Merge branch 'master' into 4

README.md

@@ -1,5 +1,5 @@
 # adferrand/backuppc 
-![](https://img.shields.io/badge/tags-4%20latest-lightgrey.svg) [![](https://images.microbadger.com/badges/version/adferrand/backuppc:4.1.3-1.svg) ![](https://images.microbadger.com/badges/image/adferrand/backuppc:4.1.3-1.svg)](https://microbadger.com/images/adferrand/backuppc:4.1.3-1)  
+![](https://img.shields.io/badge/tags-4%20latest-lightgrey.svg) [![](https://images.microbadger.com/badges/version/adferrand/backuppc:4.1.3-2.svg) ![](https://images.microbadger.com/badges/image/adferrand/backuppc:4.1.3-2.svg)](https://microbadger.com/images/adferrand/backuppc:4.1.3-2)  
 ![](https://img.shields.io/badge/tags-3-lightgrey.svg) [![](https://images.microbadger.com/badges/version/adferrand/backuppc:3.3.2.svg) ![](https://images.microbadger.com/badges/image/adferrand/backuppc:3.3.2.svg)](https://microbadger.com/images/adferrand/backuppc:3.3.2)
 
 * [Introduction](#introduction)
@@ -7,6 +7,8 @@
 * [Basic usage](#basic-usage)
 * [Data persistency](#data-persistency)
 	* [POSIX rights](#posix-rights)
+* [UI authentication/authorization](#ui-authenticationauthorization)
+	* [Advanced UI authentication/authorization](#advanced-ui-authenticationauthorization)
 * [UI SSL encryption](#ui-ssl-encryption)
 	* [Self-signed certificate](#self-signed-certificate)
 	* [Advanced SSL use](#advanced-ssl-use)
@@ -94,6 +96,43 @@ docker run \
     adferrand/backuppc  
 ```
 
+## UI authentication/authorization
+
+By default, a single user with admin rights is created during the first start of the container. Its username is *backuppc* and its password is *password*. The credentials are stored in the file `/etc/backuppc/htpasswd` to allow the embedded lighttpd server to handle Basic Authentication, and the Backuppc config variable `$Conf{CgiAdminUsers}` is setted to this username to instruct BackupPC to give it admin rights. 
+
+You can modify the admin user credentials by setting the environment variables `BACKUPPC_WEB_USER (default backuppc)` and `BACKUPPC_WEB_PASSWD (default password)` when creating the container.
+
+The admin user credentials can be modified on an existing container by modifying the relevant environment variables, then re-creating the container. However please note that if you modify the username, you will need to manually remove the old username from the file `/etc/backuppc/htpasswd` in the container after its re-creation.
+
+### Advanced UI authentication/authorization
+
+One may need more advanced authentication/authorization on Backuppc Web UI, for instance several *normal* users allowing operations on backups, and an *admin* user to parameterize BackupPC.
+
+In theses cases, authentication and admin granting must be configured manually.
+* Authentication is configured by providing credentials in the file `/etc/backuppc/htpasswd` of the container. You should use Apache `htpasswd` utility to fill it.
+* All authenticated users are considered as *normal* users if not telling otherwise. Add a username in the `$Conf{CgiAdminUsers}` variable of `/etc/backuppc/config.pl` file to grant this user admin rights.
+* Then default admin user creation is not needed : unset environment variables `BACKUPPC_WEB_USER` and `BACKUPPC_WEB_PASSWD` to avoid adding an additional user in the `htpasswd` file, and reconfigure admin rights in `config.pl`.
+
+For instance, with two *normal* users `user1` and `user2` + one *admin* user `admin`, you can do the following steps on the host. It is assumed that `/etc/backuppc` is mounted on `/var/docker-data/backuppc/etc` on the host and Apache `htpasswd` utility is installed on it.
+
+```bash
+htpasswd -b -c /var/docker-data/backuppc/etc/htpasswd admin admin_password
+htpasswd -b /var/docker-data/backuppc/etc/htpasswd user1 user1_password
+htpasswd -b /var/docker-data/backuppc/etc/htpasswd user2 user2_password
+sed -ie "s/^\$Conf{CgiAdminUsers}\s*=\s*'\w*'/\$Conf{CgiAdminUsers} = 'admin'/g" \
+    /var/docker-data/backuppc/etc/config.pl
+
+docker run \
+    --name backuppc \
+    --publish 80:8080 \
+    --volume /var/docker-data/backuppc/etc:/etc/backuppc \
+    --volume /var/docker-data/backuppc/home:/home/backuppc \
+    --volume /var/docker-data/backuppc/data:/data/backuppc \
+    adferrand/backuppc  
+```
+
+Please note that Basic Authentication is still done unencrypted on HTTP port. See [UI SSL encryption](#ui-ssl-encryption) to secure the authentication.
+
 ## UI SSL encryption
 
 By default, BackupPC Admin Web UI is exposed on the non secured HTTP protocol. Two advised ways to secure this are proposed.

VERSION

@@ -1 +1 @@
-4.1.3-1
+4.1.3-2

files/entrypoint.sh

@@ -20,6 +20,17 @@ if [ -f /firstrun ]; then
 	tar xf BackupPC-$BACKUPPC_VERSION.tar.gz
 	cd /root/BackupPC-$BACKUPPC_VERSION
 
+	# Configure WEB UI access
+	configure_admin=""
+	if [ ! -f /etc/backuppc/htpasswd ]; then
+		htpasswd -b -c /etc/backuppc/htpasswd "${BACKUPPC_WEB_USER:-backuppc}" "${BACKUPPC_WEB_PASSWD:-password}"
+		configure_admin="--config-override CgiAdminUsers='${BACKUPPC_WEB_USER:-backuppc}'"
+	elif [ -n "$BACKUPPC_WEB_USER" -a -n "$BACKUPPC_WEB_PASSWD" ]; then
+		touch /etc/backuppc/htpasswd
+		htpasswd -b /etc/backuppc/htpasswd "${BACKUPPC_WEB_USER}" "${BACKUPPC_WEB_PASSWD}"
+		configure_admin="--config-override CgiAdminUsers='$BACKUPPC_WEB_USER'"
+	fi
+
 	# Install BackupPC (existing configuration will be reused and upgraded)
 	perl configure.pl \
 		--batch \
@@ -30,10 +41,7 @@ if [ -f /firstrun ]; then
 		--html-dir /var/www/html/BackupPC \
 		--html-dir-url /BackupPC \
 		--install-dir /usr/local/BackupPC \
-		--config-override CgiAdminUsers="'${BACKUPPC_WEB_USER:-backuppc}'"
-
-	# Configure WEB UI access
-	htpasswd -b -c /etc/backuppc/htpasswd ${BACKUPPC_WEB_USER:-backuppc} ${BACKUPPC_WEB_PASSWD:-password}
+		$configure_admin
 
 	# Prepare lighttpd
 	if [ "$USE_SSL" = true ]; then