bin/pveproxy

   1 #!/usr/bin/perl -T -w
   2
   3 $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
   4
   5 delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
   6
   7 use strict;
   8 use English;
   9 use Getopt::Long;
  10 use POSIX ":sys_wait_h";
  11 use Socket;
  12 use IO::Socket::INET;
  13 use PVE::SafeSyslog;
  14 use PVE::APIDaemon;
  15 use HTTP::Response;
  16 use Encode;
  17 use URI;
  18 use URI::QueryParam;
  19 use File::Find;
  20 use Data::Dumper;
  21
  22 my $pidfile = "/var/run/pveproxy/pveproxy.pid";
  23 my $lockfile = "/var/lock/pveproxy.lck";
  24
  25 my $opt_debug;
  26
  27 initlog ('pveproxy');
  28
  29 if (!GetOptions ('debug' => \$opt_debug)) {
  30     die "usage: $0 [--debug]\n";
  31 }
  32
  33 $SIG{'__WARN__'} = sub {
  34     my $err = $@;
  35     my $t = $_[0];
  36     chomp $t;
  37     syslog('warning', "WARNING: %s", $t);
  38     $@ = $err;
  39 };
  40
  41 $0 = "pveproxy";
  42
  43 # run as www-data
  44 my $gid = getgrnam('www-data') || die "getgrnam failed - $!\n";
  45 POSIX::setgid($gid) || die "setgid $gid failed - $!\n";
  46 $EGID = "$gid $gid"; # this calls setgroups
  47 my $uid = getpwnam('www-data') || die "getpwnam failed - $!\n";
  48 POSIX::setuid($uid) || die "setuid $uid failed - $!\n";
  49
  50 # just to be sure
  51 die "detected strange uid/gid\n" if !($UID == $uid && $EUID == $uid && $GID eq "$gid $gid" && $EGID eq "$gid $gid");
  52
  53 my $proxyconf = PVE::APIDaemon::read_proxy_config();
  54
  55 sub add_dirs {
  56     my ($result_hash, $alias, $subdir) = @_;
  57
  58     $result_hash->{$alias} = $subdir;
  59
  60     my $wanted = sub {
  61         my $dir = $File::Find::dir;
  62         if ($dir =~m!^$subdir(.*)$!) {
  63             my $name = "$alias$1/";
  64             $result_hash->{$name} = "$dir/";
  65         }
  66     };
  67
  68     find({wanted => $wanted, follow => 0, no_chdir => 1}, $subdir);
  69 }
  70
  71 my $cpid;
  72 my $daemon;
  73 eval {
  74
  75     my $dirs = {};
  76
  77     add_dirs($dirs, '/pve2/ext4/', '/usr/share/pve-manager/ext4/');
  78     add_dirs($dirs, '/pve2/images/' => '/usr/share/pve-manager/images/');
  79     add_dirs($dirs, '/pve2/css/' => '/usr/share/pve-manager/css/');
  80     add_dirs($dirs, '/vncterm/' => '/usr/share/vncterm/');
  81
  82     $daemon = PVE::APIDaemon->new(
  83         port => 8006,
  84         keep_alive => 100,
  85         max_conn => 500,
  86         max_requests => 1000,
  87         debug => $opt_debug,
  88         allow_from => $proxyconf->{ALLOW_FROM},
  89         deny_from => $proxyconf->{DENY_FROM},
  90         policy => $proxyconf->{POLICY},
  91         trusted_env => 0, # not trusted, anyone can connect
  92         logfile => '/var/log/pveproxy/access.log',
  93         lockfile => $lockfile,
  94         ssl => {
  95             cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',
  96             key_file => '/etc/pve/local/pve-ssl.key',
  97             cert_file => '/etc/pve/local/pve-ssl.pem',
  98         },
  99         # Note: there is no authentication for those pages and dirs!
 100         pages => {
 101             '/' => \&get_index,
 102             # avoid authentication when accessing favicon
 103             '/favicon.ico' => {
 104                 file => '/usr/share/pve-manager/images/favicon.ico',
 105             },
 106         },
 107         dirs => $dirs,
 108     );
 109 };
 110
 111 my $err = $@;
 112
 113 if ($err) {
 114     syslog ('err' , "unable to start server: $err");
 115     print STDERR $err;
 116     exit (-1);
 117 }
 118
 119
 120 if ($opt_debug || !($cpid = fork ())) {
 121
 122     $SIG{PIPE} = 'IGNORE';
 123     $SIG{INT} = 'IGNORE' if !$opt_debug;
 124
 125     $SIG{TERM} = $SIG{QUIT} = sub {
 126         syslog ('info' , "server closing");
 127
 128         $SIG{INT} = 'DEFAULT';
 129
 130         unlink "$pidfile" if !$opt_debug;
 131
 132         exit (0);
 133     };
 134
 135     syslog ('info' , "starting server");
 136
 137     if (!$opt_debug) {
 138         # redirect STDIN/STDOUT/SDTERR to /dev/null
 139         open STDIN,  '</dev/null' || die "can't read /dev/null  [$!]";
 140         open STDOUT, '>/dev/null' || die "can't write /dev/null [$!]";
 141         open STDERR, '>&STDOUT' || die "can't open STDERR to STDOUT [$!]";
 142     }
 143
 144     POSIX::setsid();
 145
 146     eval {
 147         $daemon->start_server();
 148     };
 149     my $err = $@;
 150
 151     if ($err) {
 152         syslog ('err' , "unexpected server error: $err");
 153         print STDERR $err if $opt_debug;
 154         exit (-1);
 155     }
 156
 157 } else {
 158
 159     open (PIDFILE, ">$pidfile") ||
 160         die "cant write '$pidfile' - $! :ERROR";
 161     print PIDFILE "$cpid\n";
 162     close (PIDFILE) ||
 163         die "cant write '$pidfile' - $! :ERROR";
 164 }
 165
 166 exit (0);
 167
 168 # NOTE: Requests to those pages are not authenticated
 169 # so we must be very careful here
 170
 171 sub get_index {
 172     my ($server, $r, $args) = @_;
 173
 174     my $lang = 'en';
 175     my $username;
 176     my $token = 'null';
 177
 178     if (my $cookie = $r->header('Cookie')) {
 179         if (my $newlang = ($cookie =~ /(?:^|\s)PVELangCookie=([^;]*)/)[0]) {
 180             if ($newlang =~ m/^[a-z]{2,3}(_[A-Z]{2,3})?$/) {
 181                 $lang = $newlang;
 182             }
 183         }
 184         my $ticket = PVE::REST::extract_auth_cookie($cookie);
 185         if (($username = PVE::AccessControl::verify_ticket($ticket, 1))) {
 186             $token = PVE::AccessControl::assemble_csrf_prevention_token($username);
 187         }
 188     }
 189
 190     my $workspace = defined($args->{console}) ?
