{"id":13522427,"url":"https://github.com/restic/rest-server","last_synced_at":"2025-05-13T17:11:36.569Z","repository":{"id":39705441,"uuid":"72937609","full_name":"restic/rest-server","owner":"restic","description":"Rest Server is a high performance HTTP server that implements restic's REST backend API.","archived":false,"fork":false,"pushed_at":"2025-05-12T17:00:35.000Z","size":5988,"stargazers_count":1096,"open_issues_count":51,"forks_count":157,"subscribers_count":31,"default_branch":"master","last_synced_at":"2025-05-12T17:57:12.639Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/restic.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2016-11-05T16:12:22.000Z","updated_at":"2025-05-12T17:00:40.000Z","dependencies_parsed_at":"2023-11-13T22:24:33.515Z","dependency_job_id":"cc41a172-df44-481b-af00-8b1ad4a9ea13","html_url":"https://github.com/restic/rest-server","commit_stats":{"total_commits":441,"total_committers":45,"mean_commits":9.8,"dds":0.7006802721088435,"last_synced_commit":"d3fedbefe5d23aa5d59f0e13e2095806a277ac9a"},"previous_names":["zcalusic/restic-server"],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/restic%2Frest-server","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/restic%2Frest-server/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/restic%2Frest-server/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/restic%2Frest-server/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/restic","download_url":"https://codeload.github.com/restic/rest-server/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253990470,"owners_count":21995774,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T06:00:47.055Z","updated_at":"2025-05-13T17:11:31.554Z","avatar_url":"https://github.com/restic.png","language":"Go","funding_links":[],"categories":["Backup","Go"],"sub_categories":[],"readme":"# Rest Server\n\n\n[![Status badge for CI tests](https://github.com/restic/rest-server/workflows/test/badge.svg)](https://github.com/restic/rest-server/actions?query=workflow%3Atest)\n[![Go Report Card](https://goreportcard.com/badge/github.com/restic/rest-server)](https://goreportcard.com/report/github.com/restic/rest-server)\n[![GoDoc](https://godoc.org/github.com/restic/rest-server?status.svg)](https://godoc.org/github.com/restic/rest-server)\n[![License](https://img.shields.io/badge/license-BSD%20%282--Clause%29-003262.svg?maxAge=2592000)](https://github.com/restic/rest-server/blob/master/LICENSE)\n[![Powered by](https://img.shields.io/badge/powered_by-Go-5272b4.svg?maxAge=2592000)](https://golang.org/)\n\nRest Server is a high performance HTTP server that implements restic's [REST backend API](https://restic.readthedocs.io/en/latest/100_references.html#rest-backend).  It provides secure and efficient way to backup data remotely, using [restic](https://github.com/restic/restic) backup client via the [rest: URL](https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html#rest-server).\n\n## Requirements\n\nRest Server requires Go 1.23 or higher to build.  The only tested compiler is the official Go compiler.\n\nThe required version of restic backup client to use with `rest-server` is [v0.7.1](https://github.com/restic/restic/releases/tag/v0.7.1) or higher.\n\n## Build\n\nFor building the `rest-server` binary run `CGO_ENABLED=0 go build -o rest-server ./cmd/rest-server`\n\n## Usage\n\nTo learn how to use restic backup client with REST backend, please consult [restic manual](https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html#rest-server).\n\n```console\n$ rest-server --help\n\nRun a REST server for use with restic\n\nUsage:\n  rest-server [flags]\n\nFlags:\n      --append-only                  enable append only mode\n      --cpu-profile string           write CPU profile to file\n      --debug                        output debug messages\n      --group-accessible-repos       let filesystem group be able to access repo files\n  -h, --help                         help for rest-server\n      --htpasswd-file string         location of .htpasswd file (default: \"\u003cdata directory\u003e/.htpasswd)\"\n      --listen string                listen address (default \":8000\")\n      --log filename                 write HTTP requests in the combined log format to the specified filename (use \"-\" for logging to stdout)\n      --max-size int                 the maximum size of the repository in bytes\n      --no-auth                      disable .htpasswd authentication\n      --no-verify-upload             