restic · networkException · Sep 11, 2021
diff --git a/README.md b/README.md
@@ -58,8 +58,10 @@ Flags:
       --cpu-profile string   write CPU profile to file
       --debug                output debug messages
   -h, --help                 help for rest-server
+      --ip-header string     use a header to obtain the ip for unauthorized request logging
       --listen string        listen address (default ":8000")
       --log string           log HTTP requests in the combined log format
+      --log-auth-failure     log the ip address of unauthorized requests
       --max-size int         the maximum size of the repository in bytes
       --no-auth              disable .htpasswd authentication
       --no-verify-upload     do not verify the integrity of uploaded data. DO NOT enable unless the rest-server runs on a very low-power device

diff --git a/changelog/unreleased/pull-167 b/changelog/unreleased/pull-167
@@ -0,0 +1,11 @@
+Feature: Logging of unauthorized requests
+
+Two new command line flags have been added in order to support logging of
+unauthorized requests to the server. The flag `--log-auth-failure` enables
+the logging and uses the remote address of the request as the default for
+the logged ip. If the server is used behind a reverse proxy for, `--header-for-ip`
+can be used to specify a header like "X-Forwarded-For" to be used for logging
+the ip.
+
+https://github.com/restic/rest-server/pull/167
+https://forum.restic.net/t/rest-server-and-fail2ban/2569
diff --git a/cmd/rest-server/main.go b/cmd/rest-server/main.go
@@ -39,6 +39,8 @@ func init() {
 	flags := cmdRoot.Flags()
 	flags.StringVar(&cpuProfile, "cpu-profile", cpuProfile, "write CPU profile to file")
 	flags.BoolVar(&server.Debug, "debug", server.Debug, "output debug messages")
+	flags.BoolVar(&server.LogAuthFailure, "log-auth-failure", server.LogAuthFailure, "log the ip address of unauthorized requests")
+	flags.StringVar(&server.IPHeader, "ip-header", server.IPHeader, "use a header to obtain the ip for unauthorized request logging")
 	flags.StringVar(&server.Listen, "listen", server.Listen, "listen address")
 	flags.StringVar(&server.Log, "log", server.Log, "log HTTP requests in the combined log format")
 	flags.Int64Var(&server.MaxRepoSize, "max-size", server.MaxRepoSize, "the maximum size of the repository in bytes")

diff --git a/handlers.go b/handlers.go
@@ -27,6 +27,8 @@ type Server struct {
 	Prometheus       bool
 	PrometheusNoAuth bool
 	Debug            bool
+	LogAuthFailure   bool
+	IPHeader         string
 	MaxRepoSize      int64
 	PanicOnError     bool
 	NoVerifyUpload   bool

diff --git a/mux.go b/mux.go
@@ -36,6 +36,14 @@ func (s *Server) checkAuth(r *http.Request) (username string, ok bool) {
 	var password string
 	username, password, ok = r.BasicAuth()
 	if !ok || !s.htpasswdFile.Validate(username, password) {
+		if s.LogAuthFailure {
+			if s.IPHeader != "" {
+				log.Printf("unauthorized: %s", r.Header.Get(s.IPHeader))
+			} else {
+				log.Printf("unauthorized: %s", r.RemoteAddr)
+			}
+		}
+
 		return "", false
 	}
 	return username, true