Multiple Users Backup to 3 Locations - Advice and best options

Greetings,

For the moment I have the following setup

Backup Protocol - Restic-server for speed

Locations for the servers : 3

1 high speed internet and 2 normal speed and different locations.

Clients :

around 50 , data between 5 - 80 GB / client
Data type : 1 folder with files and 1 mysql Database for each .

My questions are :

  1. How could I manage the best way on the restic-server side to protect each individual user ? I mean I don’t want user A to have access to userB and vice versa , do I use folder structure like /Backups/UserA and so on ? and I need to put the .htaccess password in the / or in each User folder ?

  2. In my case I need to define a backup template like 6 months retention for database and for files I guess we could go as well 6 months period . In the case of the database, do I need to specify the timestamp tag and file naming or I can just call it backup.sql and restic takes care of the rest ?

  3. What is the best way to backup the User data in terms of locations , can I set a backup to be done in the same time for all 3 locations or do I need to doit individually ?

  4. Can I backup let’s say Server1 (the fast one) to Server2 and Server3 ? , how should I do that for security purposes I’ll consider all 3 servers as insecure so if I backup my client A to Server 1 and then server 1 to server 2 and server 3, how the data will be on server 2 and 3 , re-encrypted from server 1 or original from Client A ?

I’m looking for the best option here and in the same time the safest option.

Thanks in advance

Hi @AurelianRQ,

  1. Please see the --private-repos argument to rest-server, it will allow you to have multiple users only getting access to their own individual repo by a subpath in the URL. In the folder that you tell rest-server to serve the repository from, you would have one subfolder per user. And yes, you need .htaccess in place (in that “root” folder) to define the passwords that clients connect to the rest-server with (not the same as their repository password).

  2. Not entirely sure what you mean here by “timestamp tag”. To clean out snapshots that are older than six months, you’d use for example the --keep-within=6m argument to the forget in restic - this is something that is done on the/a client (that client can run on the server where you run rest-server, but understand that you then need to provide the password for the repository you are forgetting in to/on the server, which might not be in line with your security policy). Please see https://restic.readthedocs.io/en/latest/060_forget.html#removing-snapshots-according-to-a-policy for more information. It might be better to use the other --keep-* arguments instead.

  3. You cannot do one backup run to multiple locations at the same time. You can either make one backup to a primary location and then clone that repository (the files that it’s made up of) to secondary locations, or you (which I recommend, especially since you don’t have much data to back up) simply run three separate backups, each to their own location/repository.

  4. If you want to back up clients only to Server1 and then “copy” the repositories from Server1 to Server2 and Server3, you’d simply clone/sync the repository files from that Server1 to the others. There’s no point in using e.g. restic to back those repositories up (with a new run of deduplication and encryption), you’d just sync the files. If you do it this way, the copies on Server2 and Server3 will be identical to the copy on Server1.