Backup over HTTPS

Hello,

Would it be possible to have the backup data sent over the same port as the web interface?
Preferably it should be able to work even when used behind an Apache / nginx reverse proxy (for HTTPS).

This would allow clients to create backups even when they are behind strictly firewalled networks (which is happening more often these days).

thanks,
Stijn

Hi,
Just go to the Web GUI, on Settings | Internet, and change the value for “Internet server port:”.
I have 443 on mine and it works great (several mobile clients across the US, pointing to a server in Virginia).

Hi,

The problem is that the web interface is already published (through Nginx) on port 443.
So I would need to use a second IP only for the backup.

Adding to that, HTTPS filtering won’t know what to do with the data, since it’s using port 443 but isn’t web traffic; it will be blocked most of the time.

Stijn

That sounds more challenging.
I also work with F5 Load Balancers; they let you discriminate streams by inspecting the incoming traffic (looking at HTTP headers etc.), so you can create rules that send each incoming connection to different pools of servers or different TCP/UDP ports on the same server. So basically you can have the UrBackup client using port 443 even if that port is used for the GUI on the server; then, whether the user browses the GUI or the client is sending backups, they will both go to 443 but the balancer will discriminate the traffic.
I’m pretty sure Nginx can do the same.
You could use multiple public IPs as well, one for GUI and one for backup traffic.
The second part: if you are concerned that the traffic will be filtered at origin no matter what because it doesn’t look like HTTP, then that’s a separate issue. UrBackup would have to be changed to use SSL or you would have to tunnel the traffic at the source, but again, if you are in a highly controlled environment at origin, tunneling might not be allowed either, even if it is SSL VPN.

I’d actually implement HTTPS CONNECT tunneling ( https://en.wikipedia.org/wiki/HTTP_tunnel#HTTP_CONNECT_tunneling ). Something like htproxy or apache should support that.

If you use an IDS system that wants unencrypted data you’d have to disable internet client encryption and rely on the HTTPS (SSL) encryption.

1 Like
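The CONNECT exchange suggested in the post above, as an added example (not part of the thread and not UrBackup code): a small CONNECT gateway that opens a tunnel only to destinations on an allowlist, so the HTTPS front end does not become an open relay. The function names and the `allowed` set are assumptions made for illustration.

```python
import socket
import threading

def parse_connect(head: bytes):
    """Return (host, port) from a CONNECT request head, or None if malformed."""
    try:
        method, target, version = head.split(b"\r\n", 1)[0].decode("ascii").split(" ")
        host, _, port = target.rpartition(":")
        if method != "CONNECT" or not version.startswith("HTTP/1.") or not host:
            return None
        return host, int(port)
    except ValueError:
        return None

def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the receiving side."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def handle(client, allowed):
    """Serve one CONNECT request, tunnelling only to (host, port) pairs in `allowed`."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < 8192:
        data = client.recv(4096)
        if not data:
            break
        buf += data
    head, _, early = buf.partition(b"\r\n\r\n")
    dest = parse_connect(head)
    if dest is None:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
    elif dest not in allowed:
        client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")  # refuse to be an open relay
    else:
        with socket.create_connection(dest) as upstream:
            client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
            upstream.sendall(early)  # bytes the client sent right after the header
            back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
            back.start()
            pump(client, upstream)
            back.join()
    client.close()
```

After the `200` reply the gateway only copies bytes, so whatever the client and backup server speak inside the tunnel passes through unchanged.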

And wouldn’t the HTTP tunneling without using CONNECT work? That way it’s general HTTP(s) traffic, and wouldn’t be blocked? ( https://en.wikipedia.org/wiki/HTTP_tunnel#HTTP_tunneling_without_using_CONNECT )

Or maybe the urbackup client could post the data itself to the urbackupsrv website, without some tunneling code in between?

To be honest, until now I haven’t had issues with the custom port. Just asking to allow it to a certain IP always worked.
But I have more and more students whose laptops are being backed up. And they use the networks of their campuses. Don’t think asking them to open up a port would work. Afaik they don’t scan HTTPS traffic, but that time might come, and I would prefer a solution that not only works now, but also in the future.

Idk, it would be less efficient as it needs two connections per one real connection (one for up, one for down). Would be easier to set up though and it would be able to punch through the Great Firewall of China, I guess.

I’ve read a post here by XiteHosting, regarding hosting on port 443. You could use name based virtual hosts and have multiple hostnames on the same IP address, each using port 443 for their own web sites.

manuel2002m, beware that just moving the site to port 443 does not encrypt the session; you need to change the protocols in use to HTTP/SSL protocol to encrypt the traffic.