 191         "PVE.ConsoleWorkspace" : "PVE.StdWorkspace";
 192
 193     $username = '' if !$username;
 194
 195     my $jssrc = <<_EOJS;
 196 if (!PVE) PVE = {};
 197 PVE.UserName = '$username';
 198 PVE.CSRFPreventionToken = '$token';
 199 _EOJS
 200
 201     my $langfile = "/usr/share/pve-manager/ext4/locale/ext-lang-${lang}.js";
 202     $jssrc .= PVE::Tools::file_get_contents($langfile) if -f $langfile;
 203
 204     my $i18nsrc;
 205     $langfile = "/usr/share/pve-manager/root/pve-lang-${lang}.js";
 206     if (-f $langfile) {
 207         $i18nsrc = PVE::Tools::file_get_contents($langfile);
 208     } else {
 209         $i18nsrc = 'function gettext(buf) { return buf; }';
 210     }
 211
 212     $jssrc .= <<_EOJS;
 213
 214 // we need this (the java applet ignores the zindex)
 215 Ext.useShims = true;
 216
 217 Ext.History.fieldid = 'x-history-field';
 218
 219 Ext.onReady(function() { Ext.create('$workspace');});
 220
 221 _EOJS
 222
 223     my $page = <<_EOD;
 224 <html>
 225   <head>
 226     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 227
 228     <title>Proxmox Virtual Environment</title>
 229
 230     <link rel="stylesheet" type="text/css" href="/pve2/ext4/resources/css/ext-all.css" />
 231     <link rel="stylesheet" type="text/css" href="/pve2/css/ext-pve.css" />
 232
 233     <script type="text/javascript">$i18nsrc</script>
 234     <script type="text/javascript" src="/pve2/ext4/ext-all-debug.js"></script>
 235     <script type="text/javascript" src="/pve2/ext4/pvemanagerlib.js"></script>
 236     <script type="text/javascript">$jssrc</script>
 237
 238   </head>
 239   <body>
 240     <!-- Fields required for history management -->
 241     <form id="history-form" class="x-hidden">
 242     <input type="hidden" id="x-history-field"/>
 243     </form>
 244   </body>
 245 </html>
 246 _EOD
 247
 248     my $resp = HTTP::Response->new(200, "OK", undef, $page);
 249
 250     return $resp;
 251 }
 252
 253 __END__
 254
 255 =head1 NAME
 256
 257 pveproxy - the PVE API proxy server
 258
 259 =head1 SYNOPSIS
 260
 261 pveproxy [--debug]
 262
 263 =head1 DESCRIPTION
 264
 265 This is the REST API proxy server, listening on port 8006. This is usually started
 266 as service using:
 267
 268  # service pveproxy start
 269
 270 =head1 Host based access control
 271
 272 It is possible to configure apache2 like access control lists. Values are read
 273 from file /etc/default/pveproxy. For example:
 274
 275  ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
 276  DENY_FROM="all"
 277  POLICY="allow"
 278
 279 IP addresses can be specified using any syntax understoop by Net::IP. The
 280 name 'all' is an alias for '0/0'.
 281
 282 The default policy is 'allow'.
 283
 284  Match                      | POLICY=deny | POLICY=allow
 285  ---------------------------|-------------|------------
 286  Match Allow only           | allow       | allow
 287  Match Deny only            | deny        | deny
 288  No match                   | deny        | allow
 289  Match Both Allow & Deny    | deny        | allow
 290
 291 =head1 SSL Cipher Suite
 292
 293 You can define the chiper list in /etc/default/pveproxy, for example
 294
 295  CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
 296
 297 Above is the default. See the ciphers(1) man page from the openssl
 298 package for list of all available options.
 299
 300 =head1 FILES
 301
 302  /etc/default/pveproxy
 303
 304 =head1 COPYRIGHT AND DISCLAIMER
 305
 306  Copyright (C) 2007-2013 Proxmox Server Solutions GmbH
 307
 308  This program is free software: you can redistribute it and/or modify it
 309  under the terms of the GNU Affero General Public License as published
 310  by the Free Software Foundation, either version 3 of the License, or
 311  (at your option) any later version.
 312
 313  This program is distributed in the hope that it will be useful, but
 314  WITHOUT ANY WARRANTY; without even the implied warranty of
 315  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 316  Affero General Public License for more details.
 317
 318  You should have received a copy of the GNU Affero General Public
 319  License along with this program.  If not, see
 320  <http://www.gnu.org/licenses/>.
 321