Restic REST server architecture

simon commented

2020-12-28 16:36:46 +01:00

Owner

In the future I want to switch to a restic rest-server instance for backups instead of an s3-compatible backend (wasabi).

This has multiple advantages:

Prune for all systems can be done locally on the server (faster, since it does not have to upload it over a slow uplink (< 40 Mbit/s)
Faster restore (I can physically transfer the server (or its drives) to another location or export the data from it to a physical drive and don’t have to download 1TiB+ over a somewhat slow (< 100 Mbit/s) connection
Possibly better protection against malicious systems (append-only mode, see below for problems)

Possible implementations

TODO for some of them:

Does restic support digest auth for rest server?

Two instances

One instance provides append-only access
- Available via nginx over http with digest auth (by nginx)
One instance provides full access
- Available via nginx over https with basic auth (probably by nginx)

Problems

NixOS has no option to run multiple instances simultaneously
- Possible workaround: run append-only service in nixos container
Does running two intances even work (reliably)?

No append-only mode, HTTPS

Only run full access instance (with basic auth over HTTPS).

Problems

Allows attacker that can read credentials to purge backups.

Nginx as API filter

Rest-server runs without restrictions or authentication
Nginx offers two virtual hosts (or similar):
- Full access with basic auth over https
- Limited access with digest auth over http
  - Filters DELETE methods (return 403)
  - TODO: find out if blocking GET {path}/{type}/{name} requests is also possible

Nginx as API filter, but slower

Like Nginx as API filter, except that the limited access is provided via https and authentication happens with basic auth.

rest server api docs: https://restic.readthedocs.io/en/stable/100_references.html#rest-backend

Combined with other method: VPN instead of HTTPS

To make this work well, the host running the rest server should be added as peer to the wireguard tunnel, so traffic to it will be routed directly (and not via my slow home network).

In the future I want to switch to a restic rest-server instance for backups instead of an s3-compatible backend (wasabi). This has multiple advantages: * Prune for all systems can be done locally on the server (faster, since it does not have to upload it over a slow uplink (< 40 Mbit/s) * Faster restore (I can physically transfer the server (or its drives) to another location or export the data from it to a physical drive and don’t have to download 1TiB+ over a somewhat slow (< 100 Mbit/s) connection * Possibly better protection against malicious systems (append-only mode, see below for problems) ## Possible implementations TODO for some of them: - [ ] Does restic support digest auth for rest server? ### Two instances * One instance provides append-only access + Available via nginx over http with digest auth (by nginx) * One instance provides full access + Available via nginx over https with basic auth (probably by nginx) #### Problems * NixOS has no option to run multiple instances simultaneously + Possible workaround: run append-only service in nixos container * Does running two intances even work (reliably)? ### No append-only mode, HTTPS Only run full access instance (with basic auth over HTTPS). #### Problems * Allows attacker that can read credentials to purge backups. ### Nginx as API filter * Rest-server runs without restrictions or authentication * Nginx offers two virtual hosts (or similar): + Full access with basic auth over https + Limited access with digest auth over http - Filters `DELETE` methods (`return 403`) - [ ] TODO: find out if blocking `GET {path}/{type}/{name}` requests is also possible ### Nginx as API filter, but slower Like *Nginx as API filter*, except that the limited access is provided via http**s** and authentication happens with basic auth. rest server api docs: https://restic.readthedocs.io/en/stable/100_references.html#rest-backend ### Combined with other method: VPN instead of HTTPS To make this work well, the host running the rest server should be added as peer to the wireguard tunnel, so traffic to it will be routed directly (and not via my slow home network).

~~simon referenced this issue 2021-01-06 23:00:49 +01:00~~

Add ayu (Odroid HC4 backup server) #10

simon added the

type

question

blocked by/testing needed

affects/style

labels 2021-01-31 22:33:03 +01:00

simon commented

2021-03-01 18:14:15 +01:00

Author

Owner

Closing, since I will use it only for huge files, not for all backups. Using rest-server’s integrated .htpasswd authentication is okay for that scenario.

simon closed this issue

2021-03-01 18:14:16 +01:00

simon added

resolution

wontfix

affects/security

and removed

blocked by/testing needed

labels 2021-03-01 18:14:48 +01:00