Hello everyone, First of all I am really liking the Duplicati program, I want to use it along with another tool called Remote Desktop Manager to access my clients remotely, I would like to know how to enable HTTPS in Duplicati to have a more secure access, I am using Duplicati on computers running the Windows operating system.
Sorry for my English, I’m from Brazil and I’m using Google translator.
1 Like
Hello @marcelo and welcome to the forum!
If you mean how to drive the Duplicati GUI directly over the Internet, don’t… The web interface is not security audited/hardened, and all HTTPS does is to provide connection encryption to whoever’s in.
Duplicati webserver https with selfsigned certificate is one example of how you could add HTTPS for whatever it adds in a less risky environment. For Internet, local access from remote desktop is best.
Remote Desktop Manager looks like a third-party (not Microsoft) tool, otherwise for any who are using Windows Remote Desktop on the Internet on older Windows versions, patch now to avoid BlueKeep.
Thanks for the reply, is that I have several clients using the tool, mostly without RDP / VPN access, the ideal would be to have a hub but duplicati does not yet offer this tool.
If my access is restricted to my valid IP, along with HTTPS, would it still be insecure?
I read the other topic, but I did not understand how to configure on windows computers and running per service, that example I think is good for linux
Aside from Linux pathnames, I don’t see why it should be, although I can’t help with the details for any OS.
C:\Program Files\Duplicati 2>Duplicati.Server.exe help
Supported commandline arguments:
--tempdir: This option can be used to supply an alternative folder for temporary storage. By default the system default temporary folder is used. Note that also SQLite will put temporary files in this temporary folder.
--help: Displays this help
--parameters-file: This option can be used to store some or all of the options given to the commandline client. The file must be a plain text file, UTF-8 encoding is preferred. Each line in the file should be of the format --option=value. The special options --source and --target can be used to override the localpath and the remote destination uri, respectively. The options in this file take precedence over the options provided on the commandline. You cannot specify filters in both the file and on the commandline. Instead, you can use the special --replace-filter, --append-filter, or --prepend-filter options to specify filters inside the parameter file. Each filter must be prefixed with either a + or a -, and multiple filters must be joined with ;
--unencrypted-database: Disables database encryption
--portable-mode: Activates portable mode where the database is placed below the program executable
--log-file: Outputs log information to the file given
--log-level: Determines the amount of information written in the log file
--webservice-webroot: The path to the folder where the static files for the webserver is present. The folder must be located beneath the installation folder
--webservice-port: The port the webserver listens on. Multiple values may be supplied with a comma in between.
--webservice-sslcertificatefile: The certificate and key file in PKCS #12 format the webserver use for SSL. Only RSA/DSA keys are supported.
--webservice-sslcertificatepassword: The password for decryption of certificate PKCS #12 file.
--webservice-interface: The interface the webserver listens on. The special values "*" and "any" means any interface. The special value "loopback" means the loopback adapter.
--webservice-password: The password required to access the webserver. This option is saved so you do not need to set it on each run. Setting an empty value disables the password.
--webservice-allowed-hostnames: The hostnames that are accepted, separated with semicolons. If any of the hostnames are "*", all hostnames are allowed and the hostname checking is disabled.
--ping-pong-keepalive: When running as a server, the service daemon must verify that the process is responding. If this option is enabled, the server reads stdin and writes a reply to each line read
--log-retention: Set the time after which log data will be purged from the database.
--server-datafolder: Duplicati needs to store a small database with all settings. Use this option to choose where the settings are stored. This option can also be set with the environment variable DUPLICATI_HOME.
--server-encryption-key: This option sets the encryption key used to scramble the local settings database. This option can also be set with the environment variable DUPLICATI_DB_KEY. Use the option --unencrypted-database to disable the database scrambling.
C:\Program Files\Duplicati 2>
Let’s Encrypt is a possible certificate source if you don’t want to buy one or sign your own (OS tools vary).
But this ignores the concern of overall security. If you mean an IP restriction done by a trusted firewall, that seems pretty safe. A determined hacker with the right networking capabilities could possibly spoof your IP, however it would take some work. Don’t rely on the Duplicati options like --webservice-allowed-hostnames which are implemented as applications on the web server. The server itself isn’t known to be Internet-safe.
https://forum.duplicati.com/search?q=sslcertificatefile can find some other people who’ve tried to use that.
Is a server/client setup possible with Duplicati? might give some ideas of ways to do central management.
Thank you very much again, now I will analyze these posts and try to get it to work.
I just finished adding HTTPS to most of my Duplicati machines for other reasons (HSTS), and for Windows running as a service I did this:
- Generated a certificate for the machine, exported as a PFX with private key, all certificates in chain and a password - I used my internal Windows CA for this as I can add its certificate as trusted myself to get rid of the warnings.
- Found the Duplicati service in the registry and amended the ImagePath parameter by adding the settings to use the certificate:
–webservice-sslcertificatefile=“PATH_TO_PFX\NAME_OF_PFX” --webservice-sslcertificatepassword=12345
You can also do this by using the Duplicati service command, but you have to uninstall the service and then install it again as it aborts if it finds the service is already present (hence using the registry editor) - Restarted the service, twice (I’ll explain why below)
- Accessed the webserver with same port as before but with HTTPS
These certificate parameters are a little mysterious as they imply the service will load them each time it’s run which it kind of seems to, but my experience with Windows and so far also on Linux, is that it’s not the case. They appear to tell the service to load the certificates, store them and then set the webserver to HTTPS for the next start-up. So I was finding the first time I restarted the service HTTPS would not work, but a subsequent restart it would. To further prove this, I’m am having issues getting my Pi running Raspian to use HTTPS, it just won’t work for some reason, but even after reverting the service paramaters back by removing the two new ones I was still unable to access even with just HTTP no matter how many times I restarted the service/machine. It then dawned on me to try simply keeping the two new parameters but leaving them empty, so “–webservice-sslcertificatefile= --webservice-sslcertificatepassword=” and again after two restarts, HTTP began to work. I then removed the two parameters. Did I miss some documentation on these parameters as I never saw this explained - btw, I’m running 2.0.4.18_canary_2019-05-12 so perhaps it’s something new in the canary versions.
Hope some of this helps
Thanks for the help, I’m going to take the test between today and tomorrow and I’ll come back to tell you if it worked, I believe it will work because your step by step is very detailed.