website • docs • community • demo
Rdiffweb is a web application that allows you to view repositories generated by rdiff-backup. The purpose of this application is to ease the management of backups and quickly restore your data with a rich and powerful web interface.
Rdiffweb is written in Python and is released as open source project under the GNU GENERAL PUBLIC LICENSE (GPL). All source code and documentation are Copyright Rdiffweb contributors.
Rdiffweb is actively developed by IKUS Soft since November 2014.
The Rdiffweb source code is hosted on Gitlab and mirrored to Github.
The Rdiffweb website is https://rdiffweb.org/.
With its rich web interface Rdiffweb provide a notable list of features:
- Browse your backup
- Restore single file or multiple files as an archived
- Users authentication via local database and LDAP
- Users authorization
- Email notification when backup is not successful
- Configurable repository encoding
- Configurable retention period
- Backup statistics visualization using graphs
- SSH Keys management
- Disk quota visualization
- File and folder deletion
If you quickly want to check how Rdiffweb is behaving, you may try our demo server hosted on:
https://rdiffweb-demo.ikus-soft.com/
Use the following credential to login:
- Username: admin
- Password: admin123
For detailed installation steps, read the Installation documentation.
You should read the Documentation to properly install Rdiffweb in your environment.
Docker
docker pull ikus060/rdiffweb
Debian
apt install lsb-release
curl -L https://www.ikus-soft.com/archive/rdiffweb/public.key | gpg --dearmor > /usr/share/keyrings/rdiffweb-keyring.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/rdiffweb-keyring.gpg] https://nexus.ikus-soft.com/repository/apt-release-$(lsb_release -sc)/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/rdiffweb.list
apt update
apt install rdiffweb
Pypi
pip install rdiffweb
Subscribing to our newsletter is an effective way to stay up-to-date on the latest news about Rdiffweb. By signing up for, you will receive regular updates and notifications about new features, updates, and releases related to Rdiffweb.
Join our growing community to get answers to your technical questions.
Rdiffweb users should use the Rdiffweb Google Group.
Want to know more about Rdiffweb and learn it thoroughly? Read our complete documentation.
Bug reports should be reported on the Rdiffweb Gitlab at https://gitlab.com/ikus-soft/rdiffweb/-/issues
Professional support for Rdiffweb is available by contacting IKUS Soft.
We are passionate about developing and maintaining this open-source project to make it better with each update. Your support can help us continue our efforts and enhance the project for the entire community. By becoming a Github Sponsor, you directly contribute to the project's sustainability and growth.
- Add support for Ubuntu Noble 24.04 LTS & Oracular 24.10 #317
- Complete french translation #315
- Provide default encoding value to support old database with NOT NULL contrains
- Use default language to send notification if user doesn't have a "Preferred Language" #306
- Add "Preferred Language" to Admin view to allow administrator to update the value
- Improve DockerImage by removing cache files
- Upgrade rdiff-backup to v2.2.6 in DockerFile
- Add API entry point to create and list access token
- Add access token scope #298
- Add user's quota to Rdiffweb API #299
- Change Debian and Ubuntu version numbering
- Drop support for Debian Buster
- Fix display of page settings for user with role "user"
- Fix usage of
session-idle-timeout
in config file #296
- Adjust the session idle and absolute timeouts to 10 and 30 minutes, respectively.
