From e5432fcbfb5918e5eba836b6f47c350f2419040b Mon Sep 17 00:00:00 2001
From: networkException
Date: Sat, 11 Sep 2021 17:20:14 +0200
Subject: [PATCH] Config+Auth: Add flags to log unauthorized requests

This patch adds new command line flags in order to support logging of unauthorized requests to the server. The flag `--log-auth-failure` enables the logging and uses the remote address of the request as the default for the logged ip. If the server is used behind a reverse proxy for, `--ip-header` can be used to specify a header like "X-Forwarded-For" to be used for logging the ip.
---
 README.md | 2 ++
 changelog/unreleased/pull-167 | 11 +++++++++++
 cmd/rest-server/main.go | 2 ++
 handlers.go | 2 ++
 mux.go | 8 ++++++++
 5 files changed, 25 insertions(+)
 create mode 100644 changelog/unreleased/pull-167

diff --git a/README.md b/README.md
index c527dd5a..c0186ab4 100644
--- a/README.md
+++ b/README.md
@@ -58,8 +58,10 @@ Flags:
 --cpu-profile string write CPU profile to file
 --debug output debug messages
 -h, --help help for rest-server
+ --ip-header string use a header to obtain the ip for unauthorized request logging
 --listen string listen address (default ":8000")
 --log string log HTTP requests in the combined log format
+ --log-auth-failure log the ip address of unauthorized requests
 --max-size int the maximum size of the repository in bytes
 --no-auth disable .htpasswd authentication
 --no-verify-upload do not verify the integrity of uploaded data. DO NOT enable unless the rest-server runs on a very low-power device
diff --git a/changelog/unreleased/pull-167 b/changelog/unreleased/pull-167
new file mode 100644
index 00000000..505e60b0
--- /dev/null
+++ b/changelog/unreleased/pull-167
@@ -0,0 +1,11 @@
+Feature: Logging of unauthorized requests
+
+Two new command line flags have been added in order to support logging of
+unauthorized requests to the server. The flag `--log-auth-failure` enables
+the logging and uses the remote address of the request as the default for
+the logged ip. If the server is used behind a reverse proxy for, `--header-for-ip`
+can be used to specify a header like "X-Forwarded-For" to be used for logging
+the ip.
+
+https://github.com/restic/rest-server/pull/167
+https://forum.restic.net/t/rest-server-and-fail2ban/2569
\ No newline at end of file
diff --git a/cmd/rest-server/main.go b/cmd/rest-server/main.go
index 6cd1f636..8de7ee60 100644
--- a/cmd/rest-server/main.go
+++ b/cmd/rest-server/main.go
@@ -39,6 +39,8 @@ func init() {
 flags := cmdRoot.Flags()
 flags.StringVar(&cpuProfile, "cpu-profile", cpuProfile, "write CPU profile to file")
 flags.BoolVar(&server.Debug, "debug", server.Debug, "output debug messages")
+ flags.BoolVar(&server.LogAuthFailure, "log-auth-failure", server.LogAuthFailure, "log the ip address of unauthorized requests")
+ flags.StringVar(&server.IPHeader, "ip-header", server.IPHeader, "use a header to obtain the ip for unauthorized request logging")
 flags.StringVar(&server.Listen, "listen", server.Listen, "listen address")
 flags.StringVar(&server.Log, "log", server.Log, "log HTTP requests in the combined log format")
 flags.Int64Var(&server.MaxRepoSize, "max-size", server.MaxRepoSize, "the maximum size of the repository in bytes")
diff --git a/handlers.go b/handlers.go
index 9df6adf8..27b21a43 100644
--- a/handlers.go
+++ b/handlers.go
@@ -27,6 +27,8 @@ type Server struct {
 Prometheus bool
 PrometheusNoAuth bool
 Debug bool
+ LogAuthFailure bool
+ IPHeader string
 MaxRepoSize int64
 PanicOnError bool
 NoVerifyUpload bool
diff --git a/mux.go b/mux.go
index 6b4ad4c5..993f1ff4 100644
--- a/mux.go
+++ b/mux.go
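Review bot: The help text registered for `ip-header` does not tell the operator that the header value is logged exactly as the request supplied it, so enabling the flag on a server that is not behind a header-rewriting proxy lets clients choose what gets logged; suggest `"use a header (set by a trusted reverse proxy) to obtain the ip for unauthorized request logging"`. The changelog entry in this same patch calls the flag `--header-for-ip`, while the name registered here is `ip-header`, so one of the two needs to change for the documentation to match the code. The body of init() starts and ends outside the hunk.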
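Review bot: The new exported fields `LogAuthFailure` and `IPHeader` have no doc comment, and `IPHeader` carries a contract that is not obvious from its type: its value is written to the log in place of RemoteAddr without any validation. Suggest `// LogAuthFailure logs the remote address of requests that fail authentication.` and `// IPHeader, when non-empty, names a request header whose value is logged instead of RemoteAddr; it is used as-is, so set it only behind a proxy that overwrites the header.` The `Server` struct begins and ends outside the hunk.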
@@ -36,6 +36,14 @@ func (s *Server) checkAuth(r *http.Request) (username string, ok bool) {
 var password string
 username, password, ok = r.BasicAuth()
 if !ok || !s.htpasswdFile.Validate(username, password) {
+ if s.LogAuthFailure {
+ if s.IPHeader != "" {
+ log.Printf("unauthorized: %s", r.Header.Get(s.IPHeader))
+ } else {
+ log.Printf("unauthorized: %s", r.RemoteAddr)
+ }
+ }
+
 return "", false
 }
 return username, true
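Review bot: The string passed to `log.Printf("unauthorized: %s", r.Header.Get(s.IPHeader))` comes straight from the request, so with `--ip-header` set the logged address is whatever the client or any hop before a header-rewriting proxy put there, and a request without the header logs an empty string instead of falling back to RemoteAddr. Because the changelog names fail2ban as the intended consumer of these lines, the entry should be hardened: format with `%q` so CR/LF and other control characters in the header cannot produce extra log lines, and only override `r.RemoteAddr` when the header is actually present. `r.RemoteAddr` is `host:port`, which a downstream parser will need to split. checkAuth starts before the hunk and its closing brace is outside it.
```go
	if !ok || !s.htpasswdFile.Validate(username, password) {
		if s.LogAuthFailure {
			// Start from the peer address; only the configured header, when present, overrides it.
			ip := r.RemoteAddr
			if s.IPHeader != "" {
				if v := r.Header.Get(s.IPHeader); v != "" {
					ip = v
				}
			}
			// %q escapes control characters so a crafted header cannot inject additional log lines.
			log.Printf("unauthorized: %q", ip)
		}
		// … unchanged: return "", false …
```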