3 $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin';
5 delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
10 use POSIX
":sys_wait_h";
22 my $pidfile = "/var/run/pveproxy/pveproxy.pid";
23 my $lockfile = "/var/lock/pveproxy.lck";
29 if (!GetOptions
('debug' => \
$opt_debug)) {
30 die "usage: $0 [--debug]\n";
33 $SIG{'__WARN__'} = sub {
37 syslog
('warning', "WARNING: %s", $t);
44 my $gid = getgrnam('www-data') || die "getgrnam failed - $!\n";
45 POSIX
::setgid
($gid) || die "setgid $gid failed - $!\n";
46 $EGID = "$gid $gid"; # this calls setgroups
47 my $uid = getpwnam('www-data') || die "getpwnam failed - $!\n";
48 POSIX
::setuid
($uid) || die "setuid $uid failed - $!\n";
51 die "detected strange uid/gid\n" if !($UID == $uid && $EUID == $uid && $GID eq "$gid $gid" && $EGID eq "$gid $gid");
53 my $proxyconf = PVE
::APIDaemon
::read_proxy_config
();
56 my ($result_hash, $alias, $subdir) = @_;
58 $result_hash->{$alias} = $subdir;
61 my $dir = $File::Find
::dir
;
62 if ($dir =~m!^$subdir(.*)$!) {
63 my $name = "$alias$1/";
64 $result_hash->{$name} = "$dir/";
68 find
({wanted
=> $wanted, follow
=> 0, no_chdir
=> 1}, $subdir);
77 add_dirs
($dirs, '/pve2/ext4/', '/usr/share/pve-manager/ext4/');
78 add_dirs
($dirs, '/pve2/images/' => '/usr/share/pve-manager/images/');
79 add_dirs
($dirs, '/pve2/css/' => '/usr/share/pve-manager/css/');
80 add_dirs
($dirs, '/vncterm/' => '/usr/share/vncterm/');
82 $daemon = PVE
::APIDaemon-
>new(
88 allow_from
=> $proxyconf->{ALLOW_FROM
},
89 deny_from
=> $proxyconf->{DENY_FROM
},
90 policy
=> $proxyconf->{POLICY
},
91 trusted_env
=> 0, # not trusted, anyone can connect
92 logfile
=> '/var/log/pveproxy/access.log',
93 lockfile
=> $lockfile,
95 key_file
=> '/etc/pve/local/pve-ssl.key',
96 cert_file
=> '/etc/pve/local/pve-ssl.pem',
98 # Note: there is no authentication for those pages and dirs!
101 # avoid authentication when accessing favicon
103 file
=> '/usr/share/pve-manager/images/favicon.ico',
113 syslog
('err' , "unable to start server: $err");
119 if ($opt_debug || !($cpid = fork ())) {
121 $SIG{PIPE
} = 'IGNORE';
122 $SIG{INT
} = 'IGNORE' if !$opt_debug;
124 $SIG{TERM
} = $SIG{QUIT
} = sub {
125 syslog
('info' , "server closing");
127 $SIG{INT
} = 'DEFAULT';
129 unlink "$pidfile" if !$opt_debug;
134 syslog
('info' , "starting server");
137 # redirect STDIN/STDOUT/SDTERR to /dev/null
138 open STDIN
, '</dev/null' || die "can't read /dev/null [$!]";
139 open STDOUT
, '>/dev/null' || die "can't write /dev/null [$!]";
140 open STDERR
, '>&STDOUT' || die "can't open STDERR to STDOUT [$!]";
146 $daemon->start_server();
151 syslog
('err' , "unexpected server error: $err");
152 print STDERR
$err if $opt_debug;
158 open (PIDFILE
, ">$pidfile") ||
159 die "cant write '$pidfile' - $! :ERROR";
160 print PIDFILE
"$cpid\n";
162 die "cant write '$pidfile' - $! :ERROR";
167 # NOTE: Requests to those pages are not authenticated
168 # so we must be very careful here
171 my ($server, $r, $args) = @_;
177 if (my $cookie = $r->header('Cookie')) {
178 if (my $newlang = ($cookie =~ /(?:^|\s)PVELangCookie=([^;]*)/)[0]) {
179 if ($newlang =~ m/^[a-z]{2,3}(_[A-Z]{2,3})?$/) {
183 my $ticket = PVE
::REST
::extract_auth_cookie
($cookie);
184 if (($username = PVE
::AccessControl
::verify_ticket
($ticket, 1))) {
185 $token = PVE
::AccessControl
::assemble_csrf_prevention_token
($username);
189 my $workspace = defined($args->{console
}) ?
190 "PVE.ConsoleWorkspace" : "PVE.StdWorkspace";
192 $username = '' if !$username;
196 PVE.UserName = '$username';
197 PVE.CSRFPreventionToken = '$token';
200 my $langfile = "/usr/share/pve-manager/ext4/locale/ext-lang-${lang}.js";
201 $jssrc .= PVE
::Tools
::file_get_contents
($langfile) if -f
$langfile;
204 $langfile = "/usr/share/pve-manager/root/pve-lang-${lang}.js";
206 $i18nsrc = PVE
::Tools
::file_get_contents
($langfile);
208 $i18nsrc = 'function gettext(buf) { return buf; }';
213 // we need this (the java applet ignores the zindex)
216 Ext.History.fieldid = 'x-history-field';
218 Ext.onReady(function() { Ext.create('$workspace');});
225 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
227 <title>Proxmox Virtual Environment</title>
229 <link rel="stylesheet" type="text/css" href="/pve2/ext4/resources/css/ext-all.css" />
230 <link rel="stylesheet" type="text/css" href="/pve2/css/ext-pve.css" />
232 <script type="text/javascript">$i18nsrc</script>
233 <script type="text/javascript" src="/pve2/ext4/ext-all-debug.js"></script>
234 <script type="text/javascript" src="/pve2/ext4/pvemanagerlib.js"></script>
235 <script type="text/javascript">$jssrc</script>
239 <!-- Fields required for history management -->
240 <form id="history-form" class="x-hidden">
241 <input type="hidden" id="x-history-field"/>
247 my $resp = HTTP
::Response-
>new(200, "OK", undef, $page);
256 pveproxy - the PVE API proxy server
264 This is the REST API proxy server, listening on port 8006. This is usually started
267 # service pveproxy start
269 =head1 Host based access control
271 It is possible to configure apache2 like access control lists. Values are read
272 from file /etc/default/pveproxy. For example:
274 ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
278 IP addresses can be specified using any syntax understoop by Net::IP. The
279 name 'all' is an alias for '0/0'.
281 The default policy is 'allow'.
283 Match | POLICY=deny | POLICY=allow
284 ---------------------------|-------------|------------
285 Match Allow only | allow | allow
286 Match Deny only | deny | deny
287 No match | deny | allow
288 Match Both Allow & Deny | deny | allow
292 /etc/default/pveproxy
294 =head1 COPYRIGHT AND DISCLAIMER
296 Copyright (C) 2007-2013 Proxmox Server Solutions GmbH
298 This program is free software: you can redistribute it and/or modify it
299 under the terms of the GNU Affero General Public License as published
300 by the Free Software Foundation, either version 3 of the License, or
301 (at your option) any later version.
303 This program is distributed in the hope that it will be useful, but
304 WITHOUT ANY WARRANTY; without even the implied warranty of
305 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
306 Affero General Public License for more details.
308 You should have received a copy of the GNU Affero General Public
309 License along with this program. If not, see
310 <http://www.gnu.org/licenses/>.