- Fix date calculation when generating report in January #295
- Fix broken URL to https://ikus-soft.com
- Fix "Remember me" check box to allow cliking on label to ease usability #293
- Fix translation of backup status in email report #291
- Adding German translation file - credit to Michael Nitzsche
- Fix reported version in Debian package #289
- Add support for WTForms v3.1.0
- Add last backup date to email notification
- Add ratelimit to Access Token, SSH Keys and User creation CVE-2023-5289
- Drop support of Ubuntu Kinetic
- Add Ubuntu Mantic Support
- Use Multi-Step to build Docker image
- Update layout of file statistics to display a single day
- Stop sending notification for ignored days #284
- Handle warning exit code 2 return by rdiff-backup version 2.2
- Pin version of selenium to v4.10
- Log detailed error message when restore command failed to help debugging
- Update interface used to manage users to be more user friendly #237
- Disable Disk Quota in users view when quota command is not configured #237
- Hide LDAP label in users view when LDAP is not configured #237
- Allow administrator to change user's reporting preferences
- Add support for Ubuntu Lunar
- Add support for SQLAlchemy v2.0 for forward compatibility
- When reaching 100% disk usage, show quota in red to improve visibility
- Send notification when user's quota reach 90% #46
- Add ratelimit to "send me a status report" to avoid email flooding #272 - credit to Nehal Pillai
- Fix creation of access token with expiration time #277
- Allow user to disable notification for selected day of week #278
- Add detailed file statistics to show created, modified and deleted files #103
- Trim spaces on verification code to improve usability #279
- Determine default username when user get redirected to login page #283
- Sort repository by dates in administration view #282
- Document how to configure fail2ban to improve server hardening
- Document how to configure certbot for automatic SSL certificate generation
- Update installation steps to include
arch=amd64
- Update french translation
- Fix encoding problem with older Outlook 2007 client #273
- Support Python 3.11
- Provide a Monthly, Weekly or Daily repport for user #71
- Fix MFA verification code email's subjet #270
- Add translation for footer not in email layout
- Send email to administrator when a new version is available #266
- Improve automatic testing
- Refused to start if
rdiff-backup
executable is not found #267
- Review the application layout to use Fluid container to use all the space available on the screen
- Rename status view to Dashboard
- Display more useful data in Dashboard view: Backups per days, Oldest backup, Storage Usage, Average duration, Least Active, Most active
- Fix deletion confirmation of repositories within subdirectory #250
- Properly clean-up plain text email from HTML tags
- Send notification for inactive backup based on statistics
- Send notification using a new template following the web interface branding
- Send notification to user when repository get added or removed
- Send all notification to an optional "catch-all" email address configured using
--email-catch-all
option #258 - Redistribute logos in PNG format for better compatibility
- Disable error page logs for 4xx errors
- Add username and IP address to logs only for HTTP Request
- Fix LDAP integration to support non-list attributes - credit to Shane Robinson
- Add support of multiple required-group for LDAP integration
- Improve System Logs view to identify "User Activity", "Threats" and "User Login"
- Fix display of "* minutes ago" #264
- Add
default-lang
option to configure default language #263 - Allow user to select a preferred language #263
- Use user's preferred language when sending notifications #263
- Support Setuptools v66 for compatibility with Debian Bookworm
- Fix execution of rdiffweb remove-older job to clean-up repository history #262
- Enforce SQLAlchemy version between 1.2 or 1.4
- Fixed display of Hamburger menu on mobiles (minarca#192)
- Change wording for interupted backup
- Fix loading of Charts in Status page
- Ensure Gmail and other mail client doesn't create hyperlink automatically for any nodification sent by Rdiffweb to avoid phishing - credit to Nehal Pillai
- Sent email notification to user when a new SSH Key get added - credit to Nehal Pillai
- Ratelimit "Resend code to my email" in Two-Factor Authentication view - credit to Nehal Pillai
- Username are not case-insensitive - credits to raiders0786
- Make sure that all ssh keys are unique, regardless of the user - credit to Nehal Pillai
- Disable translation caching
Breaking changes:
- Username with different cases (e.g.: admin vs Ammin) are not supported. If your database contains such username make sure to remove them before upgrading otherwise Rdiffweb will not start.
