1 | package PVE::APIServer::Utils; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use Net::IP; | |
7 | ||
# all settings are used by pveproxy and pmgproxy;
# ALLOW_FROM, DENY_FROM and POLICY are also used by spiceproxy
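# Read the settings file /etc/default/<proxy_name> of a proxy daemon.
#
# The file is shell syntax, so it is sourced by bash and the variables of
# interest are echoed back as "KEY:VALUE" lines which are parsed here.
# Because the file is executed, it must only be writable by root.
#
# Parameters:
#   $proxy_name - base name of the file below /etc/default (e.g. 'pveproxy');
#                 restricted to [A-Za-z0-9_.-] because it is interpolated
#                 into a shell command line.
#
# Returns a hash reference holding the recognised settings:
#   LISTEN_IP, CIPHERS, CIPHERSUITES, DHPARAMS, TLS_KEY_FILE
#       - the raw string from the file, no validation here
#   POLICY
#       - 'allow' or 'deny'
#   ALLOW_FROM, DENY_FROM
#       - array ref of Net::IP objects built from a comma separated list;
#         'all' expands to 0/0 and ::/0, other entries go through
#         normalize_v4_in_v6 first
#   HONOR_CIPHER_ORDER, COMPRESSION, DISABLE_TLS_1_2, DISABLE_TLS_1_3
#       - '0' or '1'
# Keys that are unset or empty in the file are absent from the result, a
# missing file yields an empty hash, unknown keys are ignored.
#
# Dies on a missing/invalid proxy name, when bash exits non-zero, on an
# unparsable IP/network, an unknown POLICY or a boolean that is not 0/1.
sub read_proxy_config {
    my ($proxy_name) = @_;

    die "missing proxy name\n" if !defined($proxy_name);
    # defence in depth: $proxy_name becomes part of the shell command below
    die "invalid proxy name '$proxy_name'\n" if $proxy_name !~ m/^[A-Za-z0-9_.-]+$/;

    my $conffile = "/etc/default/$proxy_name";

    my $string_options = [qw(LISTEN_IP CIPHERS CIPHERSUITES DHPARAMS TLS_KEY_FILE)];
    my $list_options = [qw(ALLOW_FROM DENY_FROM)];
    my $boolean_options = [qw(HONOR_CIPHER_ORDER COMPRESSION DISABLE_TLS_1_2 DISABLE_TLS_1_3)];

    # historic echo order; the parser below does not depend on it
    my @echo_order = qw(
        LISTEN_IP ALLOW_FROM DENY_FROM POLICY CIPHERS CIPHERSUITES DHPARAMS
        TLS_KEY_FILE HONOR_CIPHER_ORDER COMPRESSION DISABLE_TLS_1_2 DISABLE_TLS_1_3
    );

    # Note: evaluate with bash - the file is shell code, not a key/value list.
    # The command string is placed inside a double-quoted "bash -c" argument
    # of the outer shell, hence the escaped quotes and dollar signs.
    my $shcmd = ". $conffile;\n";
    foreach my $opt (@echo_order) {
        $shcmd .= 'echo \"' . $opt . ':\$' . $opt . '\";';
    }

    my $data = '';
    if (-f $conffile) {
        $data = `bash -c "$shcmd"`;
        # Refuse to use partial output when bash itself failed (could not be
        # started, or the config file terminated the shell). NOTE: an error
        # inside the sourced file does not necessarily make bash exit non-zero,
        # so this is not a full syntax check of the config file.
        die "failed to evaluate '$conffile': exit status " . ($? >> 8) . "\n" if $? != 0;
    }

    my $res = {};

    while ($data =~ s/^(.*)\n//) {
        # limit of 2 keeps colons inside the value (e.g. IPv6 addresses) intact
        my ($key, $value) = split(/:/, $1, 2);
        next if !defined($value) || $value eq '';

        if (grep { $key eq $_ } @$list_options) {
            my $ips = [];
            foreach my $ip (split(/,/, $value)) {
                if ($ip eq 'all') {
                    push @$ips, Net::IP->new('0/0') || die Net::IP::Error() . "\n";
                    push @$ips, Net::IP->new('::/0') || die Net::IP::Error() . "\n";
                    next;
                }
                push @$ips, Net::IP->new(normalize_v4_in_v6($ip)) || die Net::IP::Error() . "\n";
            }
            $res->{$key} = $ips;
        } elsif ($key eq 'POLICY') {
            die "unknown policy '$value'\n" if $value !~ m/^(allow|deny)$/;
            $res->{$key} = $value;
        } elsif (grep { $key eq $_ } @$boolean_options) {
            die "unknown value '$value' - use 0 or 1\n" if $value !~ m/^(0|1)$/;
            $res->{$key} = $value;
        } elsif (grep { $key eq $_ } @$string_options) {
            # taken verbatim, no validation here
            $res->{$key} = $value;
        }
        # anything else, e.g. stray output of the sourced file, is ignored
    }

    return $res;
}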
78 | ||
# Reduce an IPv4-mapped IPv6 address (::ffff:a.b.c.d, the ::ffff:0:0/96 range)
# to its plain IPv4 text form so that it can be matched against IPv4 rules.
#
# Parameters:
#   $ip_text - IP address or network in textual form
#
# Returns the embedded IPv4 address text for addresses inside ::ffff:0:0/96
# and the input unchanged otherwise. Dies if Net::IP cannot parse the input.
# NOTE(review): the result for an input that only partially overlaps the
# mapped range (a network crossing its boundary) depends on Net::IP's
# ip_get_embedded_ipv4 and is not handled specially here.
sub normalize_v4_in_v6 {
    my ($ip_text) = @_;

    my $parsed = Net::IP->new($ip_text) || die Net::IP::Error() . "\n";
    my $mapped_range = Net::IP->new('::ffff:0:0/96');

    return Net::IP::ip_get_embedded_ipv4($ip_text) if $mapped_range->overlaps($parsed);
    return $ip_text;
}
89 | ||
c610c859 | 90 | 1; |