From abb1b05519a464564efdec2e700a3d7ca9e5d73e Mon Sep 17 00:00:00 2001 From: Christoph Roeder Date: Thu, 8 Jun 2017 13:20:45 +0200 Subject: [PATCH 1/8] do not overwrite existing htpasswd --- files/entrypoint.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/files/entrypoint.sh b/files/entrypoint.sh index ebc2c82..049b205 100755 --- a/files/entrypoint.sh +++ b/files/entrypoint.sh @@ -33,7 +33,9 @@ if [ -f /firstrun ]; then --config-override CgiAdminUsers="'${BACKUPPC_WEB_USER:-backuppc}'" # Configure WEB UI access - htpasswd -b -c /etc/backuppc/htpasswd ${BACKUPPC_WEB_USER:-backuppc} ${BACKUPPC_WEB_PASSWD:-password} + if [ ! -f /etc/backuppc/htpasswd ]; then + htpasswd -b -c /etc/backuppc/htpasswd ${BACKUPPC_WEB_USER:-backuppc} ${BACKUPPC_WEB_PASSWD:-password} + fi # Prepare lighttpd if [ "$USE_SSL" = true ]; then @@ -59,8 +61,8 @@ if [ -f /firstrun ]; then echo "host ${SMTP_HOST:-mail.example.org}" >> /etc/msmtprc echo "auto_from on" >> /etc/msmtprc if [ "${SMTP_MAIL_DOMAIN:-}" != "" ]; then - echo "maildomain ${SMTP_MAIL_DOMAIN}" >> /etc/msmtprc - fi + echo "maildomain ${SMTP_MAIL_DOMAIN}" >> /etc/msmtprc + fi # Clean rm -rf /root/BackupPC-$BACKUPPC_VERSION.tar.gz /root/BackupPC-$BACKUPPC_VERSION /firstrun From 7b994d5fefb81bb0dceca5c93a730614225bbd8e Mon Sep 17 00:00:00 2001 From: Christoph Roeder Date: Thu, 8 Jun 2017 14:50:09 +0200 Subject: [PATCH 2/8] keep htpasswd if no env vars given and create a new one when not exist --- files/entrypoint.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/files/entrypoint.sh b/files/entrypoint.sh index 049b205..ea53f8e 100755 --- a/files/entrypoint.sh +++ b/files/entrypoint.sh 
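Review bot: The guarded `htpasswd -b -c` call in the first hunk still falls back to the well-known pair `backuppc` / `password` when `BACKUPPC_WEB_PASSWD` is unset, and with the new `[ ! -f /etc/backuppc/htpasswd ]` guard that default entry now survives every later start on a persisted volume. Consider refusing to create the file without an explicit password, e.g. `: "${BACKUPPC_WEB_PASSWD:?set BACKUPPC_WEB_PASSWD before first start}"`, or at least print a warning to stderr when the default is used. `-b` also places the password on the htpasswd command line, where it shows up in the process list; where the installed htpasswd supports it, `-i` reads the password from stdin instead. The enclosing `if [ -f /firstrun ]` block starts and ends outside the hunk.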
@@ -34,7 +34,11 @@ if [ -f /firstrun ]; then # Configure WEB UI access if [ ! -f /etc/backuppc/htpasswd ]; then - htpasswd -b -c /etc/backuppc/htpasswd ${BACKUPPC_WEB_USER:-backuppc} ${BACKUPPC_WEB_PASSWD:-password} + htpasswd -b -c /etc/backuppc/htpasswd "${BACKUPPC_WEB_USER:-backuppc}" "${BACKUPPC_WEB_PASSWD:-password}" + + elif [ -n "$BACKUPPC_WEB_USER" -a -n "$BACKUPPC_WEB_PASSWD" ]; then + touch /etc/backuppc/htpasswd + htpasswd -b /etc/backuppc/htpasswd "${BACKUPPC_WEB_USER}" "${BACKUPPC_WEB_PASSWD}" fi # Prepare lighttpd From 753f7c9100ba34f72e3e74520b2fa5373fd7fb14 Mon Sep 17 00:00:00 2001 From: Adrien Ferrand Date: Thu, 8 Jun 2017 17:11:10 +0200 Subject: [PATCH 3/8] Create README.md --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 9a7d47e..b4e67f3 100644 --- a/README.md +++ b/README.md @@ -94,6 +94,12 @@ docker run \ adferrand/backuppc ``` +## UI Authentication + +By default, a single user with admin rights is created during the first start of the container. Its username is *backuppc* and its password is *password*. You can modify this by setting the environment variables `BACKUPPC_WEB_USER (default backuppc)` and `BACKUPPC_WEB_PASSWD (default password)` when creating the container. + +This admin user can be modified on an existing container by modifying the relevant environment variables, then re-creating the container. However please note that if you modify the username, you will need to manually remove the old username from the file `/etc/backuppc/htpasswd` in the container after its re-creation. + ## UI SSL encryption By default, BackupPC Admin Web UI is exposed on the non secured HTTP protocol. Two advised ways to secure this are proposed. From 9874f3cd6f7907f72ca05449c0627ec64a9b7b4a Mon Sep 17 00:00:00 2001 From: Adrien Ferrand Date: Thu, 8 Jun 2017 17:18:27 +0200 Subject: [PATCH 4/8] Create README.md --- README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) 
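Review bot: The new `elif` test reads `$BACKUPPC_WEB_USER` and `$BACKUPPC_WEB_PASSWD` bare and joins them with `-a`; if the script runs under `set -u` (not visible in this hunk) an unset variable aborts the entrypoint, and `-a` is marked obsolescent in POSIX `test`. `elif [ -n "${BACKUPPC_WEB_USER:-}" ] && [ -n "${BACKUPPC_WEB_PASSWD:-}" ]; then` would match the `${SMTP_MAIL_DOMAIN:-}` style used in the msmtprc section of the same file. The `touch` is redundant, because this branch is only reached when the file already exists. Since `htpasswd -b` without `-c` only adds or updates the named entry, an account created earlier (possibly the default `backuppc`) keeps authenticating after a username change; a comment such as `# NOTE: old entries are kept; remove stale users from htpasswd manually` above the call would make that visible to operators.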
diff --git a/README.md b/README.md index b4e67f3..6853f6e 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,7 @@ * [Basic usage](#basic-usage) * [Data persistency](#data-persistency) * [POSIX rights](#posix-rights) +* [UI authentication/authorization](#ui-authenticationauthorization) * [UI SSL encryption](#ui-ssl-encryption) * [Self-signed certificate](#self-signed-certificate) * [Advanced SSL use](#advanced-ssl-use) 
@@ -94,11 +95,13 @@ docker run \ adferrand/backuppc ``` -## UI Authentication +## UI authentication/authorization -By default, a single user with admin rights is created during the first start of the container. Its username is *backuppc* and its password is *password*. You can modify this by setting the environment variables `BACKUPPC_WEB_USER (default backuppc)` and `BACKUPPC_WEB_PASSWD (default password)` when creating the container. +By default, a single user with admin rights is created during the first start of the container. Its username is *backuppc* and its password is *password*. The credentials are stored in the file `/etc/backuppc/htpasswd` to allow the embedded lighttpd server to handle Basic Authentication, and the Backuppc config variable `$Conf{CgiAdminUsers}` is setted to this username to instruct Backuppc to give it admin rights. -This admin user can be modified on an existing container by modifying the relevant environment variables, then re-creating the container. However please note that if you modify the username, you will need to manually remove the old username from the file `/etc/backuppc/htpasswd` in the container after its re-creation. +You can modify the admin user credentials by setting the environment variables `BACKUPPC_WEB_USER (default backuppc)` and `BACKUPPC_WEB_PASSWD (default password)` when creating the container. + +The admin user credentials can be modified on an existing container by modifying the relevant environment variables, then re-creating the container. However please note that if you modify the username, you will need to manually remove the old username from the file `/etc/backuppc/htpasswd` in the container after its re-creation. ## UI SSL encryption From 7483c2a615e36bc53f525bef059b4f932fa6d6dd Mon Sep 17 00:00:00 2001 
From: Christoph Roeder Date: Thu, 8 Jun 2017 17:52:12 +0200 Subject: [PATCH 5/8] override CgiAdminUsers only for new installations or env vars set env vars BACKUPPC_WEB_USER and BACKUPPC_WEB_PASSWD must be set --- files/entrypoint.sh | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/files/entrypoint.sh b/files/entrypoint.sh index ea53f8e..3269b85 100755 --- a/files/entrypoint.sh +++ b/files/entrypoint.sh @@ -20,6 +20,20 @@ if [ -f /firstrun ]; then tar xf BackupPC-$BACKUPPC_VERSION.tar.gz cd /root/BackupPC-$BACKUPPC_VERSION + # Configure WEB UI access + configure_admin="" + if [ ! -f /etc/backuppc/htpasswd ]; then + htpasswd -b -c /etc/backuppc/htpasswd "${BACKUPPC_WEB_USER:-backuppc}" "${BACKUPPC_WEB_PASSWD:-password}" + + configure_admin="--config-override CgiAdminUsers='${BACKUPPC_WEB_USER:-backuppc}'" + + elif [ -n "$BACKUPPC_WEB_USER" -a -n "$BACKUPPC_WEB_PASSWD" ]; then + touch /etc/backuppc/htpasswd + htpasswd -b /etc/backuppc/htpasswd "${BACKUPPC_WEB_USER}" "${BACKUPPC_WEB_PASSWD}" + + configure_admin="--config-override CgiAdminUsers='$BACKUPPC_WEB_USER'" + fi + # Install BackupPC (existing configuration will be reused and upgraded) perl configure.pl \ --batch \ @@ -30,16 +44,7 @@ if [ -f /firstrun ]; then --html-dir /var/www/html/BackupPC \ --html-dir-url /BackupPC \ --install-dir /usr/local/BackupPC \ - --config-override CgiAdminUsers="'${BACKUPPC_WEB_USER:-backuppc}'" - - # Configure WEB UI access - if [ ! -f /etc/backuppc/htpasswd ]; then - htpasswd -b -c /etc/backuppc/htpasswd "${BACKUPPC_WEB_USER:-backuppc}" "${BACKUPPC_WEB_PASSWD:-password}" - - elif [ -n "$BACKUPPC_WEB_USER" -a -n "$BACKUPPC_WEB_PASSWD" ]; then - touch /etc/backuppc/htpasswd - htpasswd -b /etc/backuppc/htpasswd "${BACKUPPC_WEB_USER}" "${BACKUPPC_WEB_PASSWD}" - fi + $configure_admin # Prepare lighttpd if [ "$USE_SSL" = true ]; then From e502d5b46efdddacdd874d9c4ffc07afd4f452b8 Mon Sep 17 00:00:00 2001 
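Review bot: `configure_admin` is built as a single string with embedded quotes in the first hunk and expanded unquoted as `$configure_admin` in the second, so the username is word-split and glob-expanded before it reaches `perl configure.pl`, and the literal `'…'` around it only holds while the name itself contains no quote. A name with whitespace would become extra arguments, and, assuming configure.pl treats the override value as a Perl literal, a quote in it would change what ends up in the config. Validate the name once before either use, for example `case "${BACKUPPC_WEB_USER:-backuppc}" in *[!A-Za-z0-9_.-]*) echo "invalid BACKUPPC_WEB_USER" >&2; exit 1;; esac`, placed above the `htpasswd` calls. The enclosing `if [ -f /firstrun ]` block extends beyond both hunks.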
From: Adrien Ferrand Date: Thu, 8 Jun 2017 21:08:28 +0200 Subject: [PATCH 6/8] Version 4.1.3-2, with updated documentation about authentication. --- README.md | 30 +++++++++++++++++++++++++++++- VERSION | 2 +- files/entrypoint.sh | 3 --- 3 files changed, 30 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 6853f6e..2ece234 100644 --- a/README.md +++ b/README.md 
@@ -97,12 +97,40 @@ docker run \ ## UI authentication/authorization -By default, a single user with admin rights is created during the first start of the container. Its username is *backuppc* and its password is *password*. The credentials are stored in the file `/etc/backuppc/htpasswd` to allow the embedded lighttpd server to handle Basic Authentication, and the Backuppc config variable `$Conf{CgiAdminUsers}` is setted to this username to instruct Backuppc to give it admin rights. +By default, a single user with admin rights is created during the first start of the container. Its username is *backuppc* and its password is *password*. The credentials are stored in the file `/etc/backuppc/htpasswd` to allow the embedded lighttpd server to handle Basic Authentication, and the Backuppc config variable `$Conf{CgiAdminUsers}` is setted to this username to instruct BackupPC to give it admin rights. You can modify the admin user credentials by setting the environment variables `BACKUPPC_WEB_USER (default backuppc)` and `BACKUPPC_WEB_PASSWD (default password)` when creating the container. The admin user credentials can be modified on an existing container by modifying the relevant environment variables, then re-creating the container. However please note that if you modify the username, you will need to manually remove the old username from the file `/etc/backuppc/htpasswd` in the container after its re-creation. +### Advanced UI authentication/authorization + +One may need more advanced authentication/authorization on Backuppc Web UI, for instance several *normal* users allowing operations on backups, and an *admin* user to parameterize BackupPC. + +In theses cases, authentication and admin granting must be configured manually. +* Authentication is configured by providing credentials in the file `/etc/backuppc/htpasswd` of the container. You should use Apache `htpasswd` utility to fill it. 
+* All authenticated users are considered as *normal* users if not telling otherwise. Add a username in the `$Conf{CgiAdminUsers}` variable of `/etc/backuppc/config.pl` file to grant this user admin rights. +* Then default admin user creation is not needed : unset environment variables `BACKUPPC_WEB_USER` and `BACKUPPC_WEB_PASSWD` to avoid adding an additional user in the `htpasswd` file, and reconfigure admin rights in `config.pl`. + +For instance, with two *normal* users `user1` and `user2` + one *admin* user `admin`, you can do the following steps on the host. It is assumed that `/etc/backuppc` is mounted on `/var/docker-data/backuppc/etc` on the host and Apache `htpasswd` utility is installed on it. + +```bash +htpasswd -b -c /var/docker-data/backuppc/etc/htpasswd admin admin_password +htpasswd -b /var/docker-data/backuppc/etc/htpasswd user1 user1_password +htpasswd -b /var/docker-data/backuppc/etc/htpasswd user2 user2_password +sed -ie "s/^\$Conf{CgiAdminUsers}\s*=\s*'\w*'/\$Conf{CgiAdminUsers} = 'admin'/g" /var/docker-data/backuppc/etc/config.pl + +docker run \ + --name backuppc \ + --publish 80:8080 \ + --volume /var/docker-data/backuppc/etc:/etc/backuppc \ + --volume /var/docker-data/backuppc/home:/home/backuppc \ + --volume /var/docker-data/backuppc/data:/data/backuppc \ + adferrand/backuppc +``` + +Please note that Basic Authentication is still done unencrypted on HTTP port. See [UI SSL encryption](#ui-ssl-encryption) to secure the authentication. + ## UI SSL encryption By default, BackupPC Admin Web UI is exposed on the non secured HTTP protocol. Two advised ways to secure this are proposed. diff --git a/VERSION b/VERSION index 2325db4..2c24d54 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -4.1.3-1 +4.1.3-2 diff --git a/files/entrypoint.sh b/files/entrypoint.sh index 3269b85..cc80440 100755 --- a/files/entrypoint.sh +++ b/files/entrypoint.sh 
@@ -24,13 +24,10 @@ if [ -f /firstrun ]; then configure_admin="" if [ ! -f /etc/backuppc/htpasswd ]; then htpasswd -b -c /etc/backuppc/htpasswd "${BACKUPPC_WEB_USER:-backuppc}" "${BACKUPPC_WEB_PASSWD:-password}" - configure_admin="--config-override CgiAdminUsers='${BACKUPPC_WEB_USER:-backuppc}'" - elif [ -n "$BACKUPPC_WEB_USER" -a -n "$BACKUPPC_WEB_PASSWD" ]; then touch /etc/backuppc/htpasswd htpasswd -b /etc/backuppc/htpasswd "${BACKUPPC_WEB_USER}" "${BACKUPPC_WEB_PASSWD}" - configure_admin="--config-override CgiAdminUsers='$BACKUPPC_WEB_USER'" fi From 11a440c9899018a5bf9d8ae31f6d7b7b1233073e Mon Sep 17 00:00:00 2001 From: Adrien Ferrand Date: Thu, 8 Jun 2017 21:10:37 +0200 Subject: [PATCH 7/8] Update README.md --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2ece234..042aac2 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ * [Data persistency](#data-persistency) * [POSIX rights](#posix-rights) * [UI authentication/authorization](#ui-authenticationauthorization) + * [Advanced UI authentication/authorization](#advanced-ui-authenticationauthorization) * [UI SSL encryption](#ui-ssl-encryption) * [Self-signed certificate](#self-signed-certificate) * [Advanced SSL use](#advanced-ssl-use) @@ -118,7 +119,8 @@ For instance, with two *normal* users `user1` and `user2` + one *admin* user `ad htpasswd -b -c /var/docker-data/backuppc/etc/htpasswd admin admin_password htpasswd -b /var/docker-data/backuppc/etc/htpasswd user1 user1_password htpasswd -b /var/docker-data/backuppc/etc/htpasswd user2 user2_password -sed -ie "s/^\$Conf{CgiAdminUsers}\s*=\s*'\w*'/\$Conf{CgiAdminUsers} = 'admin'/g" /var/docker-data/backuppc/etc/config.pl +sed -ie "s/^\$Conf{CgiAdminUsers}\s*=\s*'\w*'/\$Conf{CgiAdminUsers} = 'admin'/g" \ + /var/docker-data/backuppc/etc/config.pl docker run \ --name backuppc \ From 1e8caccfc09a88ea1c62153d5c0397d3e2458544 Mon Sep 17 00:00:00 2001 
From: Adrien Ferrand Date: Thu, 8 Jun 2017 21:11:08 +0200 Subject: [PATCH 8/8] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 042aac2..e9a1c3c 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # adferrand/backuppc -![](https://img.shields.io/badge/tags-4%20latest-lightgrey.svg) [![](https://images.microbadger.com/badges/version/adferrand/backuppc:4.1.3-1.svg) ![](https://images.microbadger.com/badges/image/adferrand/backuppc:4.1.3-1.svg)](https://microbadger.com/images/adferrand/backuppc:4.1.3-1) +![](https://img.shields.io/badge/tags-4%20latest-lightgrey.svg) [![](https://images.microbadger.com/badges/version/adferrand/backuppc:4.1.3-2.svg) ![](https://images.microbadger.com/badges/image/adferrand/backuppc:4.1.3-2.svg)](https://microbadger.com/images/adferrand/backuppc:4.1.3-2) ![](https://img.shields.io/badge/tags-3-lightgrey.svg) [![](https://images.microbadger.com/badges/version/adferrand/backuppc:3.3.2.svg) ![](https://images.microbadger.com/badges/image/adferrand/backuppc:3.3.2.svg)](https://microbadger.com/images/adferrand/backuppc:3.3.2) * [Introduction](#introduction)