Solved Rsync Daemon Encryption SSH or HAProxy SSL FROM Synology or QNAP

I set up a server with the rsync daemon. I'm trying to activate SSL encryption, which according to the documentation can be achieved by using a reverse proxy such as HAProxy. If I configure HAProxy without a certificate it works perfectly; if I insert the certificate as per the rsyncd man page configuration, I get this looping error: "rsync error: error in socket IO (code 10) at clientname.c(326) [Receiver=3.2.7]". I haven't found much configuration regarding using SSL.

HAProxy Config

global
        daemon
        maxconn 4096

frontend fe_rsync
        bind *:874 ssl crt /root/certificate/rsyncd.pem
        mode tcp
        use_backend be_rsync

backend be_rsync
        mode tcp
        server localhost 127.0.0.1:873 check send-proxy
 
I've only ever run rsync over ssh, but rsync does come with rsync-ssl, maybe you need to use that? Can't tell much more than that since I've never used it.
 
Hi, thanks in the meantime. I'm trying to set up an rsync server with the rsyncd daemon. Basically a backup repository. The backup is still launched from n° nas via backup. I would have liked to enable encryption with SSL. From the rsyncd documentation it is possible to do it via a reverse proxy ("haproxy" or "nginx", for example), but I haven't found much documentation apart from the classic examples. I can't figure out how to run rsyncd via ssh.
 
I solved it after several attempts and various readings. I don't use HAProxy but SSH. It is sufficient to install rsync on the destination server, create an SSH user and insert the rsyncd.conf file with the backup path into the SSH login root. At this point the NAS, in this case a Synology, connects, authenticates and launches an rsync using the configuration of the file found in the root.
 
This is a basic configuration to /home/%user%/rsyncd.conf

max connections = 4
log file = /home/%user%/rsync.log
lock file = /home/%user%/rsyncd.lock
motd file = /home/%user%/motd-rsync
timeout = 300
#CONFIGURATION LOG RSYSLOG
syslog facility = local5
transfer logging = yes
syslog tag = rsyncd.%RSYNC_USER_NAME%
#MAX VERBOSITY LOG
max verbosity = 4


[NetBackup]
path = /%%path to backup %%%/
comment = Network Backup Share
use chroot = no
read only = no
list = yes
charset = utf-8
 
Neat, is the reason you are using rsyncd configs for logging? Asking because I've never had a need to; I just let rsync handle everything over ssh without worrying about rsyncd and configuration.
 
I also carried out tests on QNAP where it is not possible to use rsync in daemon mode, the user must be able to access the machine in sh with a shell. I'm trying to lock the user with chroot with poor results. As soon as I succeed I'll update the post with the operations necessary for the configuration. However rsync allows you to synchronize one or more folders. It doesn't allow me to do an incremental backup, but for that it takes zfs snapshots.

However, I have a PAM connection error in authentication from QNAP and I had to enable PasswordAuthentication on SSH, but I'm carrying out some tests.

So I'll keep the post updated and hope it's useful.
 
Hi, I've run a lot of tests with QNAP and I have to say that we're not quite there. QNAP doesn't allow me to take snapshots on FreeBSD via ssh and the rsync to ssh backup returns a lot of errors on the QNAP side. So I opted for 2 better solutions. 1. I connected QNAP in iSCSI to FreeBSD to make backups. 2. To create continuity of some services I connected the QNAP to FreeBSD in NFS and performed the rsync.
 
I could set up rsyncd + SSL by following https://serverfault.com/questions/1104113/configuring-rsync-over-ssl/1105885#1105885 .
Accessing stunnel + rsyncd with rsync-ssl worked fine with my FreeBSD hosts.
The only part I spent time on was this, in stunnel.conf:
Wrong: pid = /var/tmp/run/stunnel.pid
Correct: pid = /var/run/stunnel/stunnel.pid

However, my concern is 'Which is better, SSL or SSH?'. Some people say SSH is not good when many users concurrently rsync large files. But as long as SSL and SSH use similar encryption algorithms, I don't think there's a big difference in their CPU usage.
 
Hi, I carried out tests from a real FreeBSD Synology NAS and Synology connects via ssh and once connected it launches rsync looking for the configuration file in the home of the user used for the connection. So you don't need to start rsync as a daemon. From a QNAP NAS towards FreeBSD, instead, the service must be started as a daemon and PAM authentication disabled for the user used for the connection. It always depends on what you need to synchronize. I'm moving to ZFS replicas and snapshots; obviously I have to have ZFS on both systems. Is the synchronization you need to perform local, or are they two remote systems? However, even in the case of remote systems, a VPN makes the traffic encrypted.
 
Hi all, I have successfully implemented haproxy towards rsyncd with the following configuration:

Code:
frontend fe_rsync
        bind %haproxy ip%:873
        mode tcp
        use_backend be_rsync

backend be_rsync
        mode tcp
        server rsyncd %rsyncd ip%:873 send-proxy-v2

By enabling the option

Code:
proxy protocol = true

It must be enabled in GLOBAL and not in MODULE. Everything works perfectly and the logs are written correctly with the IP address of the client and not of the haproxy.
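
What `send-proxy-v2` puts in front of the rsync stream, and why the logged address follows it, shown as an added example (not code from this thread, HAProxy or rsync): a minimal PROXY protocol v2 header parser run on a constructed byte string. The names `parse_proxy_v2` and `address_to_log`, the sample addresses and the trusted-proxy set are assumptions for illustration; the peer check is there because the header is unauthenticated, so the rsyncd port should be reachable only from the proxy.

```python
import ipaddress
import struct

SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # fixed 12-byte PROXY v2 signature
ADDR_LEN = {0x11: 4, 0x21: 16}     # TCP over IPv4 / TCP over IPv6

def parse_proxy_v2(data):
    """Return (client_ip, client_port, payload); client_ip is None for LOCAL."""
    if len(data) < 16 or data[:12] != SIG:
        raise ValueError("stream does not start with a PROXY v2 header")
    ver_cmd, family, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or ver_cmd & 0x0F > 1:
        raise ValueError("unsupported version or command")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    block, payload = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F == 0:        # LOCAL (e.g. health check): no client address
        return None, None, payload
    alen = ADDR_LEN.get(family)
    if alen is None or length < 2 * alen + 4:
        raise ValueError("unsupported family or short address block")
    src = ipaddress.ip_address(block[:alen])
    (sport,) = struct.unpack("!H", block[2 * alen:2 * alen + 2])
    return str(src), sport, payload

def address_to_log(peer_ip, data, trusted_proxies):
    """Address a backend should record; the header counts only from a known proxy."""
    if peer_ip not in trusted_proxies:
        raise PermissionError("PROXY header from untrusted peer " + peer_ip)
    client_ip, _port, _payload = parse_proxy_v2(data)
    return client_ip if client_ip is not None else peer_ip

# Constructed sample: header for client 203.0.113.7:51512 -> 192.0.2.10:873,
# followed by a constructed rsync greeting line.
SAMPLE = (SIG + bytes([0x21, 0x11, 0x00, 0x0C])
          + bytes([203, 0, 113, 7, 192, 0, 2, 10])
          + struct.pack("!HH", 51512, 873)
          + b"@RSYNCD: 31.0\n")

if __name__ == "__main__":
    print(parse_proxy_v2(SAMPLE))
    print(address_to_log("127.0.0.1", SAMPLE, {"127.0.0.1"}))
```

A stream that starts directly with the rsync greeting raises `ValueError` here, which is the situation of a client that connects without going through the proxy.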
 