]>
Commit | Line | Data |
---|---|---|
4a17e72e DM |
1 | package PVE::Service::pveproxy; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use PVE::SafeSyslog; | |
7 | use PVE::Daemon; | |
8 | use HTTP::Response; | |
9 | use Encode; | |
10 | use URI; | |
11 | use URI::QueryParam; | |
12 | use File::Find; | |
13 | use Data::Dumper; | |
14 | use PVE::API2Tools; | |
15 | use PVE::API2; | |
16 | use PVE::API2::Formatter::Standard; | |
17 | use PVE::API2::Formatter::HTML; | |
18 | use PVE::HTTPServer; | |
19 | ||
20 | use PVE::ExtJSIndex; | |
faea7807 | 21 | use PVE::ExtJSIndex6; |
4a17e72e DM |
22 | use PVE::NoVncIndex; |
23 | use PVE::TouchIndex; | |
24 | ||
25 | use PVE::Tools; | |
26 | ||
27 | use base qw(PVE::Daemon); | |
28 | ||
29 | my $cmdline = [$0, @ARGV]; | |
30 | ||
31 | my %daemon_options = ( | |
32 | max_workers => 3, | |
33 | restart_on_error => 5, | |
34 | stop_wait_time => 15, | |
35 | leave_children_open_on_reload => 1, | |
36 | setuid => 'www-data', | |
37 | setgid => 'www-data', | |
38 | pidfile => '/var/run/pveproxy/pveproxy.pid', | |
39 | ); | |
40 | ||
41 | my $daemon = __PACKAGE__->new('pveproxy', $cmdline, %daemon_options); | |
42 | ||
faea7807 | 43 | my $ext6_dir_exists; |
2ebf4aec | 44 | |
4a17e72e DM |
45 | sub add_dirs { |
46 | my ($result_hash, $alias, $subdir) = @_; | |
47 | ||
48 | $result_hash->{$alias} = $subdir; | |
49 | ||
50 | my $wanted = sub { | |
51 | my $dir = $File::Find::dir; | |
52 | if ($dir =~m!^$subdir(.*)$!) { | |
53 | my $name = "$alias$1/"; | |
54 | $result_hash->{$name} = "$dir/"; | |
55 | } | |
56 | }; | |
57 | ||
58 | find({wanted => $wanted, follow => 0, no_chdir => 1}, $subdir); | |
59 | } | |
60 | ||
61 | sub init { | |
62 | my ($self) = @_; | |
63 | ||
64 | # we use same ALLOW/DENY/POLICY as pveproxy | |
65 | my $proxyconf = PVE::API2Tools::read_proxy_config(); | |
66 | ||
67 | my $accept_lock_fn = "/var/lock/pveproxy.lck"; | |
68 | ||
69 | my $lockfh = IO::File->new(">>${accept_lock_fn}") || | |
70 | die "unable to open lock file '${accept_lock_fn}' - $!\n"; | |
71 | ||
72 | my $family = PVE::Tools::get_host_address_family($self->{nodename}); | |
73 | my $socket = $self->create_reusable_socket(8006, undef, $family); | |
74 | ||
faea7807 | 75 | $ext6_dir_exists = (-d '/usr/share/pve-manager/ext6'); |
2ebf4aec | 76 | |
4a17e72e DM |
77 | my $dirs = {}; |
78 | ||
79 | add_dirs($dirs, '/pve2/locale/', '/usr/share/pve-manager/locale/'); | |
80 | add_dirs($dirs, '/pve2/touch/', '/usr/share/pve-manager/touch/'); | |
81 | add_dirs($dirs, '/pve2/ext4/', '/usr/share/pve-manager/ext4/'); | |
2ebf4aec | 82 | |
faea7807 EK |
83 | if ($ext6_dir_exists) { # only add ext6 dirs if they exist |
84 | add_dirs($dirs, '/pve2/ext6/', '/usr/share/pve-manager/ext6/'); | |
85 | add_dirs($dirs, '/pve2/manager6/', '/usr/share/pve-manager/manager6/'); | |
2ebf4aec TL |
86 | } |
87 | ||
4a17e72e DM |
88 | add_dirs($dirs, '/pve2/images/' => '/usr/share/pve-manager/images/'); |
89 | add_dirs($dirs, '/pve2/css/' => '/usr/share/pve-manager/css/'); | |
90 | add_dirs($dirs, '/pve2/js/' => '/usr/share/pve-manager/js/'); | |
91 | add_dirs($dirs, '/vncterm/' => '/usr/share/vncterm/'); | |
92 | add_dirs($dirs, '/novnc/' => '/usr/share/novnc-pve/'); | |
93 | ||
94 | $self->{server_config} = { | |
95 | base_handler_class => 'PVE::API2', | |
96 | keep_alive => 100, | |
97 | max_conn => 500, | |
