3 $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
5 delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
10 use POSIX
":sys_wait_h";
22 my $pidfile = "/var/run/pveproxy/pveproxy.pid";
23 my $lockfile = "/var/lock/pveproxy.lck";
29 if (!GetOptions
('debug' => \
$opt_debug)) {
30 die "usage: $0 [--debug]\n";
33 $SIG{'__WARN__'} = sub {
37 syslog
('warning', "WARNING: %s", $t);
44 my $gid = getgrnam('www-data') || die "getgrnam failed - $!\n";
45 POSIX
::setgid
($gid) || die "setgid $gid failed - $!\n";
46 $EGID = "$gid $gid"; # this calls setgroups
47 my $uid = getpwnam('www-data') || die "getpwnam failed - $!\n";
48 POSIX
::setuid
($uid) || die "setuid $uid failed - $!\n";
51 die "detected strange uid/gid\n" if !($UID == $uid && $EUID == $uid && $GID eq "$gid $gid" && $EGID eq "$gid $gid");
53 my $proxyconf = PVE
::APIDaemon
::read_proxy_config
();
56 my ($result_hash, $alias, $subdir) = @_;
58 $result_hash->{$alias} = $subdir;
61 my $dir = $File::Find
::dir
;
62 if ($dir =~m!^$subdir(.*)$!) {
63 my $name = "$alias$1/";
64 $result_hash->{$name} = "$dir/";
68 find
({wanted
=> $wanted, follow
=> 0, no_chdir
=> 1}, $subdir);
77 add_dirs
($dirs, '/pve2/ext4/', '/usr/share/pve-manager/ext4/');
78 add_dirs
($dirs, '/pve2/images/' => '/usr/share/pve-manager/images/');
79 add_dirs
($dirs, '/pve2/css/' => '/usr/share/pve-manager/css/');
80 add_dirs
($dirs, '/vncterm/' => '/usr/share/vncterm/');
82 $daemon = PVE
::APIDaemon-
>new(
88 allow_from
=> $proxyconf->{ALLOW_FROM
},
89 deny_from
=> $proxyconf->{DENY_FROM
},
90 policy
=> $proxyconf->{POLICY
},
91 trusted_env
=> 0, # not trusted, anyone can connect
92 logfile
=> '/var/log/pveproxy/access.log',
93 lockfile
=> $lockfile,
95 cipher_list
=> $proxyconf->{CIPHERS
} || 'HIGH:MEDIUM:!aNULL:!MD5',
96 key_file
=> '/etc/pve/local/pve-ssl.key',
97 cert_file
=> '/etc/pve/local/pve-ssl.pem',
99 # Note: there is no authentication for those pages and dirs!
102 # avoid authentication when accessing favicon
104 file
=> '/usr/share/pve-manager/images/favicon.ico',
114 syslog
('err' , "unable to start server: $err");
120 if ($opt_debug || !($cpid = fork ())) {
122 $SIG{PIPE
} = 'IGNORE';
123 $SIG{INT
} = 'IGNORE' if !$opt_debug;
125 $SIG{TERM
} = $SIG{QUIT
} = sub {
126 syslog
('info' , "server closing");
128 $SIG{INT
} = 'DEFAULT';
130 unlink "$pidfile" if !$opt_debug;
135 syslog
('info' , "starting server");
138 # redirect STDIN/STDOUT/SDTERR to /dev/null
139 open STDIN
, '</dev/null' || die "can't read /dev/null [$!]";
140 open STDOUT
, '>/dev/null' || die "can't write /dev/null [$!]";
141 open STDERR
, '>&STDOUT' || die "can't open STDERR to STDOUT [$!]";
147 $daemon->start_server();
152 syslog
('err' , "unexpected server error: $err");
153 print STDERR
$err if $opt_debug;
159 open (PIDFILE
, ">$pidfile") ||
160 die "cant write '$pidfile' - $! :ERROR";
161 print PIDFILE
"$cpid\n";
163 die "cant write '$pidfile' - $! :ERROR";
168 # NOTE: Requests to those pages are not authenticated
169 # so we must be very careful here
172 my ($server, $r, $args) = @_;
178 if (my $cookie = $r->header('Cookie')) {
179 if (my $newlang = ($cookie =~ /(?:^|\s)PVELangCookie=([^;]*)/)[0]) {
180 if ($newlang =~ m/^[a-z]{2,3}(_[A-Z]{2,3})?$/) {
184 my $ticket = PVE
::REST
::extract_auth_cookie
($cookie);
185 if (($username = PVE
::AccessControl
::verify_ticket
($ticket, 1))) {
186 $token = PVE
::AccessControl
::assemble_csrf_prevention_token
($username);
190 my $workspace = defined($args->{console
}) ?
