[pve-manager.git] / PVE / Service / pveproxy.pm

package PVE::Service::pveproxy;

use strict;
use warnings;

use PVE::SafeSyslog;
use PVE::Daemon;
use HTTP::Response;
use Encode;
use URI;
use URI::QueryParam;
use File::Find;
use Data::Dumper;
use PVE::API2Tools;
use PVE::API2;
use PVE::API2::Formatter::Standard;
use PVE::API2::Formatter::HTML;
use PVE::HTTPServer;

use PVE::ExtJSIndex;
use PVE::ExtJSIndex6;
use PVE::NoVncIndex;
use PVE::TouchIndex;

use PVE::Tools;

use base qw(PVE::Daemon);

my $cmdline = [$0, @ARGV];

my %daemon_options = (
    max_workers => 3,
    restart_on_error => 5,
    stop_wait_time => 15,
    leave_children_open_on_reload => 1,
    setuid => 'www-data',
    setgid => 'www-data',
    pidfile => '/var/run/pveproxy/pveproxy.pid',
);

my $daemon = __PACKAGE__->new('pveproxy', $cmdline, %daemon_options);

my $ext6_dir_exists;

sub add_dirs {
    my ($result_hash, $alias, $subdir) = @_;

    $result_hash->{$alias} = $subdir;

    my $wanted = sub {
	my $dir = $File::Find::dir;
	if ($dir =~m!^$subdir(.*)$!) {
	    my $name = "$alias$1/";
	    $result_hash->{$name} = "$dir/";
	}
    };

    find({wanted => $wanted, follow => 0, no_chdir => 1}, $subdir);
}

sub init {
    my ($self) = @_;

    # we use same ALLOW/DENY/POLICY as pveproxy
    my $proxyconf = PVE::API2Tools::read_proxy_config();

    my $accept_lock_fn = "/var/lock/pveproxy.lck";

    my $lockfh = IO::File->new(">>${accept_lock_fn}") ||
	die "unable to open lock file '${accept_lock_fn}' - $!\n";

    my $family = PVE::Tools::get_host_address_family($self->{nodename});
    my $socket = $self->create_reusable_socket(8006, undef, $family);

    $ext6_dir_exists = (-d '/usr/share/pve-manager/ext6');

    my $dirs = {};

    add_dirs($dirs, '/pve2/locale/', '/usr/share/pve-manager/locale/');
    add_dirs($dirs, '/pve2/touch/', '/usr/share/pve-manager/touch/');
    add_dirs($dirs, '/pve2/ext4/', '/usr/share/pve-manager/ext4/');

    if ($ext6_dir_exists) { # only add ext6 dirs if they exist
	add_dirs($dirs, '/pve2/ext6/', '/usr/share/pve-manager/ext6/');
	add_dirs($dirs, '/pve2/manager6/', '/usr/share/pve-manager/manager6/');
    }

    add_dirs($dirs, '/pve2/images/' => '/usr/share/pve-manager/images/');
    add_dirs($dirs, '/pve2/css/' => '/usr/share/pve-manager/css/');
    add_dirs($dirs, '/pve2/js/' => '/usr/share/pve-manager/js/');
    add_dirs($dirs, '/vncterm/' => '/usr/share/vncterm/');
    add_dirs($dirs, '/novnc/' => '/usr/share/novnc-pve/');

