I think this is a quirk in how the sockets are assigned. For a machine with a single IP, you could probably listen to the same port on 0.0.0.0, 127.0.0.1 and the regular IP all at the same time.
I have not tested it, but I would assume the more specific IP will be routed before the fallback IP.
If you use the --webservice-interface= option, then this could explain how multiple hosted servers could co-exist on the same port. The hosted server connection that the TrayIcon makes does not take such a setup into account, so I would recommend using a different port for each.
Sorry, I did not intend to imply that it was you personally that was crafting the request.
If you need the TrayIcon to use a different hostname, you need to start it with --hosturl.
Something like:
> Duplicati.Server.exe --webservice-allowed-hostnames=hp4
> Duplicati.GUI.TrayIcon.exe --no-hosted-server --hosturl=http://hp4:8200
Without the --hosturl argument, the TrayIcon will always connect to http://localhost:8200 (with some minor adjustments for SSL + Port)
Yes, that is why the logic is to persist the password in the database. If you uninstall the service and reinstall without the argument, it will retain the password (and other arguments).
One way to persist the settings would be to run Duplicati.Server.exe to set the password, something like:
> Duplicati.Server.exe --webservice-password=<password> --webservice-allowed-hostnames=hp4
Wait for it to start up and report ready, then press CTRL+C to stop it.
If you have already installed the service, just make sure you stop it before doing the above, and start/install it afterwards.
You can use the argument --server-datafolder= to make the Duplicati.Server.exe point to the same folder as you are using for the service.
I am fairly certain that this is logged to Windows “Application Log”, but if not, it should be.
The daemon/service problem is not new, but before there was no option to use the log information to do an initial login, so you could not look for it.
I would argue that it increases the security quite a lot. Without a password, any local application (or website that can call localhost) could potentially set up a new backup to a destination of their choosing, or “restore” malicious content. This is even more of an issue if you are running as a service with admin privileges, as the call can be done by unprivileged users, granting privilege escalation without a password.
The downside you experience is only experienced for uses that want to run the server/service as stand-alone, not for users that just use the TrayIcon.