98 | max_requests => 1000, | |
99 | lockfile => $accept_lock_fn, | |
100 | socket => $socket, | |
101 | lockfh => $lockfh, | |
102 | debug => $self->{debug}, | |
103 | trusted_env => 0, # not trusted, anyone can connect | |
104 | logfile => '/var/log/pveproxy/access.log', | |
105 | allow_from => $proxyconf->{ALLOW_FROM}, | |
106 | deny_from => $proxyconf->{DENY_FROM}, | |
107 | policy => $proxyconf->{POLICY}, | |
108 | ssl => { | |
109 | # Note: older versions are considered insecure, for example | |
110 | # search for "Poodle"-Attac | |
ee0b96b1 | 111 | method => 'any', |
4a17e72e DM |
112 | sslv2 => 0, |
113 | sslv3 => 0, | |
114 | cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5', | |
115 | key_file => '/etc/pve/local/pve-ssl.key', | |
116 | cert_file => '/etc/pve/local/pve-ssl.pem', | |
117 | }, | |
118 | # Note: there is no authentication for those pages and dirs! | |
119 | pages => { | |
120 | '/' => \&get_index, | |
121 | # avoid authentication when accessing favicon | |
122 | '/favicon.ico' => { | |
123 | file => '/usr/share/pve-manager/images/favicon.ico', | |
124 | }, | |
125 | }, | |
126 | dirs => $dirs, | |
127 | }; | |
41196653 FG |
128 | |
129 | if ($proxyconf->{DHPARAMS}) { | |
130 | $self->{server_config}->{ssl}->{dh_file} = $proxyconf->{DHPARAMS}; | |
131 | } else { | |
132 | $self->{server_config}->{ssl}->{dh} = 'skip2048'; | |
133 | } | |
4a17e72e DM |
134 | } |
135 | ||
136 | sub run { | |
137 | my ($self) = @_; | |
138 | ||
139 | my $server = PVE::HTTPServer->new(%{$self->{server_config}}); | |
140 | $server->run(); | |
141 | } | |
142 | ||
143 | $daemon->register_start_command(); | |
144 | $daemon->register_restart_command(1); | |
145 | $daemon->register_stop_command(); | |
146 | $daemon->register_status_command(); | |
147 | ||
148 | our $cmddef = { | |
149 | start => [ __PACKAGE__, 'start', []], | |
150 | restart => [ __PACKAGE__, 'restart', []], | |
151 | stop => [ __PACKAGE__, 'stop', []], | |
152 | status => [ __PACKAGE__, 'status', [], undef, sub { print shift . "\n";} ], | |
153 | }; | |
154 | ||
155 | sub is_phone { | |
156 | my ($ua) = @_; | |
157 | ||
158 | return 0 if !$ua; | |
159 | ||
160 | return 1 if $ua =~ m/(iPhone|iPod|Windows Phone)/; | |
161 | ||
162 | if ($ua =~ m/Mobile(\/|\s)/) { | |
163 | return 1 if $ua =~ m/(BlackBerry|BB)/; | |
164 | return 1 if ($ua =~ m/(Android)/) && ($ua !~ m/(Silk)/); | |
165 | } | |
166 | ||
167 | return 0; | |
168 | } | |
169 | ||
170 | # NOTE: Requests to those pages are not authenticated | |
171 | # so we must be very careful here | |
172 | ||
173 | sub get_index { | |
174 | my ($server, $r, $args) = @_; | |
175 | ||
176 | my $lang = 'en'; | |
177 | my $username; | |
178 | my $token = 'null'; | |
179 | ||
180 | if (my $cookie = $r->header('Cookie')) { | |
181 | if (my $newlang = ($cookie =~ /(?:^|\s)PVELangCookie=([^;]*)/)[0]) { | |
182 | if ($newlang =~ m/^[a-z]{2,3}(_[A-Z]{2,3})?$/) { | |
183 | $lang = $newlang; | |
184 | } | |
185 | } | |
186 | my $ticket = PVE::REST::extract_auth_cookie($cookie); | |
187 | if (($username = PVE::AccessControl::verify_ticket($ticket, 1))) { | |
188 | $token = PVE::AccessControl::assemble_csrf_prevention_token($username); | |
189 | } | |
190 | } | |
191 | ||
192 | $username = '' if !$username; | |
193 | ||
194 | my $mobile = is_phone($r->header('User-Agent')) ? 1 : 0; | |
