Duplicacy Web currently logs the client IP in the following way whenever the login fails:
“2022/05/09 17:02:00 Incorrect admin password from [IP]:[PORT]: derived token is [token1], admin token is [token2]”
However, I run Duplicacy Web behind a reverse proxy. So the logged IP is the address of the reverse proxy. This is fine but I would also like to have the IP of the real client. I believe this can be obtained from X-Forwarded-For or X-Real-IP HTTP header.
A side note, I would not expose duplicacy web interface to anything but localhost as of today.
At least not until everything discussed here
Web-UI security: HTTPS, sessions, and logout button is done.
Exposing the web interface only on localhost is not very convenient when it is running on a headless server.
The link you posted seems to contain old information. There is a logout button already and I can’t access the web UI from another session when I’m logged in. I have Traefik terminating HTTPS with a Let’s Encrypt certificate so I believe this setup should be fairly secure.
If the real client IP was also logged on failed login, I could also setup Fail2ban.