- Discard
X-Forwarded-Host
headers credit to Anishka Shukla - Create proper symbolic link of
chartkick.js
on Ubuntu Jammy to fix loading of Charts in web interface - Add CSRF verification on
/logout
credits to reza.duty
- Add support for WTForms v3 to support Debian Bookworm
- Fix strange behavior in access token management #247
- Block repository access when user_root directory is empty or relative path CVE-2022-4314 credit to neverjunior
- Replace admin password only when
--admin-password
option is provided #246 - Invalidate browser cache for
logo
,headerlogo
andfavicon
on restart #245
- Add support for Ubuntu Kinetic #240
- Disable filesize for deleted files to improve page loading #241
This next release focus on two-factor-authentication as a measure to increase security of user's account.
- Store User's session information into database
- Update ldap plugin to load additional attributes from LDAP server
- Improve
/status
page error handling whensession_statistics
cannot be read - Add support for Ubuntu Jammy
- Upgrade from Bootstrap v3 to v4 #204
- Replace Fontello by Font-Awesome v4
- Use CSS variables
var()
to customize themes using--branding-X
options #239 - Remove usage of Jquery.validate
- Replace custom timsort by jquery DataTables #205
- Add Active Session managements #203
- Active session should be visible in user's profiles
- Active session may be revoked by user
- Active session should be visible in administration view
- Action session may be revoke by administrator
- Show number of active users within the last 24 hours in dashboard
- Handle migration of older Rdiffweb database by adding the missing
repos.Encoding
,repos.keepdays
andusers.role
columns #185 - Replace deprecated references of
disutils.spawn.find_executable()
byshutil.which()
#208 - Add two-factor authentication with email verification #201
- Generate a new session on login and 2FA #220
- Enforce permission on /etc/rdiffweb configuration folder
- Enforce validation on fullname, username and email
- Limit incorrect attempts to change the user's password to prevent brute force attacks #225 CVE-2022-3273 credit to Nehal Pillai
- Enforce password policy new password cannot be set as new password CVE-2022-3376 credit to Nehal Pillai
- Enforce better rate limit on login, mfa, password change and API CVE-2022-3439 CVE-2022-3456 credit to Nehal Pillai
- Enforce 'Origin' validation CVE-2022-3457 credit to Nithissh12
- Define idle and absolute session timeout with agressive default to protect usage on public computer CVE-2022-3327 credit to Nehal Pillai
- Send email notification when enabling or disabling MFA CVE-2022-3363 credit to Nehal Pillai
- Use Argon2id to store password hash #231
- Fixed plugin priorities to ensure that jobs are scheduled at each startup #232
- Revoke previous user's sessions on password change CVE-2022-3362 credit to Nehal Pillai
Breaking changes:
- Drop Ubuntu Hirsute & Impish (End-of-life)
session-dir
is deprecated and should be replace byrate-limit-dir
. User's session are stored in database.- previous
.css
customization are not barkward compatible. Make usage of the--branding-X
options.
Thanks to Nehal Pillai with whom I collaborate to improve the security of this project.
