Wu Qing 17f4ec63ae fix: serve the Web console directly from the backend, fixing #62, and fix CodeQL security alerts (#70)
* fix(server): serve the Web console directly from the backend, fixing the 404 when nginx is absent (#62)

Issue #62: on servers without nginx installed, visiting :8340/ returns
"route not found" (404) and the Web console cannot be opened at all; in
addition, when the systemd service starts as the backupx user it keeps
exiting (exit 1) because it has no permission to read the root:root 0640
config file.

Fix:
- The backend gains SPA static hosting: it auto-detects the frontend
  directory (./web, ./web/dist, /opt/backupx/web, etc., or one set
  explicitly via server.web_root) and, once found, serves the static files
  with an index.html fallback, so the console is reachable without an
  additional nginx reverse proxy. Reserved prefixes such as /api, /health,
  /metrics and /install still return a structured JSON 404 and are not
  polluted by the SPA fallback (following the convention from issue #46).
- Request paths containing ".." are rejected directly by the file-serving
  layer, on top of a filepath.Rel containment check, ruling out directory
  traversal.
- install.sh now installs the config file as backupx:backupx and runs an
  explicit chown, fixing the startup failure in earlier versions where a
  root:root 0640 file left the service unable to read its config; the
  post-install message now notes that the console is reachable directly
  via :8340 and gives a journalctl command for troubleshooting.
- Added spa_test.go covering directory detection, reserved-prefix matching,
  the SPA fallback and traversal protection.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(security): fix email header injection, harden webhook and integer conversions

Fixes for genuine CodeQL static-analysis alerts on main:
- Email notifications (email.go): the From/To/Subject headers were
  previously built by directly concatenating user-controllable content
  (the backup task name ends up in Subject), creating an SMTP header
  injection risk (extra headers such as Bcc could be injected, or the body
  forged). Added buildRawMessage/sanitizeHeaderValue, which strip CR/LF
  from header values; the body is left as-is. Added email_test.go to
  cover this.
- Webhook notifications (webhook.go): Validate now parses the URL and
  checks for an http/https scheme, ruling out file://, gopher:// and other
  schemes usable for SSRF.
- Integer conversions (auth_service.go, storage_target_handler.go,
  backup_record_handler.go): changed the bitSize of ParseUint from 64 to 0
  (i.e. the width of uint), eliminating the potential uint64→uint
  truncation (on 32-bit platforms this becomes an out-of-range rejection
  rather than silent truncation) and clearing the
  go/incorrect-integer-conversion alert.

Note: the zipslip alerts in archive.go/file_runner.go are false positives
(a HasPrefix containment check already exists and symlinks are not
extracted); node FS browsing and the webhook target host are by design
controlled by authenticated users and are outside the scope of this
behaviour change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
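The header sanitization and webhook scheme check described in the commit message, written out as an added Go example (not BackupX's own code; the function names are modelled on the commit text and are assumptions, and the sample message is constructed):

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// sanitizeHeaderValue strips CR/LF so a user-controlled value (e.g. a task
// name placed in Subject) cannot end the header and inject a new one.
func sanitizeHeaderValue(v string) string {
	v = strings.ReplaceAll(v, "\r", "")
	v = strings.ReplaceAll(v, "\n", "")
	return strings.TrimSpace(v)
}

// buildRawMessage assembles the message: header values are sanitized, the
// body is passed through unchanged, as the commit describes.
func buildRawMessage(from, to, subject, body string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "From: %s\r\n", sanitizeHeaderValue(from))
	fmt.Fprintf(&b, "To: %s\r\n", sanitizeHeaderValue(to))
	fmt.Fprintf(&b, "Subject: %s\r\n\r\n", sanitizeHeaderValue(subject))
	b.WriteString(body)
	return b.String()
}

// validateWebhookURL allows only http/https, rejecting file://, gopher://
// and similar schemes that could be abused for SSRF.
func validateWebhookURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return errors.New("webhook url: scheme must be http or https")
	}
	return nil
}

func main() {
	// Constructed sample: a task name carrying a CRLF-injected extra header.
	fmt.Print(buildRawMessage("backupx@example.com", "ops@example.com",
		"[BackupX] nightly-db\r\nBcc: third-party@example.com", "done"))
	fmt.Println(validateWebhookURL("file:///etc/passwd"))
}
```

The injected line collapses into the Subject value instead of becoming a separate header, which is the behaviour email_test.go should pin down.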
2026-05-26 12:50:57 +08:00


BackupX

Self-hosted server backup management
One binary, one command — manage every backup of every server.


Docs · Downloads · Docker Hub

Screenshots: Dashboard, Backup Tasks, Storage Targets, Backup Records

Highlights

| Capability | Details |
|---|---|
| Backup Types | Files/directories (multi-source), MySQL, PostgreSQL, SQLite, SAP HANA (full / incremental / differential / log + parallel channels + retry) |
| SAP HANA Backint Agent | Built-in Backint protocol — HANA's native interface routes data directly to any BackupX storage backend |
| 70+ Storage Backends | Alibaba OSS, Tencent COS, Qiniu, S3, Google Drive, WebDAV, FTP + SFTP, Azure Blob, Dropbox, OneDrive and dozens more via rclone |
| Scheduling | Cron + visual editor + auto-retention (by days/count + empty-directory cleanup) |
| Multi-Node Cluster | Master-Agent mode via HTTP long-polling — Agents run tasks locally, upload straight to storage, no reverse connectivity required |
| Security | JWT + bcrypt + AES-256-GCM encrypted config + optional backup encryption + full audit log |
| Notifications | Email / Webhook / Telegram on success or failure |
| Observability | Prometheus /metrics endpoint + /health + /ready probes + SLA breach gauge |
| Audit Webhook | HMAC-SHA256 signed forwarding to SIEM / WORM storage for compliance (SOC2 / GDPR) |
| Flow Control | Per-node bandwidth cap + per-node concurrency limit — tune big/small nodes independently |
| Deployment | Single binary + embedded SQLite, Docker one-click, zero external dependencies |

Quick Start

# Docker (recommended)
docker run -d --name backupx -p 8340:8340 -v backupx-data:/app/data awuqing/backupx:latest

# Or prebuilt archive
curl -LO https://github.com/Awuqing/BackupX/releases/latest/download/backupx-linux-amd64.tar.gz
tar xzf backupx-*.tar.gz && cd backupx-* && sudo ./install.sh

For ARM64 hosts, use backupx-linux-arm64.tar.gz. The archive contains backupx, web/, config.example.yaml, and install.sh; run install.sh from the extracted directory.

Open http://your-server:8340, create the admin account, then follow the 5-minute Quick Start.

Documentation

The full docs live at https://awuqing.github.io/BackupX/ — Getting Started, Deployment, SAP HANA, Multi-Node Cluster, API reference, and more. Switch to Chinese via the language dropdown in the top-right nav.


Development

git clone https://github.com/Awuqing/BackupX.git && cd BackupX
make dev-server          # Terminal 1 — backend (:8340)
make dev-web             # Terminal 2 — frontend (Vite HMR)
make test                # run all tests
make build               # produce server/bin/backupx + web/dist

See the development guide for more.

Contributing

Issues and pull requests welcome. Please read the contributing guide before opening a PR — commit messages and PRs on this project are written in Chinese.

License

Apache License 2.0

Description
BackupX is a self-hosted backup management platform for Linux / macOS servers. Through an enterprise-grade Web console you can easily configure directory and database backups and store the backup files securely in Alibaba Cloud OSS, Tencent Cloud COS, Qiniu Cloud Kodo, Google Drive, S3-compatible storage, WebDAV or local disk.