move read_proxy_conf from PVE::API2Tools to new Utils module

[pve-http-server.git] / PVE / APIServer / AnyEvent.pm
diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm

old mode 100755 (executable)

new mode 100644 (file)

index 190471a..b2330a5
--- a/PVE/APIServer/AnyEvent.pm
+++ b/PVE/APIServer/AnyEvent.pm
@@ -184,6 +184,7 @@ sub response {
      $reqstate->{hdl}->timeout_reset();
      $reqstate->{hdl}->timeout($self->{timeout});
  
+    $nocomp = 1 if !$self->{compression};
      $nocomp = 1 if !$reqstate->{accept_gzip};
  
      my $code = $resp->code;
@@ -552,7 +553,7 @@ sub proxy_request {
  
         $headers->{'cookie'} = PVE::APIServer::Formatter::create_auth_cookie($ticket, $self->{cookie_name}) if $ticket;
         $headers->{'CSRFPreventionToken'} = $token if $token;
-       $headers->{'Accept-Encoding'} = 'gzip' if $reqstate->{accept_gzip};
+       $headers->{'Accept-Encoding'} = 'gzip' if ($reqstate->{accept_gzip} && $self->{compression});
  
         my $content;
  
@@ -867,7 +868,8 @@ sub handle_spice_proxy_request {
  
                 # todo: use stop_read/start_read if write buffer grows to much
  
-               my $res = "$proto 200 OK\015\012"; # hope this is the right answer?
+               # a response must be followed by an empty line
+               my $res = "$proto 200 OK\015\012\015\012";
                 $reqstate->{hdl}->push_write($res);
  
                 # log early
@@ -889,7 +891,10 @@ sub handle_spice_proxy_request {
                     my ($hdl, $line) = @_;
  
                     if ($line =~ m!^$proto 200 OK$!) {
-                       &$startproxy();
+                       # read the empty line after the 200 OK
+                       $reqstate->{proxyhdl}->unshift_read(line => sub{
+                           &$startproxy();
+                       });
                     } else {
                         $reqstate->{hdl}->push_write($line);
                         $self->client_do_disconnect($reqstate);
@@ -1607,6 +1612,7 @@ sub new {
      $self->{base_uri} //= "/api2";
      $self->{dirs} //= {};
      $self->{title} //= 'API Inspector';
+    $self->{compression} //= 1;
  
      # formatter_config: we pass some configuration values to the Formatter
      $self->{formatter_config} = {};
@@ -1640,8 +1646,31 @@ sub new {
      $self->{end_cond} = AnyEvent->condvar;
  
      if ($self->{ssl}) {
+       my $ssl_defaults = {
+           # Note: older versions are considered insecure, for example
+           # search for "Poodle"-Attack
+           method => 'any',
+           sslv2 => 0,
+           sslv3 => 0,
+           cipher_list => 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256',
+           honor_cipher_order => 1,
+       };
+
+       foreach my $k (keys %$ssl_defaults) {
+           $self->{ssl}->{$k} //= $ssl_defaults->{$k};
+       }
+
+       if (!defined($self->{ssl}->{dh_file})) {
+           $self->{ssl}->{dh} = 'skip2048';
+       }
+
+       my $tls_ctx_flags = &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE;
+       if ( delete $self->{ssl}->{honor_cipher_order} ) {
+           $tls_ctx_flags |= &Net::SSLeay::OP_CIPHER_SERVER_PREFERENCE;
+       }
+
         $self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
-       Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE);
+       Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, $tls_ctx_flags);
      }
  
      if ($self->{spiceproxy}) {