This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
- Mitigate path traversal vulnerability CVE-2022-3389 credit to Hoang Van Hiep
This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
- Add
Cache-Control
and other security headers CVE-2022-3292 credit to Nehal Pillai - Enforce password policy using
password-score
based on zxcvbn CVE-2022-3326 credit to Nehal Pillai
This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
- Clean-up invalid path on error page
- Limit username field length CVE-2022-3290 credit to Nehal Pillai
- Limit user's email field length CVE-2022-3272 credit to Nehal Pillai
- Limit user's root directory field length CVE-2022-3295 credit to Nehal Pillai
- Limit SSH Key title field length CVE-2022-3298 credit to Nehal Pillai
This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
- Generate a new session on login and 2FA #220 CVE-2022-3269 credit to Ambadi MP
- Mitigate CSRF on user's settings #221 CVE-2022-3274 credit to irfansayyed
This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
- Support MarkupSafe<3 for Debian bookworm
- Mitigate CSRF on user's notification settings #216 CVE-2022-3233 credit to Ambadi MP
- Mitigate CSRF on repository settings #217 CVE-2022-3267 credit to irfansayyed
- Use 'Secure' Attribute with Sensitive Cookie in HTTPS Session on HTTP Error #218 CVE-2022-3174 credit to Chuu
This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
- Mitigate CSRF on repository deletion and user deletion CVE-2022-3232 #214 #215 credit to Ambadi MP
This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
- Use
X-Real-IP
to identify client IP address to mitigate Brute-Force attack #213
This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
- Mitigate CSRF in profile's SSH Keys CVE-2022-3221 #212 credit to Ambadi MP
This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
- Use 'Secure' Attribute with Sensitive Cookie in HTTPS Session. CVE-2022-3174 #209 credit to Chuu
- Avoid leakage of the stack trace in the default error page. CVE-2022-3175 #210 credit to Chuu
- Enforce minimum and maximum password length CVE-2022-3175 #211 credit to Chuu
This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
- Add Clickjacking Defense CVE-2022-3167 credit to tharunavula
- Drop Ubuntu Hirsute & Impish (End-of-life)
This new release brings a lot of improvement since the last version, multiple bug fixes to make the application stable. A couple of new features to improve the overall usability and a new security feature to block a brute force attack.
- Add RateLimit to login page and API to mitigate robots attacks #167
- Send email notification only if
email-sender
option is defined to avoid raising exception in logs #176 - Support file restore cancellation without leaving
rdiffweb-restore
process in<defunct>
state #174 - Replace
python-ldap
byldap3
a pure python implementation to avoid dependencies onsasl
andldap
binaries #186 - Reffactor core module to allow better extendability and reusability #183
- Add support for Debian Bookworm #180
- Add support for Ubuntu Impish #175
- Add rdiff-backup version to administration view
- Run unit test during Debian build package
- Refresh repository list automatically when required #188 #189
- Fix error 500 displayed in status page #191
- Improve repository browsing speed by minimizing the number of I/O call #192
- Publish Docker image directly to DockerHub #144
- Add REST API to manage sshkeys
Breaking changes:
- Ldap Password changes is not supported anymore.
- Ldap Check Shadow expire config is not supported anymore. It should be replace by a custom filter.
- Drop CentOS 7 and CentOS 8 support
Maintenance release to fix minor issues
- Improve date parsing for
backup.log
to avoid printing exception in logs #170 - Return HTTP error 403 for invalid symlink to avoid returning a misleading HTTP 500 Server Error #168
- Show a user friendly error message when trying to create a new user with an existing username #169
- Handle repository without last-backup date during the notification process to ensure notifications are sent #171
- Replace CherryPy
storage_type
bystorage_class
to avoid warning in logs - Update code to avoid deprecation warning where applicable
- Add Flake8 validation to improve code quality
- Remove Ubuntu Groovy support
- Push all artefacts to nexus server including binaries and documentation
- Fix
Chart.js
loading on Debian bullseye #164 - Update installation steps documentation
- Improve LDAP authentication to lookup entire directory
- Fix usage of
--ldap-add-user-default-userroot
to avoid error related to wrong encoding - Improve authentication mechanics
- Avoid raising an HTTP error 500 when login form receive invalid payload
- Mitigate open redirect vulnerability in login form
- To avoid backward compatibility issue, revert CSRF Token validation
- Mitigate CSRF vulnerability using cookies with
SameSite=Lax
- Mitigate CSRF vulnerability by validating the
Origin
