Hi,
I’ve set up Urbackup to back up my linux clients and linux servers. Almost everything works flawlessly. One of the servers, however, has some issues.
My set up is a bit special because the server that should be backed up is also running the nginx reverse proxy for urbackup.
The server also has a physical and a virtual network interface in two different VLANs.
Server:
Debian Buster
Physical (untagged) network interface: 192.168.1.10
Virtual (tagged) interface: 192.168.2.10 (just informational, should be irrelevant in this regard)
Proxies ports 55414 and 55413 to urbackup server.
Nginx config (left out irrelevant parts and my domain name):
server {
    listen 192.168.1.10:443 ssl http2;
    server_name urbackup.domain.ch;

    location / {
        proxy_pass http://mnemosyne.domain.ch:55414; # This is the urbackup server
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        send_timeout 3600;
        proxy_request_buffering off;
        proxy_buffering off;
    }

    location /x {
        include /etc/nginx/fastcgi_params;
        fastcgi_pass mnemosyne.domain.ch:55413; # Also the urbackup server
    }

    ssl_certificate /etc/ssl/domain.ch/domain.ch.fullchain;
    ssl_certificate_key /etc/ssl/domain.ch/domain.ch.key;
    #include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    include /etc/nginx/conf.d/expires.global;
}
nftables on the server to be backed up:
Since this wasn’t working correctly, I basically tried to completely except the urbackup server, but it didn’t really work. That’s why there is this outgoing exception and the exception for the address.
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    set tcp_accepted {
        type inet_service; flags interval;
        elements = {
            ssh,
            80,
            443,
            35621, # Urbackup
            35623, # Urbackup
        }
    }

    set udp_accepted {
        type inet_service; flags interval;
        elements = {
            35622, # Urbackup
        }
    }

    chain base_checks {
        # allow established/related connections
        ct state {established, related} accept
        # early drop of invalid connections
        ct state invalid drop
    }

    chain input { # This chain serves as a dispatcher
        type filter hook input priority 0;
        jump base_checks
        # allow from localhost
        ip saddr 127.0.0.1 accept
        # allow from loopback
        iifname lo accept
        # allow from mnemosyne (backup)
        ip saddr 192.168.1.7 accept
        # check from which VLAN it came in and apply different rules
        iifname enp1s0 jump input_enp1s0     # for internal traffic
        iifname enp1s0.2 jump input_enp1s0.2 # for DMZ traffic
        # allow icmp
        ip protocol icmp icmp type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable, packet-too-big, nd-router-advert, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query } accept
        # count and drop any other traffic
        counter drop
    }

    chain input_enp1s0 {
        # allowed ports tcp (see tcp_accepted)
        tcp dport @tcp_accepted accept
        # allowed ports udp (see udp_accepted)
        udp dport @udp_accepted accept
    }

    chain input_enp1s0.2 {
        # allow http/https in dmz
        tcp dport { 80, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0;
        policy accept;
    }

    chain output {
        type filter hook output priority 0;
        udp dport 35623 accept;
        policy accept;
    }
}
The urbackup client logfile:
2021-01-05 08:57:23: WARNING: Shutting down (Signal 15)
2021-01-05 08:57:23: ERROR: urbackupserver: Failed binding ipv6 socket to port 35623. Another instance of this application may already be active and bound to this port.
There is no IPv6 active on this server so this shouldn’t be an issue.
Here is also the nftables config of the backup server:
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    set tcp_accepted {
        type inet_service; flags interval;
        elements = {
            ssh,
            55415, # internet clients
        }
    }

    set udp_accepted {
        type inet_service; flags interval;
        elements = {
            35623,
        }
    }

    chain base_checks {
        # allow established/related connections
        ct state {established, related} accept
        # early drop of invalid connections
        ct state invalid drop
    }

    chain input {
        type filter hook input priority 0;
        jump base_checks
        # allow from localhost
        ip saddr 127.0.0.1 accept
        iifname lo accept
        # allowed ports tcp (see tcp_accepted)
        tcp dport @tcp_accepted accept
        # allow proxying from atlas
        ip saddr 192.168.1.10 tcp dport { 55413, 55414 } accept
        # allowed ports udp (see udp_accepted)
        udp dport @udp_accepted accept
        # allow icmp
        ip protocol icmp icmp type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable, packet-too-big, nd-router-advert, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query } accept
        # count and drop any other traffic
        counter drop
    }

    chain forward {
        type filter hook forward priority 0;
        policy accept;
    }

    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}
The urbackup server didn’t even find the client in the first place. I had to add it as an internet / NAT client. Then it shows as online, but when you try to start a backup it queues the backup and then fails with this log on the server side:
2021-01-05 09:01:46: ERROR: Connecting to ClientService of "atlas.domain.ch" failed: Sending version to client failed
2021-01-05 09:01:56: WARNING: Connecting to ClientService of "atlas.domain.ch" failed: Sending logdata to client failed
2021-01-05 09:02:06: WARNING: Connecting to ClientService of "atlas.domain.ch" failed: Sending logdata to client failed
2021-01-05 09:02:16: WARNING: Connecting to ClientService of "atlas.domain.ch" failed: Sending logdata to client failed
2021-01-05 09:02:26: WARNING: Connecting to ClientService of "atlas.domain.ch" failed: Sending logdata to client failed
2021-01-05 09:02:36: ERROR: Connecting to ClientService of "atlas.domain.ch" failed - CONNECT error during filelist construction
2021-01-05 09:02:46: ERROR: Backup had an early error. Deleting partial backup.
2021-01-05 09:04:06: ERROR: Connecting to ClientService of "atlas.domain.ch" failed: Error sending client access key
2021-01-05 09:04:06: WARNING: Exponential backoff: Waiting at least 40m before next file backup
There is no log on the client.
Thank you all in advance for your help.
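When triaging a case like the one above, it helps to turn the two log excerpts into structured records so that the failing phase, the affected client and any bind errors on the client side are counted rather than eyeballed. The script below is an added example for that purpose; it is not part of the post and not UrBackup's own code. It assumes only the log line layout visible in the post (`YYYY-MM-DD HH:MM:SS: LEVEL: message`); the two embedded samples are constructed copies of the lines quoted above.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the server-side lines quoted in the post.
SERVER_LOG = """\
2021-01-05 09:01:46: ERROR: Connecting to ClientService of "atlas.domain.ch" failed: Sending version to client failed
2021-01-05 09:01:56: WARNING: Connecting to ClientService of "atlas.domain.ch" failed: Sending logdata to client failed
2021-01-05 09:02:06: WARNING: Connecting to ClientService of "atlas.domain.ch" failed: Sending logdata to client failed
2021-01-05 09:02:16: WARNING: Connecting to ClientService of "atlas.domain.ch" failed: Sending logdata to client failed
2021-01-05 09:02:26: WARNING: Connecting to ClientService of "atlas.domain.ch" failed: Sending logdata to client failed
2021-01-05 09:02:36: ERROR: Connecting to ClientService of "atlas.domain.ch" failed - CONNECT error during filelist construction
2021-01-05 09:02:46: ERROR: Backup had an early error. Deleting partial backup.
2021-01-05 09:04:06: ERROR: Connecting to ClientService of "atlas.domain.ch" failed: Error sending client access key
2021-01-05 09:04:06: WARNING: Exponential backoff: Waiting at least 40m before next file backup
"""

# Constructed sample: the client-side lines quoted in the post.
CLIENT_LOG = """\
2021-01-05 08:57:23: WARNING: Shutting down (Signal 15)
2021-01-05 08:57:23: ERROR: urbackupserver: Failed binding ipv6 socket to port 35623. Another instance of this application may already be active and bound to this port.
"""

# One record per log line; the format is the assumption stated in the lead-in.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (?P<level>[A-Z]+): (?P<msg>.*)$")
# ClientService failures use either ": <reason>" or " - <reason>" after "failed".
CLIENTSERVICE_RE = re.compile(r'Connecting to ClientService of "(?P<client>[^"]+)" failed(?:: | - )(?P<reason>.*)')
BACKOFF_RE = re.compile(r"Exponential backoff: Waiting at least (?P<wait>\S+) before next (?P<kind>\w+) backup")
BIND_RE = re.compile(r"Failed binding (?P<family>ipv4|ipv6) socket to port (?P<port>\d+)")


@dataclass
class LogEntry:
    ts: str
    level: str
    msg: str


def parse_log(text):
    """Parse raw log text into LogEntry records, skipping lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(LogEntry(m["ts"], m["level"], m["msg"]))
    return entries


def clientservice_failures(entries):
    """Count failed ClientService connections per (client, reason)."""
    counts = Counter()
    for e in entries:
        m = CLIENTSERVICE_RE.search(e.msg)
        if m:
            counts[(m["client"], m["reason"])] += 1
    return counts


def backoff_events(entries):
    """Return (timestamp, wait, backup kind) for every exponential-backoff warning."""
    events = []
    for e in entries:
        m = BACKOFF_RE.search(e.msg)
        if m:
            events.append((e.ts, m["wait"], m["kind"]))
    return events


def bind_failures(entries):
    """Return (address family, port) for every socket bind failure."""
    found = []
    for e in entries:
        m = BIND_RE.search(e.msg)
        if m:
            found.append((m["family"], int(m["port"])))
    return found


def summarize(server_text, client_text):
    """Combine both logs into one triage summary."""
    server = parse_log(server_text)
    client = parse_log(client_text)
    failures = clientservice_failures(server)
    per_client = Counter()
    for (host, _reason), n in failures.items():
        per_client[host] += n
    return {
        "server_entries": len(server),
        "per_client": dict(per_client),
        "reasons": dict(failures),
        "backoff": backoff_events(server),
        "early_error": any("Backup had an early error" in e.msg for e in server),
        "client_bind_failures": bind_failures(client),
    }


if __name__ == "__main__":
    for key, value in summarize(SERVER_LOG, CLIENT_LOG).items():
        print(f"{key}: {value}")
```

The summary makes the picture explicit: every server-side failure is a connection to the client's ClientService, the only client-side error is a bind on port 35623, and the backoff timer tells you how long to wait before the next retry, which is useful when comparing firewall counters (the `counter drop` rules above) against retry attempts.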