The ingress server for the Duplicati portal.
The ingress server needs to know which organization a backup report belongs to. It determines this from either a preconfigured token or a JWT token.
For preconfigured tokens, a pre-made JSON file with a dictionary of token/orgid entries is loaded on startup and kept in memory.
For JWT tokens, the token is signed with a key pre-shared between the portal and the ingress server, and the token contains the orgId.
Once the organization is recognized, the file is parsed to validate that it is valid JSON and has some signature fields included.
If the tests pass, the file is encrypted with a key. The keyId can either be provided with the preconfigured tokens or extracted from the JWT.
The encrypted file is uploaded to the remote storage (S3 compatible, local filesystem or PostgreSQL) and an event is published to MassTransit, announcing the new file.
The ingress server is intended to have very few moving parts and generally just authorize & validate the input, and then store in persistent storage.
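The organization lookup described above, sketched as an added example; it is not the project's own code. It assumes the pre-shared key is used with HS256, that the JWT carries `keyId`, `iss`, `aud` and `exp` claims next to `orgId`, and that each preconfigured entry holds an `orgId` and a `keyId`; `resolve_org` and `sign_hs256` are hypothetical names.

```python
import base64, hashlib, hmac, json, time

def _b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(key, head, body):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign_hs256(claims, key):
    """Portal side, constructed for the demo: issue an HS256-signed token."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_mac(key, head, body))}"

def resolve_org(token, *, key, authority, audience, preconfigured, now=None):
    """Return (orgId, keyId) for an upload token, or None to reject the upload."""
    if token in preconfigured:  # static token -> org entry loaded at startup
        entry = preconfigured[token]
        return entry["orgId"], entry["keyId"]
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm; the token header must not get to pick "none".
        if json.loads(_b64d(head)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(_mac(key, head, body), _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))  # parsed only after the MAC checks out
        aud = claims["aud"]
        if claims["iss"] != authority:  # assumed to map to INGRESS__JWT__AUTHORITY
            return None
        if audience not in (aud if isinstance(aud, list) else [aud]):
            return None
        if claims["exp"] <= (time.time() if now is None else now):
            return None
        return claims["orgId"], claims["keyId"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed token: reject without leaking why

if __name__ == "__main__":
    key = b"constructed-demo-key"  # stands in for INGRESS__JWT__SIGNINGKEY
    tok = sign_hs256({"iss": "https://portal.example", "aud": "ingress",
                      "exp": time.time() + 60, "orgId": "org-b", "keyId": "k2"}, key)
    print(resolve_org(tok, key=key, authority="https://portal.example",
                      audience="ingress", preconfigured={}))
```
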
Variable | Description |
---|---|
ENVIRONMENT__ISPROD | Production environment flag (false indicates development environment) |
ENVIRONMENT__STORAGE | KVPSButter connection string for report storage |
MESSAGING__CONNECTIONSTRING | PostgreSQL connection string for connecting to the message bus |
ENCRYPTIONKEY__??? | One or more encryption keys for encrypting backup reports |
INGRESS__JWT__AUTHORITY | The authority that issued the JWT token (must match issuer config) |
INGRESS__JWT__AUDIENCE | The audience for the JWT token (must match issuer config) |
INGRESS__JWT__SIGNINGKEY | The signing key for the JWT token (must match issuer config) |
The following environment variables are optional, and should be considered for a production deployment:
Variable | Description |
---|---|
ENVIRONMENT__HOSTNAME | The server hostname for logging purposes |
ENVIRONMENT__MACHINENAME | Name of the machine for logging purposes |
ENVIRONMENT__REDIRECTURL | URL to redirect to when visiting the root path |
PRECONFIGUREDTOKENS__STORAGE | The KVPSButter connection string to the storage that contains an IP blacklist |
PRECONFIGUREDTOKENS__WHITELIST | The key that contains the IP blacklist |
PRECONFIGUREDTOKENS__BLACKLIST | The key that contains the IP blacklist |
This project uses environment variables to configure the application during startup.
The provided launch.json is configured to start without additional configuration. It does not integrate with a message bus; instead it uses a simple in-memory bus to simulate the functionality.
If you need to debug with a message bus, you need to configure the connection string.
It is recommended that you configure variables by creating a local.environmentvariables.json file in the root of the project. This file is excluded from Git and Docker, making it less likely that you accidentally leak test variables.
This file:
- Should contain key-value pairs representing environment variables.
- Is loaded early during application startup.
- Overrides any existing environment variables if a key already exists.
This allows you to locally customize or override variables — without modifying the original configuration.
Example local.environmentvariables.json for using a local PostgreSQL database:
```json
{
  "MESSAGING__CONNECTIONSTRING": "User ID=postgres;Password=*******;Host=localhost;Port=5432;Database=messaging;",
  "PRECONFIGUREDTOKENS__STORAGE": "file:///path/to/shared/folder?pathmapped=true"
}
```