191 "PVE.ConsoleWorkspace" : "PVE.StdWorkspace";
193 $username = '' if !$username;
197 PVE.UserName = '$username';
198 PVE.CSRFPreventionToken = '$token';
201 my $langfile = "/usr/share/pve-manager/ext4/locale/ext-lang-${lang}.js";
202 $jssrc .= PVE
::Tools
::file_get_contents
($langfile) if -f
$langfile;
205 $langfile = "/usr/share/pve-manager/root/pve-lang-${lang}.js";
207 $i18nsrc = PVE
::Tools
::file_get_contents
($langfile);
209 $i18nsrc = 'function gettext(buf) { return buf; }';
214 // we need this (the java applet ignores the zindex)
217 Ext.History.fieldid = 'x-history-field';
219 Ext.onReady(function() { Ext.create('$workspace');});
226 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
228 <title>Proxmox Virtual Environment</title>
230 <link rel="stylesheet" type="text/css" href="/pve2/ext4/resources/css/ext-all.css" />
231 <link rel="stylesheet" type="text/css" href="/pve2/css/ext-pve.css" />
233 <script type="text/javascript">$i18nsrc</script>
234 <script type="text/javascript" src="/pve2/ext4/ext-all-debug.js"></script>
235 <script type="text/javascript" src="/pve2/ext4/pvemanagerlib.js"></script>
236 <script type="text/javascript">$jssrc</script>
240 <!-- Fields required for history management -->
241 <form id="history-form" class="x-hidden">
242 <input type="hidden" id="x-history-field"/>
248 my $resp = HTTP
::Response-
>new(200, "OK", undef, $page);
257 pveproxy - the PVE API proxy server
265 This is the REST API proxy server, listening on port 8006. This is usually started
268 # service pveproxy start
270 =head1 Host based access control
272 It is possible to configure apache2 like access control lists. Values are read
273 from file /etc/default/pveproxy. For example:
275 ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
279 IP addresses can be specified using any syntax understoop by Net::IP. The
280 name 'all' is an alias for '0/0'.
282 The default policy is 'allow'.
284 Match | POLICY=deny | POLICY=allow
285 ---------------------------|-------------|------------
286 Match Allow only | allow | allow
287 Match Deny only | deny | deny
288 No match | deny | allow
289 Match Both Allow & Deny | deny | allow
291 =head1 SSL Cipher Suite
293 You can define the chiper list in /etc/default/pveproxy, for example
295 CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
297 Above is the default. See the ciphers(1) man page from the openssl
298 package for list of all available options.
302 /etc/default/pveproxy
304 =head1 COPYRIGHT AND DISCLAIMER
306 Copyright (C) 2007-2013 Proxmox Server Solutions GmbH
308 This program is free software: you can redistribute it and/or modify it
309 under the terms of the GNU Affero General Public License as published
310 by the Free Software Foundation, either version 3 of the License, or
311 (at your option) any later version.
313 This program is distributed in the hope that it will be useful, but
314 WITHOUT ANY WARRANTY; without even the implied warranty of
315 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
316 Affero General Public License for more details.
318 You should have received a copy of the GNU Affero General Public
319 License along with this program. If not, see
320 <http://www.gnu.org/licenses/>.