195 | ||
196 | if (defined($args->{mobile})) { | |
197 | $mobile = $args->{mobile} ? 1 : 0; | |
198 | } | |
199 | ||
faea7807 EK |
200 | my $ext6; |
201 | if (defined($args->{ext6})) { | |
202 | $ext6 = $args->{ext6} ? 1 : 0; | |
4a17e72e DM |
203 | } |
204 | ||
205 | my $page; | |
206 | ||
207 | if (defined($args->{console}) && $args->{novnc}) { | |
2ebf4aec | 208 | $page = PVE::NoVncIndex::get_index($lang, $username, $token, $args->{console}); |
4a17e72e | 209 | } elsif ($mobile) { |
2ebf4aec | 210 | $page = PVE::TouchIndex::get_index($lang, $username, $token, $args->{console}); |
faea7807 EK |
211 | } elsif ($ext6 && $ext6_dir_exists) { |
212 | $page = PVE::ExtJSIndex6::get_index($lang, $username, $token, $args->{console}); | |
2ebf4aec TL |
213 | } else { |
214 | $page = PVE::ExtJSIndex::get_index($lang, $username, $token, $args->{console}); | |
215 | } | |
4a17e72e DM |
216 | my $headers = HTTP::Headers->new(Content_Type => "text/html; charset=utf-8"); |
217 | my $resp = HTTP::Response->new(200, "OK", $headers, $page); | |
218 | ||
219 | return $resp; | |
220 | } | |
221 | ||
222 | 1; | |
223 | ||
224 | __END__ | |
225 | ||
226 | =head1 NAME | |
227 | ||
228 | pveproxy - the PVE API proxy server | |
229 | ||
230 | =head1 SYNOPSIS | |
231 | ||
232 | =include synopsis | |
233 | ||
234 | =head1 DESCRIPTION | |
235 | ||
236 | This is the REST API proxy server, listening on port 8006. This is usually | |
237 | started as service using: | |
238 | ||
239 | # service pveproxy start | |
240 | ||
241 | =head1 Host based access control | |
242 | ||
243 | It is possible to configure apache2 like access control lists. Values are read | |
244 | from file /etc/default/pveproxy. For example: | |
245 | ||
246 | ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22" | |
247 | DENY_FROM="all" | |
248 | POLICY="allow" | |
249 | ||
41196653 | 250 | IP addresses can be specified using any syntax understood by Net::IP. The |
4a17e72e DM |
251 | name 'all' is an alias for '0/0'. |
252 | ||
253 | The default policy is 'allow'. | |
254 | ||
255 | Match | POLICY=deny | POLICY=allow | |
256 | ---------------------------|-------------|------------ | |
257 | Match Allow only | allow | allow | |
258 | Match Deny only | deny | deny | |
259 | No match | deny | allow | |
260 | Match Both Allow & Deny | deny | allow | |
261 | ||
262 | =head1 SSL Cipher Suite | |
263 | ||
41196653 | 264 | You can define the cipher list in /etc/default/pveproxy, for example |
4a17e72e DM |
265 | |
266 | CIPHERS="HIGH:MEDIUM:!aNULL:!MD5" | |
267 | ||
268 | Above is the default. See the ciphers(1) man page from the openssl | |
41196653 FG |
269 | package for a list of all available options. |
270 | ||
271 | =head1 Diffie-Hellman Parameters | |
272 | ||
273 | You can define the used Diffie-Hellman parameters in /etc/default/pveproxy | |
274 | by setting DHPARAMS to the path of a file containing DH parameters in PEM | |
275 | format, for example | |
276 | ||
277 | DHPARAMS="/path/to/dhparams.pem" | |
278 | ||
279 | If this option is not set, the built-in 'skip2048' parameters will be used. | |
280 | ||
281 | Note: DH parameters are only used if a cipher suite utilizing the DH key | |
282 | exchange algorithm is negotiated. | |
4a17e72e DM |
283 | |
284 | =head1 FILES | |
285 | ||
286 | /etc/default/pveproxy | |
287 | ||
288 | =include pve_copyright |