41 lines
1.6 KiB
Text
41 lines
1.6 KiB
Text
|
+-----------------------------------------------------------------------
|
||
|
|
| Running ${PKGSTEM} on OpenBSD
|
||
|
|
+-----------------------------------------------------------------------
|
||
|
|
|
||
|
|
User Authentication
|
||
|
|
===================
|
||
|
|
|
||
|
|
The server uses an .htpasswd file to specify users. You can create such a file
|
||
|
|
at the root of the persistence directory (/var/restic by default) by executing
|
||
|
|
the following command. In order to append new user to the file, just omit the
|
||
|
|
-c argument.
|
||
|
|
|
||
|
|
# su -l -s/bin/sh _restic
|
||
|
|
$ htpasswd .htpasswd username
|
||
|
|
|
||
|
|
|
||
|
|
TLS
|
||
|
|
===
|
||
|
|
|
||
|
|
By default the server uses HTTP protocol. This is not very secure since with
|
||
|
|
Basic Authentication, username and passwords will travel in cleartext in every
|
||
|
|
request. In order to enable TLS support, add the --tls argument. By default
|
||
|
|
the server will read files named "public_key" and "private_key" at the root
|
||
|
|
of your persistence directory. The location can be changed with the flags
|
||
|
|
--tls-cert and --tls-key (they must be readable by the _restic user).
|
||
|
|
|
||
|
|
The above arguments can be set by using rcctl(8):
|
||
|
|
|
||
|
|
rcctl enable restic_rest_server
|
||
|
|
rcctl set restic_rest_server flags --tls --path /var/restic
|
||
|
|
|
||
|
|
You can either use a certificate signed by a standard CA, or generate a
|
||
|
|
self-signed certificate with the following commands:
|
||
|
|
|
||
|
|
openssl genrsa -out private_key 4096
|
||
|
|
openssl req -new -x509 -key private_key -out public_key -days 365
|
||
|
|
|
||
|
|
The restic backend normally validates certificates using the system
|
||
|
|
CA store in /etc/ssl/cert.pem; if using a self-signed certificate, point
|
||
|
|
the restic backend at a copy of the certificate using the --cacert option.
|