use POSIX ":sys_wait_h";
use Socket qw(IPPROTO_TCP TCP_NODELAY SOMAXCONN);
use IO::Socket::INET;
+use Net::IP;
use PVE::SafeSyslog;
use PVE::HTTPServer;
}
}
+sub read_proxy_config {
+
+ my $conffile = "/etc/default/pveproxy";
+
+ # Note: evaluate with bash
+ my $shcmd = ". $conffile;\n";
+ $shcmd .= 'echo \"ALLOW_FROM:\$ALLOW_FROM\";';
+ $shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
+ $shcmd .= 'echo \"POLICY:\$POLICY\";';
+
+ my $data = `bash -c "$shcmd"`;
+
+ my $res = {};
+
+ while ($data =~ s/^(.*)\n//) {
+ my ($key, $value) = split(/:/, $1, 2);
+ if ($key eq 'ALLOW_FROM' || $key eq 'DENY_FROM') {
+ my $ips = [];
+ foreach my $ip (split(/,/, $value)) {
+ $ip = "0/0" if $ip eq 'all';
+ push @$ips, Net::IP->new($ip) || die Net::IP::Error() . "\n";
+ }
+ $res->{$key} = $ips;
+ } elsif ($key eq 'POLICY') {
+ die "unknown policy '$value'\n" if $value !~ m/^(allow|deny)$/;
+ $res->{$key} = $value;
+ } else {
+ # silently skip everythin else?
+ }
+ }
+
+ return $res;
+}
+
1;
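Review bot: An unset POLICY kills the daemon at startup: when /etc/default/pveproxy does not define POLICY (or is absent, so that `. $conffile` fails and bash carries on to the echo lines), `echo "POLICY:$POLICY"` prints `POLICY:` and `split(/:/, $1, 2)` yields an empty string, which `m/^(allow|deny)$/` rejects with `die "unknown policy ''"`; the old `--policy` option was optional, so this is a regression for every host without that line. An empty or unset ALLOW_FROM/DENY_FROM likewise becomes an empty arrayref rather than undef, which PVE::HTTPServer may treat differently from "not configured" (not visible here). Skipping unset keys before the dispatch, `next if !defined($value) || $value eq '';`, restores the optional semantics, and guarding the backticks with `-f $conffile` (e.g. `my $data = -f $conffile ? `bash -c "$shcmd"` : '';`) avoids sourcing a missing file. Because the file is executed by bash rather than parsed, a comment above `$shcmd` should state that any command in it runs as the user calling read_proxy_config and that the file must be root-owned and not writable by the daemon user.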
use URI::QueryParam;
use File::Find;
use Data::Dumper;
-use Net::IP;
my $pidfile = "/var/run/pveproxy/pveproxy.pid";
my $lockfile = "/var/lock/pveproxy.lck";
my $opt_debug;
-my $opt_allow_from;
-my $opt_deny_from;
-my $opt_policy;
initlog ('pveproxy');
-if (!GetOptions ('allow-from=s@' => \$opt_allow_from,
- 'deny-from=s@' => \$opt_deny_from,
- 'policy=s' => \$opt_policy,
- 'debug' => \$opt_debug)) {
- die "usage: $0 [--allow-from CIDR{,CIRD}] [--deny-from CIDR{,CIRD}] [--policy (allow|deny)] [--debug]\n";
-}
-
-$opt_deny_from = [ split(/,/, join(',', @$opt_deny_from)) ] if $opt_deny_from;
-$opt_allow_from = [ split(/,/, join(',', @$opt_allow_from)) ] if $opt_allow_from;
-
-die "unknown policy '$opt_policy'\n" if $opt_policy && $opt_policy !~ m/^(allow|deny)$/;
-
-if ($opt_deny_from) {
- my $ips = [];
- foreach my $ip (@$opt_deny_from) {
- $ip = "0/0" if $ip eq 'all';
- push @$ips, Net::IP->new($ip) || die Net::IP::Error() . "\n";
- }
-
- $opt_deny_from = $ips;
-}
-
-if ($opt_allow_from) {
- my $ips = [];
- foreach my $ip (@$opt_allow_from) {
- $ip = "0/0" if $ip eq 'all';
- push @$ips, Net::IP->new($ip) || die Net::IP::Error() . "\n";
- }
- $opt_allow_from = $ips;
+if (!GetOptions ('debug' => \$opt_debug)) {
+ die "usage: $0 [--debug]\n";
}
$SIG{'__WARN__'} = sub {
# just to be sure
die "detected strange uid/gid\n" if !($UID == $uid && $EUID == $uid && $GID eq "$gid $gid" && $EGID eq "$gid $gid");
+my $proxyconf = PVE::APIDaemon::read_proxy_config();
+
sub add_dirs {
my ($result_hash, $alias, $subdir) = @_;
max_conn => 500,
max_requests => 1000,
debug => $opt_debug,
- allow_from => $opt_allow_from,
- deny_from => $opt_deny_from,
- policy => $opt_policy,
+ allow_from => $proxyconf->{ALLOW_FROM},
+ deny_from => $proxyconf->{DENY_FROM},
+ policy => $proxyconf->{POLICY},
trusted_env => 0, # not trusted, anyone can connect
logfile => '/var/log/pveproxy/access.log',
lockfile => $lockfile,
=head1 SYNOPSIS
-pveproxy [--allow-from CIDR{,CIRD}] [--deny-from CIDR{,CIRD}] [--policy (allow|deny)] [--debug]
+pveproxy [--debug]
=head1 DESCRIPTION
=head1 Host based access control
-Options '--allow-from', '--deny-from' and '--policy' can be used to set up
-apache2 like access control. If started as service, those values are read
+It is possible to configure apache2 like access control lists. Values are read
from file /etc/default/pveproxy. For example:
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
# just to be sure
die "detected strange uid/gid\n" if !($UID == $uid && $EUID == $uid && $GID eq "$gid $gid" && $EGID eq "$gid $gid");
+# we use same ALLOW/DENY/POLICY as pveproxy
+my $proxyconf = PVE::APIDaemon::read_proxy_config();
+
my $cpid;
my $daemon;
eval {
debug => $opt_debug,
spiceproxy => 1,
logfile => '/var/log/pveproxy/access.log',
+ allow_from => $proxyconf->{ALLOW_FROM},
+ deny_from => $proxyconf->{DENY_FROM},
+ policy => $proxyconf->{POLICY},
);
};
SPICE proxy server for Proxmox VE. Listens on port 3128.
+=head1 Host based access control
+
+It is possible to configure apache2 like access control lists. Values are read
+from file /etc/default/pveproxy (see 'pveproxy' for details).
+
+=head1 FILES
+
+ /etc/default/pveproxy
+
=head1 COPYRIGHT AND DISCLAIMER
Copyright (C) 2007-2013 Proxmox Server Solutions GmbH