restic / rest-server

Rest Server is a high performance HTTP server that implements restic's REST backend API.
BSD 2-Clause "Simplified" License
978 stars 143 forks source link

Config+Auth: Add flags to log unauthorized requests #167

Open networkException opened 3 years ago

networkException commented 3 years ago

What is the purpose of this change? What does it change?

Currently it is not possible to integrate rest-server into a service like fail2ban which prevents brute force login attempts.

This pull request adds new command line flags in order to support logging of unauthorized requests to the server. The flag --log-auth-failure enables the logging and uses the remote address of the request as the default for the logged ip. If the server is used behind a reverse proxy for, --header-for-ip can be used to specify a header like "X-Forwarded-For" to be used for logging the ip.

Was the change discussed in an issue or in the forum before?

There was a forum question about fail2ban without an actual solution: https://forum.restic.net/t/rest-server-and-fail2ban/2569

Checklist

rawtaz commented 3 years ago

Thanks for your contribution. I'm however thinking that instead of having a separate flag to turn this feature on, it's better with sane defaults and if needed a way to specify different verbosity in the regular log. The latter could also be used for other things, and we already use that type of thing in restic (the --verbose option). In other words, instead of adding flags for every thing we want loggable, better to put them in the right verbosity level and use that.

It's unfortunate that we're using -v for --version, it would be better if --version would be its own command instead, like in restic, as opposed to an option. This can be changed though, it's not like a ton of people are depending on the -v option..

I'm also pondering if the --header-for-ip shouldn't be renamed --ip-header or possibly --header-ip.

networkException commented 3 years ago

I'm not familiar enough with the codebase to refactor the whole logging system to respond to verbosity levels I fear.

As for the flag --ip-header sounds alright, I will change that

mozlima commented 1 month ago

By default, log at least the '401 Unauthorized' error so that we can take automatic action on the server. Currently, there is no way to do this, and it poses a security risk.