Automated config backups for FortiGate, Cisco, Juniper, Palo Alto, Brocade & Extreme — with a clean web UI, diff viewer, scheduling, and Docker deployment in minutes.
A free alternative to RANCID, Oxidized, and SolarWinds NCM.
ConfigBox aims to make network configuration backups straightforward for small to mid-sized teams: a single Docker command to deploy, a clean web UI everyone on the team can use, built-in 2FA, email alerts, and S3/Google Drive sync — all free and open-source. Your configs stay on your infrastructure.
| Vendor | Protocol | Detail |
|---|---|---|
| FortiGate | REST API | Config backup via /api/v2/monitor/system/config/backup |
| Juniper | SSH | `show configuration` |
| Cisco (IOS/NX-OS/ASA) | SSH | `show running-config` |
| Brocade (VDX/ICX/MLX) | SSH | `show running-config` |
| Extreme Networks (SLX) | SSH | `show running-config` |
| Palo Alto | PAN-OS XML API | Config export via XML API |
- Automated scheduled backups — cron-based, per-device schedules
- One-click manual backup from the dashboard
- Built-in config diff — compare any two backups side-by-side
- Remote backup to S3-compatible storage (AWS, MinIO, R2, B2) or Google Drive
- Automatic archival — gzip compression of old backups to save disk
- Plain file storage — even if the app stops, configs are readable in `backups/`
- CSV bulk import — onboard hundreds of devices in seconds
- Clone devices — duplicate an existing device's settings & credentials in one click
- Two-factor authentication (TOTP) for all users
- AES-256-CBC encrypted credentials (API tokens, SSH passwords, SMTP)
- Role-based access control (Admin / Backup Admin)
- Comprehensive audit log — every action tracked with user, IP, timestamp
- Rate limiting on auth endpoints and downloads
- Single-use download tokens — backup files cannot be re-fetched with a leaked URL
- SSRF / gzip-bomb / path-traversal protection
- Dashboard with statistics, trend charts, recent activity
- Email notifications — success / failure / config change / daily summary
- Batched summary emails — multiple backup results within a 3-minute window are combined into one email instead of N
- Config change emails include the diff — see exactly what changed without opening the dashboard
- Smart noise filtering — timestamps and other auto-changing lines are ignored, no false-positive alerts
- Location-based device grouping with filtering
- Vendor + location filters on the device list
- Multi-vendor support — FortiGate, Cisco (IOS/NX-OS/ASA), Juniper, Palo Alto, Brocade, Extreme
- Legacy device compatibility — automatic openssh fallback for older SSH servers
- Dark mode / light mode
- Multi-language UI — English & Turkish
- Modern web UI built with React + Tailwind
- Lightweight — single Go binary, slim Docker image
- Self-hosted — your configs never leave your infrastructure
- Docker & Docker Compose

```bash
git clone https://github.com/yunuskargi/configbox.git
cd configbox
cp .env.example .env
# Change the JWT_SECRET value in .env!
docker compose up -d
```

The application will be available at http://localhost:6161.

- Username: `admin`
- Password: `admin`

It is recommended to change your password after first login.

```bash
# Reset a user's password
docker compose exec backend /configbox reset-password <username> <new-password>
```

```
backups/
├── fortigate/
│   └── device-name/
│       ├── 2024-01-15_020000.conf
│       └── 2024-01-16_020000.conf
├── juniper/
├── cisco/
├── brocade/
├── extreme/
└── paloalto/
```

ConfigBox can automatically upload a copy of each backup to S3-compatible storage (AWS, MinIO, Cloudflare R2, Backblaze B2) or Google Drive. Configure via Settings → Remote Backup in the web UI — setup guides are included.
| Component | Technology |
|---|---|
| Backend | Go (Chi router, sqlx, golang.org/x/crypto/ssh) |
| Frontend | React + Vite |
| Database | SQLite (WAL mode) |
| Auth | JWT + bcrypt + TOTP |
| Encryption | AES-256-CBC |
| Scheduler | robfig/cron |
Your data is safe during updates:
- Database → stored in Docker named volume `db-data`, persists across container rebuilds
- Config backups → stored in `./backups` bind mount on your host, untouched during updates
- Schema → uses `CREATE TABLE IF NOT EXISTS`, no manual migration needed

```bash
cd configbox
# Pull latest source
git pull
# Rebuild and restart (containers are recreated automatically, data is preserved)
docker compose up -d --build
```

Do NOT change `JWT_SECRET` in `.env` after initial setup. All device credentials (API tokens, SSH passwords) are encrypted with this key. Changing it will make existing credentials unreadable — you would need to re-enter all device passwords.

Do NOT delete the `db-data` Docker volume. It contains your SQLite database with all devices, users, backup history, and settings. If you need to check: `docker volume ls | grep db-data`

Back up your `.env` file before updating. If you accidentally lose it, you lose your `JWT_SECRET` and encrypted credentials cannot be recovered.

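
The first-run step (copy `.env.example`, change `JWT_SECRET`) and the advice to back up `.env` before updating can be scripted as follows. This is an added example, not part of the ConfigBox project; it assumes `.env.example` contains a `JWT_SECRET=` line, and the function names `init_env` and `backup_env` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: first-time .env setup and pre-update backup for ConfigBox.
# Assumption: .env.example contains a line of the form JWT_SECRET=<placeholder>.

# Create .env from .env.example with a random JWT_SECRET.
# Refuses to run if .env already exists: replacing the secret after devices
# have been added would make their stored credentials unreadable.
init_env() {
  dir="${1:-.}"
  if [ -e "$dir/.env" ]; then
    echo "refusing to overwrite existing $dir/.env" >&2
    return 1
  fi
  grep -q '^JWT_SECRET=' "$dir/.env.example" || {
    echo "no JWT_SECRET= line in $dir/.env.example" >&2
    return 1
  }
  # 32 random bytes from the kernel CSPRNG, hex-encoded (64 characters).
  secret="$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')"
  # umask 077 makes the new .env readable by its owner only.
  ( umask 077
    sed "s|^JWT_SECRET=.*|JWT_SECRET=${secret}|" "$dir/.env.example" > "$dir/.env" )
}

# Copy .env to a timestamped, owner-only file before an update and
# print the path of the copy.
backup_env() {
  dir="${1:-.}"
  dest="$dir/.env.backup.$(date +%Y%m%d_%H%M%S)"
  ( umask 077; cp "$dir/.env" "$dest" ) && echo "$dest"
}
```

Run `init_env .` in the cloned directory before the first `docker compose up -d`, and `backup_env .` before each `git pull`; keep a copy of the backup somewhere other than the ConfigBox host.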
- Default login is `admin` / `admin` — you will be asked to change it on first login
- All credentials (device passwords, API keys, SMTP) are encrypted in the database
- If you expose ConfigBox to the internet, put a reverse proxy with SSL in front (nginx, Traefik, Caddy)
- See `.env.example` for optional settings like `ENCRYPTION_KEY`, `TRUSTED_PROXY`, and `FORCE_HTTPS`

This project is licensed under AGPL-3.0.
Pull requests and issues are welcome. For major changes, please open an issue first.