header when a form is submited - Improve usage of WTForm for all form validation
- Update installation stepd for debian #162
- Build Ubuntu packages and publish them to our APT repo
- Broken build
- Mitigate CSRF vulnerability to user, ssh and repo management with CSRF Token
- Skip email notification if
email-host
configuration is not provided #157 - Skip email notification when the new attribute value has the same value #159
- USE LDAP
mail
attribute when creating new user from LDAP directory #156
- Provide a new theme
blue
to match IKUS Soft colors #158
- Automatically update user's repository list based on user's home directory
- Update default
session-dir
location to/var/lib/rdiffweb/session
to avoid using/var/run
#148
- Improve timezone handling to display date with local timezone using javascript #143
- Improve charts by replacing d3js by chartkick #122
- Replace the status view by something meaningful with chartkick #122
- Provide Docker image with Rdiffweb
docker pull ikus060/rdiffweb
#55 - Fix file and folder sorting #143
- Debian package:
- Add rdiff-backup as dependencies to comply with Debian packaging rules
- Multiple other fixed to control files
- Use debhelper-compat (= 13)
- Use debhelper-compat (= 13)
- Run test during packaging
- Create default folder
/var/run/rdiffweb/sessions
to store user session
- Use ConfigArgPare for configuration to support configuration file, environment variables and arguments to configure rdiffweb #114
- Fix cache in localization module
- Add
ldap-add-default-role
andldap-add-default-userroot
option to define default value for role and user root when creating user from LDAP #125 - Support PostgreSQL database by replacing our storage layer by SQLAlchemy #126
- Fix to retrieve user quota only for valid user_root #135
- Add option
disable-ssh-keys
to disable SSH Key management - Use absolute URL everywhere
- Add support for
X-Forwarded-For
,X-Forwarded-proto
and other reverse proxy header when generating absolute URL - Drop Debian Stretch support
- Implement a new background scheduler using apscheduler #82
- Use background job to send email notification to avoid blocking web page loading #47
- Use background job to delete repository to avoid blocking web page loading #48
- Allow deleting a specific file or folder from the history using
rdiff-backup-delete
#128 - Improve support for
session-dir
#131 - Add option
admin-password
to define administrator password for better security - Improve performance of repository browsing
- Add a new view to display logs of a specific repository
- Allow downloading the log
- Define a default limit to graph statistics to make it display faster
- Fix
get-quota-cmd
option to properly return a value
- Debian package: Remove dh-systemd from Debian build dependencies (https://bugs.debian.org/871312we)
- Improve Quota management:
QuotaSetCmd
,QuotaGetCmd
andQuotaUsedCmd
options could be used to customize how to set the quota for your environment.- Display user's quota in User View
- Display user's quota in Admin View
- Allow admin to update user quota from Admin View when
QuotaSetCmd
is defined. - Allow admin to define user quota using human readable value (e.g.: GiB, TiB, etc.)
- Improve logging around quota management
- Improve robustness when service is starting
- Improve robustness when repository has wrong permission defined (e.g.: when some files not readable)
- Add user id in Admin view
- Replace
UserObject(1)
by the actual username in log file to improve debugging
- Re-implement logic to update repositories views to remove duplicates and avoid nesting repo. #107
- Handle elapsed time of days in the graph. Thanks Nathaniel van Diepen contributions.
- Rebrand all link to ikus-soft.com
- Update documentation to install rdiffweb
- Remove obsolete minify dependency
- Drop support for python2
- Provide null translation if translation catalogues are not found
- Pass a LANG environment variable to rdiff-backup restore process to fix encoding issue #112
- Remove obsolete python shebang
- Remove execution bit (+x) on python modules
- Provide
--help
and--version
onrdiffweb
executable - Improve cherrypy version detection
- Do not update translation files (.mo) during build
This minor release introduce official support of rdiffweb on Debian Bullseye. It also includes some usability improvements.
- Change formatting of Last Backup date for "Updated 3 weeks ago" to ease the readability
- Add support for Debian Bullseye
- Add support for Python 3.8 (#104)
- Add warning in the users list view when a root directory is invalid (#30)
- Add options to control search depthness (#1)
- Print a warning in the log when the "DefaultTheme" value is not valid (#90)
Thanks to our sponsor, this release introduce a feature to have better control over the user's permission by defining 3 different levels of privilege: Admin, Maintainer and User. This addition allows you to have better control on what your users can or can't do.
