Merge e5432fcbfb into d24ffc13d8

2025-10-19 15:43:21 +00:00 · 2022-04-28 17:02:09 +05:30 · 2022-04-28 17:02:09 +05:30 · ffc87dff53
commit ffc87dff53
parent d24ffc13d8 e5432fcbfb
5 changed files with 25 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -36,8 +36,10 @@ Flags:
      --cpu-profile string   write CPU profile to file
      --debug                output debug messages
  -h, --help                 help for rest-server
+      --ip-header string     use a header to obtain the ip for unauthorized request logging
      --listen string        listen address (default ":8000")
      --log string           log HTTP requests in the combined log format
+      --log-auth-failure     log the ip address of unauthorized requests
      --max-size int         the maximum size of the repository in bytes
      --no-auth              disable .htpasswd authentication
      --no-verify-upload     do not verify the integrity of uploaded data. DO NOT enable unless the rest-server runs on a very low-power device
--- a/changelog/unreleased/pull-167
+++ b/changelog/unreleased/pull-167
@ -0,0 +1,11 @@
+Feature: Logging of unauthorized requests
+
+Two new command line flags have been added in order to support logging of
+unauthorized requests to the server. The flag `--log-auth-failure` enables
+the logging and uses the remote address of the request as the default for
+the logged ip. If the server is used behind a reverse proxy for, `--header-for-ip`
+can be used to specify a header like "X-Forwarded-For" to be used for logging
+the ip.
+
+https://github.com/restic/rest-server/pull/167
+https://forum.restic.net/t/rest-server-and-fail2ban/2569
--- a/cmd/rest-server/main.go
+++ b/cmd/rest-server/main.go
@ -39,6 +39,8 @@ func init() {
 	flags := cmdRoot.Flags()
 	flags.StringVar(&cpuProfile, "cpu-profile", cpuProfile, "write CPU profile to file")
 	flags.BoolVar(&server.Debug, "debug", server.Debug, "output debug messages")
+	flags.BoolVar(&server.LogAuthFailure, "log-auth-failure", server.LogAuthFailure, "log the ip address of unauthorized requests")
+	flags.StringVar(&server.IPHeader, "ip-header", server.IPHeader, "use a header to obtain the ip for unauthorized request logging")
 	flags.StringVar(&server.Listen, "listen", server.Listen, "listen address")
 	flags.StringVar(&server.Log, "log", server.Log, "write HTTP requests in the combined log format to the specified `filename`")
 	flags.Int64Var(&server.MaxRepoSize, "max-size", server.MaxRepoSize, "the maximum size of the repository in bytes")
--- a/handlers.go
+++ b/handlers.go
@ -27,6 +27,8 @@ type Server struct {
 	Prometheus       bool
 	PrometheusNoAuth bool
 	Debug            bool
+	LogAuthFailure   bool
+	IPHeader         string
 	MaxRepoSize      int64
 	PanicOnError     bool
 	NoVerifyUpload   bool
--- a/mux.go
+++ b/mux.go
@ -36,6 +36,14 @@ func (s *Server) checkAuth(r *http.Request) (username string, ok bool) {
 	var password string
 	username, password, ok = r.BasicAuth()
 	if !ok || !s.htpasswdFile.Validate(username, password) {
+		if s.LogAuthFailure {
+			if s.IPHeader != "" {
+				log.Printf("unauthorized: %s", r.Header.Get(s.IPHeader))
+			} else {
+				log.Printf("unauthorized: %s", r.RemoteAddr)
+			}
+		}
+
 		return "", false
 	}
 	return username, true