Thomas Lamprecht [Fri, 22 Mar 2019 09:32:46 +0000 (10:32 +0100)]
tls: make dh to openssl 1.1 compatible
Effective the same approach used in libanyevent-perl 7.140-3[0]
Stretch is also compatible with this, and we can remove it for
buster/PVE 6 once the libanyevent-perl package transitioned to
from unstable to buster, until then do it ourself to have a
functioning api/proxy...
Stoiko Ivanov [Fri, 22 Feb 2019 18:51:59 +0000 (19:51 +0100)]
move read_proxy_conf from PVE::API2Tools to new Utils module
move the read_proxy_conf method into a new perl module
'PVE::APIServer::Utils'.
It now takes the proxy_name (e.g. pveproxy, pmgproxy) as variable to be used
for the configfile location (/etc/default/$proxy_name)
This serves as preparation to make pmgproxy configurable in the same way as
pveproxy.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com> Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Stoiko Ivanov [Thu, 21 Feb 2019 09:35:11 +0000 (10:35 +0100)]
Don't override explicit $nocomp with default
By making compression configurable the $nocomp flag in response got set to
the configured (or default) setting, irrespective of the explicitly passed
value to response.
Stoiko Ivanov [Fri, 15 Feb 2019 11:36:00 +0000 (12:36 +0100)]
Add configurable 'compression'
Rationale for disabling compression is the potential for being affected by
the BREACH (CVE-2013-3587) attack and it's considered good practice for https
configuration (see e.g. [0]).
The default remains: to have compression enabled for compressible file-types.
commit a4d8bbafbe400be78bebeab169963025dc46e29b
introduced an additional empty line after '200 OK'
for remote-viewer 7 to work, but we also have to read this line
in our own proxy reader else the connection to a remote node does
not work
Dominik Csapak [Thu, 16 Aug 2018 12:48:12 +0000 (14:48 +0200)]
fix #1869: send correct http response in spice proxy
the glib implementation of the http proxy correctly checks the
http response (response code, followed by an empty line)
so we need to answer with the correct status
Dietmar Maurer [Wed, 6 Jun 2018 15:30:40 +0000 (17:30 +0200)]
websocket: set $max_payload_size = 128*1024; (131072)
AnyEvent checks rbuf_max after calling the callback (too late), so
we can receive larger data, because AnyEvent uses MAX_READ_SIZE=131072
to fill the buffer.
So a more elegant solution is to set $max_payload_size=128*1024. At least
I am not able to receive rbuf larger than 128*1024 now. But I keep the
protection from the previous patch - just to be sure.
René Jochum [Fri, 25 May 2018 16:15:22 +0000 (18:15 +0200)]
Fix #1684 WebSocket proxy behind a buffered proxy.
The given patch fixes incoming WebSocket traffic behind buffered Proxies
like NGINX.
NGINX buffers multiple requests from the Browser into one frame and sends that to pveproxy,
before this patch we then processed the first message of the frame and cleared the buffer which
may contained more messages.
With this patch we process each message and clear the buffer right.
This fixes the "NoVNC blank screen" problem users reported on the forums.
auth_handler: respond with passed error if we get a PVE::Exception
Allows to fix a problem where a logged in connected client was logged
out because we could not verify him for this call as the cluster
filesystem was unavailable.
If we get such a exception then use it for responding.
THis is save as no logged out client can get ever do anything where
login privileges are required and a logged in client cannot to
anything during the problematic period, but does not gets logged out.
Partail fix for #1589
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Dietmar Maurer [Tue, 2 May 2017 07:58:53 +0000 (09:58 +0200)]
assume all parameters are utf8 encoded
Previously, we called decode_utf8_parameters(), which only encoded
some parameters. This was just an optimization, and it turend out to
be error prone (for example passwords also contain utf8 parameters).
with openssl 1.0.1, we had to limit ourself to one curve to
allow ECDHE at all.
with openssl 1.1.x, the same limit actually means only
allowing ECDSA certificates using that curve, even for
non-ephemeral ECDH handshakes, effectively only allowing
prime256 EC certificates.
since openssl 1.1.x supports auto-negotiation of the curve
used for ECDHE, simply use that for now.
Dietmar Maurer [Fri, 20 Jan 2017 17:15:21 +0000 (18:15 +0100)]
call Net::SSLeay::ERR_clear_error() after auth_handler
Some auth_handlers use Crypt::OpenSSL::RSA, which seems to set the openssl error
variable. We need to clear that here, else AnyEvent::TLS aborts the connection.