- Fix single repository discovery when a user's home is a rdiff-backup repository
- [SPONSORED] Add a new setting at the user level to define the user's role. Admin, Maintainer and User. Admin are allowed to do everything. Maintainer are allow to browse and delete repo. Users are only allowed to browse. #94
- Add "Powered by" in the web interface footer #91
- Display a nice error message when trying to delete admin user #93
- Introduce usage of wtforms and flash in admin users for better form validation. #96 #97
- Update French translation
This minor releases fixed issues found while testing release 1.3.0.
- Fix lookup of executable rdiff-backup and rdiffweb-restore to search in current virtualenv first
- Fix repository view when multiple repo path are conflicting
- Fix logging of rdiffweb-restore subprocess
This minor release enforces security of the password stored in rdiffweb database to make use of a better encryption using SSHA. Only new passwords will make use of the SSHA scheme.
- Enforce password encryption by using SSHA scheme #88
This release focuses on improving the restore of big archives. The download should be much faster to start. Major enhancement was made to offload the processing outside the web server. And all of this is still compatible with rdiff-backup v1.2.8 and the latest v2.0.0.
- Restore file and folder in a subprocess to make the download start faster
- Fix encoding of archive on Python3.6 (CentOS 7) by using PAX format
- Add support to restore files and folders using rdiff-backup2
- Remove obsolete dependencies
pysqlite2
- Fix issue creating duplicate entries of repository in the database
This release provides little improvement to the v1.2.x including official support of rdiff-backup v2.0.0.
- Enhance the repository to invite users to refresh the repository when the view is empty.
- Support rdiff-backup v2.0.0
- Deprecate support for cherrypy 4, 5, 6 and 7
- Improve loading of repository data (cache status and entries)
- Restore compatibility with SQLite 3.7 (CentOS7)
Known issues:
- Filename encoding in tar.gz and zip file might not be accurate if you are running Python 3.6 (CentOS7)
Little bug fix following the previous release
- Fix 404 error when trying to access other users repo as admin
- Fix logging format for cherrypy logs to matches rdiffweb format
- Add log rotation by default
This release focus on improving the database layers for better extendability to add more type of data and to support more databases backend like postgresql in the near future.
- Add explicit testing for Debian Stretch & Buster
- Change the persistence layers
- Minimize number of SQL queries
- Add object lazy loading
- Add object data caching
- Fix bugs with SQLite <= 3.16 (Debian Stretch)
This release focus on improving the admin area and building the fundation for repository access control list (ACL).
- Update documentation from PDSL web site
- Improve the navigation bar layout
- Update the login page headline
- Update jinja2 version to allow 2.10.x
- Show server log in admin area
- Reduce code smell
- Add System information in admin area
- Validate credential using local database before LDAP
- Reffactoring templates macros
- Enhance user's view search bar
- Change repository URL to username/repopath
- Add System information in admin area
- Improve testcases
- Clean-up obsolete code
- Fix issue with captital case encoding name
- Fix compilation of less files
- Fix google font import
- Removing the auto update repos
- Create "admin" user if missing
- Update french translation
- Update installation documentation
- Fix removal of SSH Key
- Return meaningful error to the user trying to add an existing SSH key
- Make repository removal more robust
- Improve performance of librdiff
- Add new RESTful api
- Return the right HTTP 401 or 402 error code for authentication
- Fix bug introduce by upgrade to Jinja2 + python3
- Store ssh keys in database and disk
- Add support for theme (default, orange)
- Remove deprecated profiling code
- Add disk usage support / quota
- Add support of cherrypy v18
- Drop support of cherrypy v3.2.2
- Add wsgi entry point
- Replace the plugins architecture to ease implementation
- Numerous bug fixes
- Better error handling when error.log file are not valid gzip file