do not verify the integrity of uploaded data. DO NOT enable unless the rest-server runs on a very low-power device\n      --path string                  data directory (default \"/tmp/restic\")\n      --private-repos                users can only access their private repo\n      --prometheus                   enable Prometheus metrics\n      --prometheus-no-auth           disable auth for Prometheus /metrics endpoint\n      --proxy-auth-username string   specifies the HTTP header containing the username for proxy-based authentication\n      --tls                          turn on TLS support\n      --tls-cert string              TLS certificate path\n      --tls-key string               TLS key path\n      --tls-min-ver string           TLS min version, one of (1.2|1.3) (default \"1.2\")\n  -v, --version                      version for rest-server\n```\n\nBy default the server persists backup data in the OS temporary directory (`/tmp/restic` on Linux/BSD and others, in `%TEMP%\\\\restic` in Windows, etc). **If `rest-server` is launched using the default path, all backups will be lost**. To start the server with a custom persistence directory and with authentication disabled:\n\n```sh\nrest-server --path /user/home/backup --no-auth\n```\n\nTo authenticate users (for access to the rest-server), the server supports using a `.htpasswd` file to specify users. By default, the server looks for this file at the root of the persistence directory, but this can be changed using the `--htpasswd-file` option. You can create such a file by executing the following command (note that you need the `htpasswd` program from Apache's http-tools).  In order to append new user to the file, just omit the `-c` argument.  Only bcrypt and SHA encryption methods are supported, so use -B (very secure) or -s (insecure by today's standards) when adding/changing passwords.\n\n```sh\nhtpasswd -B -c .htpasswd username\n```\n\nIf you want to disable authentication, you must add the `--no-auth` flag. If this flag is not specified and the `.htpasswd` cannot be opened, rest-server will refuse to start.\n\nNOTE: In older versions of rest-server (up to 0.9.7), this flag does not exist and the server disables authentication if `.htpasswd` is missing or cannot be opened.\n\nBy default the server uses HTTP protocol.  This is not very secure since with Basic Authentication, user name and passwords will be sent in clear text in every request.  In order to enable TLS support just add the `--tls` argument and add a private and public key at the root of your persistence directory. You may also specify private and public keys by `--tls-cert` and `--tls-key` and set the minimum TLS version to 1.3 using `--tls-min-ver 1.3`.\n\nSigned certificate is normally required by the restic backend, but if you just want to test the feature you can generate password-less unsigned keys with the following command:\n\n```sh\nopenssl req -newkey rsa:2048 -nodes -x509 -keyout private_key -out public_key -days 365 -addext \"subjectAltName = IP:127.0.0.1,DNS:yourdomain.com\"\n```\n\nOmit the `IP:127.0.0.1` if you don't need your server be accessed via SSH Tunnels. No need to change default values in the openssl dialog, hitting enter every time is sufficient. To access this server via restic use `--cacert public_key`, meaning with a self-signed certificate you have to distribute your `public_key` file to every restic client.\n\nThe `--append-only` mode allows creation of new backups but prevents deletion and modification of existing backups. This can be useful when backing up systems that have a potential of being hacked.\n\nTo prevent your users from accessing each others' repositories, you may use the `--private-repos` flag which grants access only when a subdirectory with the same name as the user is specified in the repository URL. For example, user \"foo\" using the repository URLs `rest:https://foo:pass@host:8000/foo` or `rest:https://foo:pass@host:8000/foo/` would be granted access, but the same user using repository URLs `rest:https://foo:pass@host:8000/` or `rest:https://foo:pass@host:8000/foobar/` would be denied access. Users can also create their own subrepositories, like `/foo/bar/`.\n\nRest Server uses exactly the same directory structure as local backend, so you should be able to access it both locally and via HTTP, even simultaneously.