You can start the server with the following command:
rustic-server serveBy default the server persists backup data in the OS temporary directory
(/tmp/rustic on Linux/BSD and others, in %TEMP%\\rustic in Windows, etc).
If rustic-server is launched using the default path, all backups will be
lost. To start the server with a custom persistence directory and with
authentication disabled:
rustic-server --path /user/home/backup --no-authrustic-server uses exactly the same directory structure as local backend, so
you should be able to access it both locally and via HTTP, even simultaneously.
To authenticate users (for access to the rustic-server), the server supports
using a .htpasswd file to specify users. By default, the server looks for this
file at the root of the persistence directory, but this can be changed using the
--htpasswd-file option. You can create such a file by executing the following
command (note that you need the htpasswd program from Apache's http-tools). In
order to append new user to the file, just omit the -c argument. Only bcrypt
and SHA encryption methods are supported, so use -B (very secure) or -s
(insecure by today's standards) when adding/changing passwords.
htpasswd -B -c .htpasswd usernameIf you want to disable authentication, you must add the --no-auth flag. If
this flag is not specified and the .htpasswd cannot be opened, rustic-server
will refuse to start.
By default the server uses HTTP protocol. This is not very secure since with
Basic Authentication, user name and passwords will be sent in clear text in
every request. In order to enable TLS support just add the --tls argument and
specify private and public keys by --tls-cert and --tls-key.
Signed certificate is normally required by restic and rustic, but if you
just want to test the feature you can generate password-less unsigned keys with
the following command:
openssl req -newkey rsa:2048 -nodes -x509 -keyout private_key -out public_key -days 365 -addext "subjectAltName = IP:127.0.0.1,DNS:yourdomain.com"Omit the IP:127.0.0.1 if you don't need your server be accessed via SSH
Tunnels. No need to change default values in the openssl dialog, hitting enter
every time is sufficient.
To access this server via restic use --cacert public_key, meaning with a
self-signed certificate you have to distribute your public_key file to every
restic client.
To prevent your users from accessing each others' repositories, you may use the
--private-repos flag in combination with an ACL file.
This server supports ACLs to restrict access to repositories. The ACL file is
formatted in TOML and can be specified using the --acl-path option. More
information about the ACL file format can be found in the acl.toml file in the
config directory. If the ACL file is not specified, the server will allow all
users to access all repositories.
For example, user "foo" using the repository URLs
rest:https://foo:pass@host:8000/foo or rest:https://foo:pass@host:8000/foo/
would be granted access, but the same user using repository URLs
rest:https://foo:pass@host:8000/ or rest:https://foo:pass@host:8000/foobar/
would be denied access. Users can also create their own sub repositories, like
/foo/bar/.
The --append-only mode allows creation of new backups but prevents deletion
and modification of existing backups. This can be useful when backing up systems
that have a potential of being hacked.
This project is based on the rest-server project by restic. This document is based on the README.md of the rest-server project.