backup server side executed python scripts for managing linux and windows system and application data backups, developed by adminsys for adminsys
k3nny 68ff4238e0 fix(security): remove hardcoded Flask secret key
Replace hardcoded Flask secret key with environment variable to
prevent session hijacking and CSRF attacks.

Changes:
- Load secret key from TISBACKUP_SECRET_KEY environment variable
- Fall back to cryptographically secure random key using secrets module
- Log warning when random key is used (sessions won't persist)
- Add environment variable example to README.md Docker Compose config
- Add setup instructions in Configuration section

Security improvements:
- Eliminates hardcoded secret in source code
- Uses secrets.token_hex(32) for cryptographically strong random generation
- Sessions remain secure even without env var (though won't persist)
- Prevents session hijacking and CSRF bypass attacks

Documentation:
- Update README.md with TISBACKUP_SECRET_KEY setup instructions
- Include command to generate secure random key
- Update SECURITY_IMPROVEMENTS.md with implementation details
- Mark hardcoded secret key issue as resolved

Setup:
```bash
# Generate secure key
python3 -c "import secrets; print(secrets.token_hex(32))"

# Set in environment
export TISBACKUP_SECRET_KEY=your-key-here
```

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-05 01:29:16 +02:00
.gitea/workflows Python 3.13 + add nginx reverse-proxy 2025-03-07 22:24:27 +01:00
.vscode fix(tisbackup): 🐛 Dockerfile fix venv uv 2025-04-18 23:48:25 +02:00
deb EOF & whitespace 2024-11-29 00:54:09 +01:00
docs EOF & whitespace 2024-11-29 00:54:09 +01:00
docs-sphinx-rst fix iniparse 2024-11-29 23:45:40 +01:00
libtisbackup fix(security): replace os.popen/os.system with subprocess for command injection prevention 2025-10-05 01:23:53 +02:00
nginx Python 3.13 + add nginx reverse-proxy 2025-03-07 22:24:27 +01:00
rpm EOF & whitespace 2024-11-29 00:54:09 +01:00
samples EOF & whitespace 2024-11-29 00:54:09 +01:00
scripts EOF & whitespace 2024-11-29 00:54:09 +01:00
static EOF & whitespace 2024-11-29 00:54:09 +01:00
templates EOF & whitespace 2024-11-29 00:54:09 +01:00
.dockerignore fix(tisbackup): 🐛 fix dockerignore pyproject.toml absent 2025-04-18 23:36:26 +02:00
.gitignore fix(tisbackup): using uv is good 2025-04-18 23:11:05 +02:00
.hadolint.yml EOF & whitespace 2024-11-29 00:54:31 +01:00
.pre-commit-config.yaml fix iniparse 2024-11-29 23:45:40 +01:00
backup.sh fix(tisbackup): fix iniparse wrong check 2025-04-14 23:37:16 +02:00
compose.yml EOF & whitespace 2024-11-29 00:54:09 +01:00
config.py fix iniparse 2024-11-29 23:45:40 +01:00
cron.sh fix first pass 2024-11-28 23:20:19 +01:00
Dockerfile fix(tisbackup): 🐛 remove excess uv/uvx 2025-04-18 23:57:44 +02:00
entrypoint.sh EOF & whitespace 2024-11-29 00:54:09 +01:00
pyproject.toml fix(tisbackup): using uv is good 2025-04-18 23:11:05 +02:00
README.md fix(security): remove hardcoded Flask secret key 2025-10-05 01:29:16 +02:00
requirements.txt fix(tisbackup): using uv is good in Dockerfile maybe 2025-04-18 23:32:15 +02:00
SECURITY_IMPROVEMENTS.md fix(security): remove hardcoded Flask secret key 2025-10-05 01:29:16 +02:00
tasks.py fix(security): replace os.popen/os.system with subprocess for command injection prevention 2025-10-05 01:23:53 +02:00
tisbackup_gui.py fix(security): remove hardcoded Flask secret key 2025-10-05 01:29:16 +02:00
tisbackup.py few fixes and lint compatible 2024-11-29 00:48:59 +01:00
uv.lock fix(tisbackup): using uv is good 2025-04-18 23:11:05 +02:00

TISBackup

This is the repository of the TISBackup project, licensed under GPLv3.

TISBackup is a Python script to back up servers.

It runs at regular intervals to retrieve different data types on remote hosts such as database dumps, files, virtual machine images and metadata.

Install using Compose

Clone this repository and build the pod image using the provided Dockerfile:

docker build . -t tisbackup:latest

In another folder, create subfolders as follows:

mkdir -p /var/tisbackup/{backup/log,config,ssh}/

Expected structure

/var/tisbackup/
    └─backup/                   <-- backup location
    └─config/
      ├── tisbackup-config.ini  <-- backups config
      └── tisbackup_gui.ini     <-- tisbackup config
    └─ssh/
      ├── id_rsa                <-- SSH Key
      └── id_rsa.pub            <-- SSH PubKey
    compose.yaml

Adapt the compose.yml file to suit your needs. One pod acts as the WebUI front end and the other as the crond scheduler.

services:
  tisbackup_gui:
    container_name: tisbackup_gui
    image: "tisbackup:latest"
    build: .
    volumes:
      - ./config/:/etc/tis/
      - ./backup/:/backup/
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      # SECURITY: Set a unique secret key for Flask session security
      # Generate with: python3 -c "import secrets; print(secrets.token_hex(32))"
      - TISBACKUP_SECRET_KEY=your-secret-key-here-change-me
    restart: unless-stopped
    ports:
      - 9980:8080

  tisbackup_cron:
    container_name: tisbackup_cron
    image: "tisbackup:latest"
    build: .
    volumes:
      - ./config/:/etc/tis/
      - ./ssh/:/config_ssh/
      - ./backup/:/backup/
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    restart: always
    command: "/bin/bash /opt/tisbackup/cron.sh"

Configuration

  • Provide an SSH key and store it in ./ssh
  • Set up config files in the ./config directory
  • SECURITY: Generate and set a secure Flask secret key:
    # Generate a secure random secret key
    python3 -c "import secrets; print(secrets.token_hex(32))"
    
    Then add it to your compose.yml as the TISBACKUP_SECRET_KEY environment variable
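
If the sample value from compose.yml is left in place, the session-signing key is effectively public, so a loader can treat it the same as a missing key. The following Python is an added example, not TISBackup's own code: the function name load_secret_key, the placeholder list and the 32-character minimum are assumptions; only the TISBACKUP_SECRET_KEY variable and the secrets.token_hex(32) fallback come from this page.

```python
import logging
import os
import secrets

log = logging.getLogger("tisbackup_gui")

ENV_VAR = "TISBACKUP_SECRET_KEY"
# Sample values shown in this page's documentation; a key copied from docs is public.
PLACEHOLDERS = {"your-secret-key-here-change-me", "your-key-here"}
MIN_LENGTH = 32  # assumption: shortest key accepted, in characters


def load_secret_key(environ=os.environ):
    """Return (key, persistent): the signing key and whether it came from the environment."""
    key = environ.get(ENV_VAR, "").strip()
    problem = None
    if not key:
        problem = "is not set"
    elif key.lower() in PLACEHOLDERS:
        problem = "is still the documentation placeholder"
    elif len(key) < MIN_LENGTH:
        problem = f"is shorter than {MIN_LENGTH} characters"
    elif len(set(key)) < 8:
        problem = "has too few distinct characters"
    if problem is None:
        return key, True
    # Fall back to a per-process random key: sessions stay unforgeable, but they
    # are invalidated on every restart and are not shared between workers.
    log.warning("%s %s; using a random key, sessions will not persist", ENV_VAR, problem)
    return secrets.token_hex(32), False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample environments, not real deployments.
    samples = ({}, {ENV_VAR: "your-secret-key-here-change-me"}, {ENV_VAR: secrets.token_hex(32)})
    for env in samples:
        key, persistent = load_secret_key(env)
        print(f"persistent={persistent} key_length={len(key)}")
```

In a Flask application the returned key would be assigned to app.secret_key at startup; the persistent flag lets a health check report that the deployment is running on a throwaway key.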

tisbackup-config.ini

[global]
backup_base_dir = /backup/

# backup retention in days
backup_retention_time=90

# for nagios check in hours
maximum_backup_age=30

[srvads-poudlard-samba]
type=rsync+ssh
server_name=srvads.poudlard.lan
remote_dir=/var/lib/samba/
compression=True
;exclude_list="/proc/**","/sys/**","/dev/**"
private_key=/config_ssh/id_rsa
ssh_port = 22

tisbackup_gui.ini

[general]
config_tisbackup= /etc/tis/tisbackup-config.ini
sections=
ADMIN_EMAIL=josebove@internet.fr
base_config_dir= /etc/tis/
backup_base_dir=/backup/

Run!

docker compose up -d

NGINX reverse-proxy

Sample config file

server {
  listen 443 ssl http2;
  # Remove '#' in the next line to enable IPv6
  # listen [::]:443 ssl http2;
  server_name tisbackup.poudlard.lan;

  ssl_certificate /etc/letsencrypt/live/tisbackup.poudlard.lan/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/tisbackup.poudlard.lan/privkey.pem; # managed by Certbot


  location / {
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   Host $host;
    proxy_pass         http://localhost:9980/;
    proxy_http_version 1.1;
    proxy_set_header   Upgrade $http_upgrade;
    proxy_set_header   Connection "upgrade";
  }
}

About

Tranquil IT is the original author of TISBackup.

The documentation is provided under the CC-BY-SA license and can be found on Read the Docs.