\n\n### Systemd\n\nThere's an example [systemd service file](https://github.com/restic/rest-server/blob/master/examples/systemd/rest-server.service) included with the source, so you can get Rest Server up \u0026 running as a proper Systemd service in no time.  Before installing, adapt paths and options to your environment.\n\n### Docker\n\nRest Server works well inside a container, images are [published to Docker Hub](https://hub.docker.com/r/restic/rest-server). \n\n#### Start server\n\nYou can run the server with any container runtime, like Docker:\n\n```sh\n    docker pull restic/rest-server:latest\n    docker run -p 8000:8000 -v /my/data:/data --name rest_server restic/rest-server\n```\n\nNote that:\n\n- **contrary to the defaults** of `rest-server`, the persistent data volume is located to `/data`.\n- By default, the image uses authentication.  To turn it off, set environment variable `DISABLE_AUTHENTICATION` to any value.\n- By default, the image loads the `.htpasswd` file from the persistent data volume (i.e. from `/data/.htpasswd`). To change the location of this file, set the environment variable `PASSWORD_FILE` to the path of the `.htpasswd` file. Please note that this path must be accessible from inside the container and should be persisted. This is normally done by bind-mounting a path into the container or with another docker volume.\n- It's suggested to set a container name to more easily manage users (`--name` parameter to `docker run`).\n- You can set environment variable `OPTIONS` to any extra flags you'd like to pass to rest-server.\n\n#### Customize the image\n\nThe [published image](https://hub.docker.com/r/restic/rest-server) is built from the `Dockerfile` available on this repository, which you may use as a basis for building your own customized images.\n\n```sh\n    git clone https://github.com/restic/rest-server.git \n    cd rest-server\n    docker build -t restic/rest-server:latest .\n```\n\n#### Manage users\n\n##### Add user\n\n```sh\ndocker exec -it rest_server create_user myuser\n```\n\nor\n\n```sh\ndocker exec -it rest_server create_user myuser mypassword\n```\n\n##### Delete user\n\n```sh\ndocker exec -it rest_server delete_user myuser\n```\n\n## Proxy Authentication\n\nSee above for no authentication (`--no-auth`) and basic authentication.\n\nTo delegate authentication to a proxy, use the `--proxy-auth-username` flag. The specified header name, for example `X-Forwarded-User`,\nmust be present in the request headers and specifies the username. Basic authentication is disabled when this flag is set.\n\nWarning: rest-server trusts the username in the header. It is the responsibility of the proxy\nto ensure that the username is correct and cannot be forged by an attacker.\n\n\n## Prometheus support and Grafana dashboard\n\nThe server can be started with `--prometheus` to expose [Prometheus](https://prometheus.io/) metrics at `/metrics`. If authentication is enabled, this endpoint requires authentication for the 'metrics' user, but this can be overridden with the `--prometheus-no-auth` flag.\n\nThis repository contains an example full stack Docker Compose setup with a Grafana dashboard in [examples/compose-with-grafana/](examples/compose-with-grafana/).\n\n\n## Why use Rest Server?\n\nCompared to the SFTP backend, the REST backend has better performance, especially so if you can skip additional crypto overhead by using plain HTTP transport (restic already properly encrypts all data it sends, so using HTTPS is mostly about authentication).\n\nBut, even if you use HTTPS transport, the REST protocol should be faster and more scalable, due to some inefficiencies of the SFTP protocol (everything needs to be transferred in chunks of 32 KiB at most, each packet needs to be acknowledged by the server).\n\nOne important safety feature that Rest Server adds is the optional ability to run in append-only mode. This prevents an attacker from wiping your server backups when access is gained to the server being backed up.\n\nFinally, the Rest Server implementation is really simple and as such could be used on the low-end devices, no problem.  Also, in some cases, for example behind corporate firewalls, HTTP/S might be the only protocol allowed.  Here too REST backend might be the perfect option for your backup needs.\n\n## Contributors\n\nContributors are welcome, just open a new issue / pull request.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frestic%2Frest-server","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frestic%2Frest-server","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frestic%2Frest-server/lists"}