Config+Auth: Add flags to log unauthorized requests

networkException · networkException · commit abb462762b01 · 2021-09-11T19:17:00.000+02:00
This patch adds new command line flags in order to support logging of
unauthorized requests to the server. The flag `--log-auth-failure` enables
the logging and uses the remote address of the request as the default for
the logged ip. If the server is used behind a reverse proxy for, `--header-for-ip`
can be used to specify a header like "X-Forwarded-For" to be used for logging
the ip.
diff --git a/README.md b/README.md
@@ -54,23 +54,25 @@ Usage:
   rest-server [flags]
 
 Flags:
-      --append-only          enable append only mode
-      --cpu-profile string   write CPU profile to file
-      --debug                output debug messages
-  -h, --help                 help for rest-server
-      --listen string        listen address (default ":8000")
-      --log string           log HTTP requests in the combined log format
-      --max-size int         the maximum size of the repository in bytes
-      --no-auth              disable .htpasswd authentication
-      --no-verify-upload     do not verify the integrity of uploaded data. DO NOT enable unless the rest-server runs on a very low-power device
-      --path string          data directory (default "/tmp/restic")
-      --private-repos        users can only access their private repo
-      --prometheus           enable Prometheus metrics
-      --prometheus-no-auth   disable auth for Prometheus /metrics endpoint
-      --tls                  turn on TLS support
-      --tls-cert string      TLS certificate path
-      --tls-key string       TLS key path
-  -v, --version              version for rest-server
+      --append-only            enable append only mode
+      --cpu-profile string     write CPU profile to file
+      --debug                  output debug messages
+      --header-for-ip string   use a header to obtain the ip for unauthorized request logging
+  -h, --help                   help for rest-server
+      --listen string          listen address (default ":8000")
+      --log string             log HTTP requests in the combined log format
+      --log-auth-failure       log the ip address of unauthorized requests
+      --max-size int           the maximum size of the repository in bytes
+      --no-auth                disable .htpasswd authentication
+      --no-verify-upload       do not verify the integrity of uploaded data. DO NOT enable unless the rest-server runs on a very low-power device
+      --path string            data directory (default "/tmp/restic")
+      --private-repos          users can only access their private repo
+      --prometheus             enable Prometheus metrics
+      --prometheus-no-auth     disable auth for Prometheus /metrics endpoint
+      --tls                    turn on TLS support
+      --tls-cert string        TLS certificate path
+      --tls-key string         TLS key path
+  -v, --version                version for rest-server
 ```
 
 By default the server persists backup data in `/tmp/restic`.  To start the server with a custom persistence directory and with authentication disabled:
diff --git a/changelog/unreleased/pull-167 b/changelog/unreleased/pull-167
@@ -0,0 +1,11 @@
+Feature: Logging of unauthorized requests
+
+Two new command line flags have been added in order to support logging of
+unauthorized requests to the server. The flag `--log-auth-failure` enables
+the logging and uses the remote address of the request as the default for
+the logged ip. If the server is used behind a reverse proxy for, `--header-for-ip`
+can be used to specify a header like "X-Forwarded-For" to be used for logging
+the ip.
+
+https://github.com/restic/rest-server/pull/167
+https://forum.restic.net/t/rest-server-and-fail2ban/2569
diff --git a/cmd/rest-server/main.go b/cmd/rest-server/main.go
@@ -39,6 +39,8 @@ func init() {
 	flags := cmdRoot.Flags()
 	flags.StringVar(&cpuProfile, "cpu-profile", cpuProfile, "write CPU profile to file")
 	flags.BoolVar(&server.Debug, "debug", server.Debug, "output debug messages")
+	flags.BoolVar(&server.LogAuthFailure, "log-auth-failure", server.LogAuthFailure, "log the ip address of unauthorized requests")
+	flags.StringVar(&server.HeaderForIP, "header-for-ip", server.HeaderForIP, "use a header to obtain the ip for unauthorized request logging")
 	flags.StringVar(&server.Listen, "listen", server.Listen, "listen address")
 	flags.StringVar(&server.Log, "log", server.Log, "log HTTP requests in the combined log format")
 	flags.Int64Var(&server.MaxRepoSize, "max-size", server.MaxRepoSize, "the maximum size of the repository in bytes")
diff --git a/handlers.go b/handlers.go
@@ -27,6 +27,8 @@ type Server struct {
 	Prometheus       bool
 	PrometheusNoAuth bool
 	Debug            bool
+	LogAuthFailure   bool
+	HeaderForIP      string
 	MaxRepoSize      int64
 	PanicOnError     bool
 	NoVerifyUpload   bool
diff --git a/mux.go b/mux.go
@@ -36,6 +36,14 @@ func (s *Server) checkAuth(r *http.Request) (username string, ok bool) {
 	var password string
 	username, password, ok = r.BasicAuth()
 	if !ok || !s.htpasswdFile.Validate(username, password) {
+		if s.LogAuthFailure {
+			if s.HeaderForIP != "" {
+				log.Printf("unauthorized: %s", r.Header.Get(s.HeaderForIP))
+			} else {
+				log.Printf("unauthorized: %s", r.RemoteAddr)
+			}
+		}
+
 		return "", false
 	}
 	return username, true
