Open networkException opened 3 years ago
Thanks for your contribution. I'm however thinking that instead of having a separate flag to turn this feature on, it's better with sane defaults and if needed a way to specify different verbosity in the regular log. The latter could also be used for other things, and we already use that type of thing in restic (the --verbose
option). In other words, instead of adding flags for every thing we want loggable, better to put them in the right verbosity level and use that.
It's unfortunate that we're using -v
for --version
, it would be better if --version
would be its own command instead, like in restic, as opposed to an option. This can be changed though, it's not like a ton of people are depending on the -v
option..
I'm also pondering if the --header-for-ip
shouldn't be renamed --ip-header
or possibly --header-ip
.
I'm not familiar enough with the codebase to refactor the whole logging system to respond to verbosity levels I fear.
As for the flag --ip-header
sounds alright, I will change that
By default, log at least the '401 Unauthorized' error so that we can take automatic action on the server. Currently, there is no way to do this, and it poses a security risk.
What is the purpose of this change? What does it change?
Currently it is not possible to integrate rest-server into a service like fail2ban which prevents brute force login attempts.
This pull request adds new command line flags in order to support logging of unauthorized requests to the server. The flag
--log-auth-failure
enables the logging and uses the remote address of the request as the default for the logged ip. If the server is used behind a reverse proxy for,--header-for-ip
can be used to specify a header like "X-Forwarded-For" to be used for logging the ip.Was the change discussed in an issue or in the forum before?
There was a forum question about fail2ban without an actual solution: https://forum.restic.net/t/rest-server-and-fail2ban/2569
Checklist
changelog/unreleased/
that describes the changes for our users (template here)gofmt
on the code in all commits