retry the upload. On low-power devices it can make sense to disable this check by passing the --no-verify-upload flag.
    #122 #130
  • Enhancement #126: Allow running rest-server via systemd socket activation
    We've added the option to have systemd create the listening socket and start the rest-server on demand.
    #126 #151 #127
  • Enhancement #148: Expand use of security features in example systemd unit file
    The example systemd unit file now enables additional systemd features to mitigate potential security vulnerabilities in rest-server and the various packages and operating system components which it relies upon.
    #148 #149
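
The username restriction from Security #131, as an added example (not rest-server's own code): it shows why a prefix-style private-repo check accepts the account name "foo/config" for another user's path, and how filtering names at load time closes that. `PrefixOwns` and `Authorize` are hypothetical helpers, and reading "unicode character class" as `\p{L}` is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Allowed set as the changelog describes it: letters, digits, "-", "." and "@".
// Reading "unicode character class" as \p{L} is an assumption of this example.
var validUsername = regexp.MustCompile(`^[\p{L}\d@._-]+$`)

// ValidUsername reports whether name may be loaded from the password file.
func ValidUsername(name string) bool {
	return validUsername.MatchString(name)
}

// PrefixOwns is a hypothetical private-repo check: the request path must
// equal "/<user>" or start with "/<user>/".
func PrefixOwns(user, urlPath string) bool {
	prefix := "/" + user
	if !strings.HasPrefix(urlPath, prefix) {
		return false
	}
	return len(urlPath) == len(prefix) || urlPath[len(prefix)] == '/'
}

// Authorize applies the username filter before the path check, so an
// account name can only ever stand for a single path segment.
func Authorize(user, urlPath string) bool {
	return ValidUsername(user) && PrefixOwns(user, urlPath)
}

func main() {
	// Constructed cases; "foo/config" is the username from the changelog.
	cases := []struct{ user, path string }{
		{"foo", "/foo/config"},
		{"foo/config", "/foo/config"},
		{"bob@example.org", "/bob@example.org/data/ab"},
		{"foo", "/foobar/config"},
	}
	for _, c := range cases {
		fmt.Printf("%-18q %-28q prefix-only=%-5v filtered=%v\n",
			c.user, c.path, PrefixOwns(c.user, c.path), Authorize(c.user, c.path))
	}
}
```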
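
The upload handling described in Bugfix #142 and Enhancement #122, as an added example (not rest-server's own code): the body is written to a temporary file, hashed while it streams, and moved into place only if the hash equals the file name. `SaveVerified` is a hypothetical helper, and it assumes the file name is the hex SHA-256 of the content, as restic names its repository files.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrHashMismatch = errors.New("content hash does not match file name")

// SaveVerified streams body to a temporary file in dir and renames it to
// name only when the SHA-256 of the received bytes equals name.
func SaveVerified(dir, name string, body io.Reader) (err error) {
	tmp, err := os.CreateTemp(dir, ".upload-*")
	if err != nil {
		return err
	}
	defer func() {
		tmp.Close() // harmless if already closed below
		if err != nil {
			os.Remove(tmp.Name()) // remove our temp file only, never dir/name
		}
	}()
	h := sha256.New()
	if _, err = io.Copy(io.MultiWriter(tmp, h), body); err != nil {
		return err // interrupted transfer: the final name was never touched
	}
	if fmt.Sprintf("%x", h.Sum(nil)) != name {
		return ErrHashMismatch
	}
	if err = tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), filepath.Join(dir, name))
}

func main() {
	dir, _ := os.MkdirTemp("", "repo") // constructed scratch repository
	defer os.RemoveAll(dir)
	data := "constructed pack contents"
	name := fmt.Sprintf("%x", sha256.Sum256([]byte(data)))
	fmt.Println("complete:", SaveVerified(dir, name, strings.NewReader(data)))
	fmt.Println("truncated:", SaveVerified(dir, name, strings.NewReader(data[:5])))
	got, _ := os.ReadFile(filepath.Join(dir, name))
	fmt.Println("stored copy intact:", string(got) == data)
}
```

Because a failed attempt only ever deletes its own temporary file, a truncated duplicate of an upload that already completed leaves the stored copy in place.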