computer:ubuntu:restic-backup-docker-hermes

Differences

This shows you the differences between two versions of the page.

computer:ubuntu:restic-backup-docker-hermes [2024/03/01 19:35] – [Service-Unitfile anlegen] spring
computer:ubuntu:restic-backup-docker-hermes [2024/12/15 09:13] (current) – [Restic Backup im Netzwerk] spring
Line 1: Line 1:
 ====== Restic Backup im Netzwerk ====== ====== Restic Backup im Netzwerk ======
-Übersicht über alle Backups: ''http://resticinfo.local''+Übersicht über alle Backups: ''http://resticinfo.spring.private'' 
 + 
 +Idee aus perplexity: 
 + 
 +To protect access to Traefik services from the internet using basic authentication while leaving intranet access unprotected, you can use a combination of Traefik's IPWhiteList middleware and BasicAuth middleware. Here's how to set it up: 
 +Configuration Steps 
 + 
 +    Create a BasicAuth middleware for external access: 
 + 
 +text 
 +<code> 
 +http: 
 +  middlewares: 
 +    basic-auth: 
 +      basicAuth: 
 +        users: 
 +          - "admin:$apr1$h9OxLeY20/5uiXjfPgdRxuFlrfqBf2QifYDgrwsR6rAEgX3/dpOGq" 
 +</code> 
 +    Create an IPWhiteList middleware for internal access: 
 + 
 +text 
 +<code> 
 +http: 
 +  middlewares: 
 +    internal-whitelist: 
 +      ipWhiteList: 
 +        sourceRange: 
 +          - "192.168.0.0/16" 
 +          - "10.0.0.0/8" 
 +          - "172.16.0.0/12" 
 +</code> 
 +    Set up a middleware chain combining both: 
 + 
 +text 
 +<code> 
 +http: 
 +  middlewares: 
 +    secure-chain: 
 +      chain: 
 +        middlewares: 
 +          - internal-whitelist 
 +          - basic-auth 
 +</code> 
 +    Apply the middleware chain to your router: 
 + 
 +text 
 +<code> 
 +http: 
 +  routers: 
 +    my-service: 
 +      rule: "Host(`example.com`)" 
 +      service: "my-service" 
 +      middlewares: 
 +        - secure-chain 
 +</code> 
 +This configuration will allow unrestricted access from the specified internal IP ranges while requiring basic authentication for external access2 
 +
 +
 +Additional Considerations 
 + 
 +    Ensure you replace the example BasicAuth credentials with your own securely hashed passwords1 
 +    5 
 +    . 
 +    Adjust the IP ranges in the IPWhiteList middleware to match your internal network configuration4 
 +    . 
 +    For enhanced security, consider using more robust authentication methods like Authelia or Authentik for external access6 
 +    . 
 + 
 +By implementing this setup, you can effectively protect your Traefik services from unauthorized external access while maintaining convenient internal access within your network. 
 +can the name "basic-auth" in this example be modified or is it fixed? 
 +Sources 
 +Answer 
 +The name "basic-auth" in the example can be modified. It is not a fixed name, but rather a custom identifier for the middleware you're creating1 
 +
 +. You can choose any name you prefer for your middleware, as long as it follows Traefik's naming conventions. For example, you could use names like "my-auth", "custom-basic-auth", or "secure-access"
 +
 +. When defining a middleware, you typically use a structure like: 
 +<code> 
 +text 
 +http: 
 +  middlewares: 
 +    your-chosen-name: 
 +      basicAuth: 
 +        # configuration details 
 +</code> 
 +Just remember to reference the middleware using the name you've chosen when applying it to your routers or services2 
 +
 + 
 +The general format for defining a router in Traefik labels is: 
 + 
 +text 
 +- "traefik.http.routers.<router-name>.rule=<your-rule>" 
 + 
 +Where <router-name> is a custom identifier you choose for your router, and <your-rule> is the routing rule you want to apply. 
 + 
 ===== Restic Server auf hermes ===== ===== Restic Server auf hermes =====
  
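Review bot: the `secure-chain` middleware in the pasted Traefik snippet does not do what the sentence below it claims. A `chain` runs its middlewares in order and every one of them must pass, so `internal-whitelist` answers 403 to any client outside the listed ranges before `basic-auth` is ever consulted, and clients inside the ranges are still prompted for credentials: the result is "LAN only, and still with basic auth", not "LAN open, internet behind basic auth". Traefik has no OR between middlewares; the intended split needs two routers for the same host with different priorities, for example

- "traefik.http.routers.restic-lan.rule=Host(`restic.meine.domain`) && ClientIP(`192.168.0.0/16`)"
- "traefik.http.routers.restic-lan.priority=20"

as the unauthenticated internal router, plus a lower-priority router with the basic-auth middleware as the fallback for everyone else. Two smaller points: the users entry `admin:$apr1$h9OxLeY20/...` is not a well-formed htpasswd hash (an APR1 entry is `$apr1$<salt>$<hash>` with a third `$`), so generate a real one with `htpasswd -nB admin` and double every `$` if it ends up in docker-compose labels; and `ipWhiteList` is renamed `ipAllowList` in Traefik v3. Whichever variant is used, the source-IP check is only meaningful when Traefik sees the real client address (no upstream proxy, or `forwardedHeaders.trustedIPs` set on the entrypoint); otherwise X-Forwarded-For is attacker-controlled.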
Line 20: Line 115:
 After=network-online.target  After=network-online.target 
 Wants=network-online.service Wants=network-online.service
 +StartLimitIntervalSec=6000
 +StartLimitBurst=30
  
 [Service] [Service]
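Review bot: the context line `Wants=network-online.service` names a unit that does not exist; the dependency has to be `network-online.target`, matching the `After=` line directly above it. As written, nothing pulls the target in, so the `After=` ordering has nothing to wait for and the backup can start before the network is up. The new `StartLimitIntervalSec=6000` / `StartLimitBurst=30` are correctly placed in [Unit] for systemd 230 and later; run `systemctl daemon-reload` and `systemd-analyze verify restic-backup.service` to surface the unresolved `Wants=` and any other unit problems.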
Line 25: Line 122:
 ExecStart=/usr/bin/restic backup --host $HOST --verbose --one-file-system --tag systemd.timer $BACKUP_EXCLUDES $BACKUP_PATHS ExecStart=/usr/bin/restic backup --host $HOST --verbose --one-file-system --tag systemd.timer $BACKUP_EXCLUDES $BACKUP_PATHS
 EnvironmentFile=/root/restic-backup.conf EnvironmentFile=/root/restic-backup.conf
 +Restart=on-failure
 +RestartSec=60
  
 [Install] [Install]
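Review bot: `Restart=on-failure` retries on any non-zero exit, and restic's `backup` exits with status 3 when it could merely not read some source files (the snapshot is still created), so a single unreadable file triggers up to 30 re-runs of the whole backup at `RestartSec=60`, roughly once a minute for half an hour, until the start limit from the [Unit] section stops it; add `SuccessExitStatus=3` if partial snapshots are acceptable, so only real failures are retried. Also check that the unit's `Type=` (not visible in this hunk) accepts `Restart=`: older systemd releases refuse any `Restart=` other than `no` on `Type=oneshot` units, which is the usual type for a timer-driven job, and `systemd-analyze verify` reports that. The `EnvironmentFile=/root/restic-backup.conf` presumably carries the repository password; keep it owned by root with mode 0600.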
Line 47: Line 146:
  
 ==== Timer anlegen ==== ==== Timer anlegen ====
-sudo systemctl edit --force --full restic-backup.timer+<code>sudo systemctl edit --force --full restic-backup.timer</code>
 <file bash>[Unit] <file bash>[Unit]
 Description=Backup with restic daily Description=Backup with restic daily
Line 301: Line 400:
         - "traefik.enable=true"         - "traefik.enable=true"
         - "traefik.docker.network=proxy"         - "traefik.docker.network=proxy"
-        - "traefik.http.routers.restic-rest.rule=Host(`restic.hermes.markus-spring.info`)" +        - "traefik.http.routers.restic-rest.rule=Host(`restic.meine.domain`)" 
         - "traefik.http.routers.restic-rest.entrypoints=https"         - "traefik.http.routers.restic-rest.entrypoints=https"
         - "traefik.http.routers.restic-rest.tls=true"         - "traefik.http.routers.restic-rest.tls=true"
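Review bot: the router carries no middleware, so every request for `restic.meine.domain` on the `https` entrypoint is handed straight to rest-server; the only authentication is then rest-server's own `.htpasswd`, so confirm the container is not started with `--no-auth`, and run it with `--append-only` so a compromised backup client cannot delete or prune the snapshots it wrote. If the service is meant to be reachable from the LAN only, an `ipAllowList`/`ipWhiteList` middleware or a `ClientIP()` clause in this router's rule is the place for that, not a chain defined elsewhere on the page. On the placeholder itself: `meine.domain` is not a reserved name, so prefer an RFC 2606 name such as `restic.example.com` (or `.home.arpa` for internal hosts) so a copied label can never match a real host.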
Line 314: Line 413:
  
 Test auf dem netcup-Server Test auf dem netcup-Server
-  export RESTIC_REPOSITORY="rest:https://user:passwort@restic.hermes.markus-spring.info"+  export RESTIC_REPOSITORY="rest:https://user:passwort@restic.meine.domain"
   restic -v snapshots   restic -v snapshots
   restic -v --exclude-file=/root/restic-exclude.txt backup /home/springm   restic -v --exclude-file=/root/restic-exclude.txt backup /home/springm
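Review bot: `export RESTIC_REPOSITORY="rest:https://user:passwort@restic.meine.domain"` puts the rest-server credentials into the shell history and into the environment of every child process of that shell, and a password containing `@`, `/` or `:` must be URL-encoded or the URL is parsed wrongly. With restic 0.16 or newer pass them separately via `RESTIC_REST_USERNAME` and `RESTIC_REST_PASSWORD`, and keep those together with `RESTIC_PASSWORD` (needed by both commands shown here but not set anywhere in the hunk) in a root-only file that is sourced, rather than typed at the prompt. Note also that the two commands run as root and back up `/home/springm` with the exclude list, so a successful `restic -v snapshots` proves reachability and credentials, not that the exclude file is honoured; compare `restic snapshots --latest 1` with `restic ls latest` once after the first run.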
  • computer/ubuntu/restic-backup-docker-hermes.1709321707.txt.gz
  • Last modified: 2024/03/01 19:35
  • by spring