k3nny/TISbackup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
68ff4238e0
TISbackup/README.md
k3nny 68ff4238e0 fix(security): remove hardcoded Flask secret key 
Replace hardcoded Flask secret key with environment variable to
prevent session hijacking and CSRF attacks.

Changes:
- Load secret key from TISBACKUP_SECRET_KEY environment variable
- Fall back to cryptographically secure random key using secrets module
- Log warning when random key is used (sessions won't persist)
- Add environment variable example to README.md Docker Compose config
- Add setup instructions in Configuration section

Security improvements:
- Eliminates hardcoded secret in source code
- Uses secrets.token_hex(32) for cryptographically strong random generation
- Sessions remain secure even without env var (though won't persist)
- Prevents session hijacking and CSRF bypass attacks

Documentation:
- Update README.md with TISBACKUP_SECRET_KEY setup instructions
- Include command to generate secure random key
- Update SECURITY_IMPROVEMENTS.md with implementation details
- Mark hardcoded secret key issue as resolved

Setup:
```bash
# Generate secure key
python3 -c "import secrets; print(secrets.token_hex(32))"

# Set in environment
export TISBACKUP_SECRET_KEY=your-key-here
```

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-05 01:29:16 +02:00

3.8 KiB
Raw Blame History

TISBackup

This is the repository of the TISBackup project, licensed under GPLv3.

TISBackup is a python script to backup servers.

It runs at regular intervals to retrieve different data types on remote hosts such as database dumps, files, virtual machine images and metadata.

Install using Compose

Clone that repository and build the pod image using the provided Dockerfile

docker build . -t tisbackup:latest

In another folder, create subfolders as following

mkdir -p /var/tisbackup/{backup/log,config,ssh}/

Expected structure

/var/tisbackup/
    └─backup/                   <-- backup location
    └─config/
      ├── tisbackup-config.ini  <-- backups config
      └── tisbackup_gui.ini     <-- tisbackup config
    └─ssh/
      ├── id_rsa                <-- SSH Key
      └── id_rsa.pub            <-- SSH PubKey
    compose.yaml

Adapt the compose.yml file to suits your needs, one pod act as the WebUI front end and the other as the crond scheduler

services:
  tisbackup_gui:
    container_name: tisbackup_gui
    image: "tisbackup:latest"
    build: .
    volumes:
      - ./config/:/etc/tis/
      - ./backup/:/backup/
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      # SECURITY: Set a unique secret key for Flask session security
      # Generate with: python3 -c "import secrets; print(secrets.token_hex(32))"
      - TISBACKUP_SECRET_KEY=your-secret-key-here-change-me
    restart: unless-stopped
    ports:
      - 9980:8080

  tisbackup_cron:
    container_name: tisbackup_cron
    image: "tisbackup:latest"
    build: .
    volumes:
      - ./config/:/etc/tis/
      - ./ssh/:/config_ssh/
      - ./backup/:/backup/
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    restart: always
    command: "/bin/bash /opt/tisbackup/cron.sh"

Configuration

  • Provide an SSH key and store it in ./ssh
  • Setup config files in the ./config directory
  • SECURITY: Generate and set a secure Flask secret key: 
    # Generate a secure random secret key
python3 -c "import secrets; print(secrets.token_hex(32))"
    Then add it to your compose.yml as the TISBACKUP_SECRET_KEY environment variable

tisbackup-config.ini

[global]
backup_base_dir = /backup/

# backup retention in days
backup_retention_time=90

# for nagios check in hours
maximum_backup_age=30

[srvads-poudlard-samba]
type=rsync+ssh
server_name=srvads.poudlard.lan
remote_dir=/var/lib/samba/
compression=True
;exclude_list="/proc/**","/sys/**","/dev/**"
private_key=/config_ssh/id_rsa
ssh_port = 22

tisbackup_gui.ini

[general]
config_tisbackup= /etc/tis/tisbackup-config.ini
sections=
ADMIN_EMAIL=josebove@internet.fr
base_config_dir= /etc/tis/
backup_base_dir=/backup/

Run!

docker compose up -d

NGINX reverse-proxy

Sample config file

server {
  listen 443 ssl http2;
  # Remove '#' in the next line to enable IPv6
  # listen [::]:443 ssl http2;
  server_name tisbackup.poudlard.lan;

  ssl_certificate /etc/letsencrypt/live/tisbackup.poudlard.lan/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/tisbackup.poudlard.lan/privkey.pem; # managed by Certbot


  location / {
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   Host $host;
    proxy_pass         http://localhost:9980/;
    proxy_http_version 1.1;
    proxy_set_header   Upgrade $http_upgrade;
    proxy_set_header   Connection "upgrade";
  }
}

About

Tranquil IT is the original author of TISBackup.

The documentation is provided under the license CC-BY-SA and can be found on readthedoc.