Release: 2.0.9.102 (Canary) 2024-08-02

2.0.9.102_canary_2024-08-02

This release is a canary release intended to be used for testing in preparation of a later stable release.

Unlike regular canary builds, this one has a major change in the build system, so it now runs on .NET8.

For that reason, the updater in previous canary builds does not detect this update yet, but this can be activated at a later time.

Please see release notes for v2.0.9.100 for a summary of changes.
Please see list of known issues related to .NET8 upgrade:
  • Followup .NET8 canary · GitHub

This build changes the underlying webserver to Kestrel, which is common for .NET based projects.
A big thanks to @tsuckow and @npodbielski for their contributions towards this goal.

This build changes authentication for the WebUI
With this build it is no longer possible to use the web-UI without a password.
If no password is set, a random password is generated.
For users activating the UI via the TrayIcon, this will automatically log in, as the TrayIcon hosts the server.
For users that rely on the WebUI without the TrayIcon, a special link is emitted during startup that allows login.
For both cases, the password can be (re-)set with --webservice-password=... as a startup commandline argument.

Detailed list of changes:

  • Updated libraries: Mega, SharpAESCrypt, Storj, FluentFTP
  • Updated Webserver to Kestrel, thanks @tsuckow and @npodbielski
  • Implemented websocket based messages in WebUI, thanks @npodbielski
  • HTTP reports now give a warning if the server rejects the message
  • Extensive changes to strings to improve localization, structure and layout in WebUI, thanks @luixxiul
  • Uplink libraries fixed on all platforms, thanks @TopperDEL
  • Fixed an issue where strings with line-breaks would not show in translated form
  • Removed remnants of Tardigrade backend in favor of Storj API
  • Added Sakura Cloud to list of S3 providers
  • Changed aFTP default SSL to None, meaning “System Default”
  • Added check to find Duplicati server database in old location on MacOS
  • Fixed issues with .deb packages overwriting options file on update
  • Fixed issue with backups using VSS and a drive letter as the source
  • Fixed issue with Arm 32bit not reading files larger than 4GiB

Command line arguments are generally visible by other users, would be wise to offer environmental variable option.

The intended use is to reset, not to keep running with it. Say you forgot the password, you then run:

> duplicati-server --webservice-password=…
CTRL+C
> duplicati-server

But for better security and Docker support, I will make ENV vars an option as well.
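
The concern in this exchange is that, on Linux, other local users can usually read a process's arguments from /proc/<pid>/cmdline. The following is an added example, not Duplicati code: it parses such a NUL-separated argument list, flags secret-bearing options such as --webservice-password, and masks their values so the command line can be logged or audited safely. The keyword patterns other than --webservice-password and the sample bytes are assumptions constructed here.

```python
import re

# --webservice-password is the option from this thread; the other keywords are
# generic assumptions about how secret-bearing options tend to be named.
SECRET_OPTION = re.compile(r"^--?[\w-]*(password|passphrase|secret|token)[\w-]*$", re.I)


def parse_cmdline(raw):
    """Split the NUL-separated bytes of /proc/<pid>/cmdline into an argv list."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def redact_argv(argv):
    """Return (argv with secret values masked, names of secret-bearing options found)."""
    out, exposed, hide_next = [], [], False
    for arg in argv:
        if hide_next and not arg.startswith("-"):
            out.append("****")                 # value of a "--option value" pair
            hide_next = False
            continue
        hide_next = False
        name, eq, _value = arg.partition("=")
        if SECRET_OPTION.match(name):
            exposed.append(name)
            out.append(name + "=****" if eq else name)
            hide_next = not eq                 # value may follow as the next argument
        else:
            out.append(arg)
    return out, exposed


# Constructed sample: the argument list of the reset command shown above.
SAMPLE = (b"duplicati-server\0--webservice-password=CONSTRUCTED-EXAMPLE\0"
          b"--webservice-allowedhostnames=localhost\0")

if __name__ == "__main__":
    redacted, exposed = redact_argv(parse_cmdline(SAMPLE))
    print("exposed options:", exposed)
    print("safe to log:    ", " ".join(redacted))
```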

I am glad to be able to help!


image: lscr.io/linuxserver/duplicati:development
cannot access the web ui on 2 server

Duplicati will only accept localhost as the hostname by default. If you are using another hostname, you need to enable it with --webservice-allowedhostnames=hostname. Use the hostname * to disable the security mechanism.

It is not a new thing though, it should have been like this for several years?
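
How a Host-header allow-list of the kind described above behaves, as an added example: this is a generic sketch, not Duplicati's source code. It accepts only requests whose Host header names a configured hostname, defaults to localhost, and treats * as switching the check off; the function names, the strict handling of malformed headers and the sample requests are assumptions constructed here.

```python
DEFAULT_ALLOWED = ("localhost",)  # the default the post describes


def host_from_header(value):
    """Return the lower-cased host from a Host header (port removed), or None if malformed."""
    value = value.strip().lower()
    if value.startswith("["):                      # IPv6 literal, e.g. [::1]:8200
        host, closed, rest = value[1:].partition("]")
        if not closed:
            return None
    else:
        host, colon, port = value.partition(":")
        rest = colon + port
    if rest and not (rest[0] == ":" and rest[1:].isdigit()):
        return None                                # junk after the host part
    if not host or any(c in host for c in " /\\@,"):
        return None
    return host.rstrip(".")                        # "localhost." is the same name


def is_host_allowed(header, allowed=DEFAULT_ALLOWED):
    """True if the request's Host header names a configured hostname."""
    if "*" in allowed:                             # "*" switches the check off entirely
        return True
    host = host_from_header(header or "")
    return host is not None and host in {a.lower().rstrip(".") for a in allowed}


# Constructed sample requests: (Host header, allow-list) pairs.
SAMPLES = [
    ("localhost:8200", DEFAULT_ALLOWED),
    ("LOCALHOST.", DEFAULT_ALLOWED),
    ("nas.home.example:8200", DEFAULT_ALLOWED),
    ("nas.home.example:8200", ("localhost", "nas.home.example")),
    ("localhost@other.example", DEFAULT_ALLOWED),
    ("anything.example", ("*",)),
]


def decisions():
    return [is_host_allowed(h, a) for h, a in SAMPLES]


if __name__ == "__main__":
    for (h, a), ok in zip(SAMPLES, decisions()):
        print(f"{h!r:32} allowed={a!r:36} -> {'accept' if ok else 'reject'}")
```

Listing the exact hostname keeps the check active for every other name, whereas * accepts any Host header.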

I’ll check. Never used it, honestly. I’ll report back later.

adding webservice-allowedhostnames=hostname as environment variable does not produce anything

It needs to be a commandline variable, not environment.

How can I pass this to the compose file?

I tried it this way, but it is not working:

version: "2.1"
services:
  duplicati:
    image: lscr.io/linuxserver/duplicati:development
    container_name: duplicati
    network_mode: bridge

    environment:
      - PUID=0
      - PGID=0
      - TZ=Europe/Rome
      - CLI_ARGS=  --webservice-allowed-hostnames="*"
    volumes:
      - /mypath/Duplicati/config:/config
    ports:
      - 8200:8200
    restart: always

It seems the link to the signature file on Release Version bump to v2.0.9.102-2.0.9.102_canary_2024-08-02 · duplicati/duplicati · GitHub does not work. It returns 404 error.

https://updates.duplicati.com/Canary/2.0.9.102_canary_2024-08-02.signatures.zip

So what can we do? Anything from user side is possible to solve the problem?

Ah sorry, it did not intend to be a reply to you…

Hello,

it is not clear to me how this works with the password. I use the Windows service and have installed it this way:

msiexec /i "duplicati-2.0.9.102_canary_2024-08-02-win-x64-gui.msi" FORSERVICE=true ADDLOCAL=ALL REMOVE=DuplicatiDesktopShortCutFeature,DuplicatiProgramMenuShortCutFeature,DuplicatiStartupShortCutFeature /quiet

How do I get a password set?

I have already stopped the service and tried this:

"C:\Program Files\Duplicati 2\Duplicati.Server.exe" --webservice-password=abcdefg

or

"C:\Program Files\Duplicati 2\Duplicati.Server.exe" --webservice-password=abcdefg --server-datafolder=C:\ProgramData\Duplicati

But I still can’t get to the WebGUI - the server is running, you can see the Duplicati website in the background, but I don’t get any password entry window:

Connection to server was rejected due to invalid authentication. Reload browser window to reconnect to server properly.

If this problem persist open this page from the TrayIcon instead.

I have also tried this without success:

"C:\Program Files\Duplicati 2\Duplicati.WindowsService.exe" uninstall
"C:\Program Files\Duplicati 2\Duplicati.WindowsService.exe" install --log-retention=1D --server-datafolder=%ALLUSERSPROFILE%\Duplicati --webservice-password=abcdefg

Does your “invalid authentication” seem to correspond to terminal window putting out stuff like:

fail: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[1]
      An unhandled exception has occurred while executing the request.
      Duplicati.WebserverCore.Exceptions.UnauthorizedException: Authorization failed due to missing cookie.
         at Duplicati.WebserverCore.Endpoints.V1.Auth.<>c.<<Map>b__3_0>d.MoveNext()
      --- End of stack trace from previous location ---
         at Microsoft.AspNetCore.Http.RequestDelegateFactory.<TaskOfTToValueTaskOfObject>g__ExecuteAwaited|92_0[T](Task`1 task)
         at Duplicati.WebserverCore.Middlewares.LanguageFilter.InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
         at Microsoft.AspNetCore.Http.RequestDelegateFactory.<ExecuteValueTaskOfObject>g__ExecuteAwaited|129_0(ValueTask`1 valueTask, HttpContext httpContext, JsonTypeInfo`1 jsonTypeInfo)
         at Duplicati.WebserverCore.Middlewares.WebsocketExtensions.<>c__DisplayClass0_0.<<UseNotifications>b__0>d.MoveNext()
      --- End of stack trace from previous location ---
         at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)

Mine is looking like above, and I (like you) haven’t seen any sign of a traditional password usage.
I’ve tried to encourage it with --webservice-password and Settings Change server passphrase.

What seems to work the best for me is to open from a TrayIcon, but that’s only one of many uses.
Running as a Windows service, or with Duplicati on a different system are other cases to support.

was a topic on its own (added to old one, being pursued), and also mentioned above in this topic.

EDIT:

The message posted above “seems” to happen when I leave the golden path of a tray icon open.
Even going to 127.0.0.1 instead of localhost does it, presumably due to lack of a refresh token.
I’m running Duplicati.GUI.TrayIcon.exe --webservice-interface=* --webservice-allowedhostnames=* while pursuing the other topic. The host header check is acting unusually.

Mine is also putting out the above, fairly slowly. These aren’t as immediately bothersome though.

warn: Duplicati.WebserverCore.Abstractions.ISettingsService[0]
      Could not deserialize last update version information `?packagetypeid=win-x64-gui.zip`

I had the same “invalid hostname” issue. Previous version (2.0.9.101) had “allow remote access” and “hostname” configured in global settings. Does 2.0.9.102 not honor the previously-configured hostname?

Scheduled tasks might have broken. First clue was importing a job to run tomorrow morning.
Status bar stayed at “No scheduled tasks”. Imported again, changed by hand. Still not there.

About → System info doesn’t seem to be showing the schedule. estimatedPauseEnd is odd.
It does react if I actually start a pause. pauseTimeRemain sets up, but does not count down.
I’m expecting it to do that while I watch. If I refresh manually, I can see the time going down.

Anyway, the unpaused view is below. I’m used to seeing estimatedPauseEnd look very zero.
2.0.8.1 would show estimatedPauseEnd : 0001-01-01T00:00:00 when pause is not in effect.

Server state properties
lastEventId : 16
lastDataUpdateId : 7
lastNotificationUpdateId : 0
estimatedPauseEnd : "0001-01-01T04:56:02.000Z"
activeTask :
programState : Running
lastErrorMessage :
connectionState : connected
connectionAttemptTimer : 0
failedConnectionAttempts : 0
failedAuthAttempts : 0
lastPgEvent :
updaterState : Waiting
updateDownloadLink :
updatedVersion :
updateDownloadProgress : 0
proposedSchedule : []
schedulerQueueIds : []
pauseTimeRemain : 0

I did finally see it ask for a password at least once, after I accepted initial dialog to set that.
Log out button in the left bar was missing for a long time, finally showed up, but is ignored.

I’m not sure if there’s a logout timer, but I did get Internal server error popups awhile.
Originally I thought it was in what I was doing, but then did other things, and they failed too.

I can’t report on any terminal messages with these, as I’m launching from a desktop script.
Basically trying to get to normal operation. Somewhat blocked. Ask if you need debug info.

EDIT:

If “emitted” means written to the terminal, does it have the same background issue I mention?
My setup is a bit odd, but Duplicati running from the background seems a very common thing.
TrayIcon launched at login or from Desktop, or Server run by Windows service are examples.

Maybe “WebUI without the TrayIcon” really meant “WebUI without doing Open from TrayIcon”?
I use TrayIcon for its information and controls, with a WebUI generally not opened by TrayIcon.