    $self->{server_config} = {
	base_handler_class => 'PVE::API2',
	keep_alive => 100,
	max_conn => 500,
	max_requests => 1000,
	lockfile => $accept_lock_fn,
	socket => $socket,
	lockfh => $lockfh,
	debug => $self->{debug},
	trusted_env => 0, # not trusted, anyone can connect
	logfile => '/var/log/pveproxy/access.log',
	allow_from => $proxyconf->{ALLOW_FROM},
	deny_from => $proxyconf->{DENY_FROM},
	policy => $proxyconf->{POLICY},
	ssl => {
	    # Note: older versions are considered insecure, for example
	    # search for "Poodle"-Attac
	    method => 'any',
	    sslv2 => 0,
	    sslv3 => 0,
	    cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',
	    key_file => '/etc/pve/local/pve-ssl.key',
	    cert_file => '/etc/pve/local/pve-ssl.pem',
	},
	# Note: there is no authentication for those pages and dirs!
	pages => {
	    '/' => \&get_index,
	    # avoid authentication when accessing favicon
	    '/favicon.ico' => {
		file => '/usr/share/pve-manager/images/favicon.ico',
	    },
	},
	dirs => $dirs,
    };

    if ($proxyconf->{DHPARAMS}) {
	$self->{server_config}->{ssl}->{dh_file} = $proxyconf->{DHPARAMS};
    } else {
	$self->{server_config}->{ssl}->{dh} = 'skip2048';
    }
}

sub run {
    my ($self) = @_;

    my $server = PVE::HTTPServer->new(%{$self->{server_config}});
    $server->run();
}

$daemon->register_start_command();
$daemon->register_restart_command(1);
$daemon->register_stop_command();
$daemon->register_status_command();

our $cmddef = {
    start => [ __PACKAGE__, 'start', []],
    restart => [ __PACKAGE__, 'restart', []],
    stop => [ __PACKAGE__, 'stop', []],
    status => [ __PACKAGE__, 'status', [], undef, sub { print shift . "\n";} ],
};

sub is_phone {
    my ($ua) = @_;

    return 0 if !$ua;

    return 1 if $ua =~ m/(iPhone|iPod|Windows Phone)/;

    if ($ua =~ m/Mobile(\/|\s)/) {
	return 1 if $ua =~ m/(BlackBerry|BB)/;
	return 1 if ($ua =~ m/(Android)/) && ($ua !~ m/(Silk)/);
    }

    return 0;
}

# NOTE: Requests to those pages are not authenticated
# so we must be very careful here

sub get_index {
    my ($server, $r, $args) = @_;

    my $lang = 'en';
    my $username;
    my $token = 'null';

    if (my $cookie = $r->header('Cookie')) {
	if (my $newlang = ($cookie =~ /(?:^|\s)PVELangCookie=([^;]*)/)[0]) {
	    if ($newlang =~ m/^[a-z]{2,3}(_[A-Z]{2,3})?$/) {
		$lang = $newlang;
	    }
	}
	my $ticket = PVE::REST::extract_auth_cookie($cookie);
	if (($username = PVE::AccessControl::verify_ticket($ticket, 1))) {
	    $token = PVE::AccessControl::assemble_csrf_prevention_token($username);
	}
    }

    $username = '' if !$username;

    my $mobile = is_phone($r->header('User-Agent')) ? 1 : 0;

    if (defined($args->{mobile})) {
	$mobile = $args->{mobile} ? 1 : 0;
    }

    my $ext6;
    if (defined($args->{ext6})) {
	$ext6 = $args->{ext6} ? 1 : 0;
    }

    my $page;

    if (defined($args->{console}) && $args->{novnc}) {
	$page = PVE::NoVncIndex::get_index($lang, $username, $token, $args->{console});
    } elsif ($mobile) {
	$page = PVE::TouchIndex::get_index($lang, $username, $token, $args->{console});
    } elsif ($ext6 && $ext6_dir_exists) {
	$page = PVE::ExtJSIndex6::get_index($lang, $username, $token, $args->{console});
    } else {
	$page = PVE::ExtJSIndex::get_index($lang, $username, $token, $args->{console});
    }
    my $headers = HTTP::Headers->new(Content_Type => "text/html; charset=utf-8");
    my $resp = HTTP::Response->new(200, "OK", $headers, $page);

    return $resp;
}

1;

__END__

=head1 NAME

pveproxy - the PVE API proxy server

=head1 SYNOPSIS

=include synopsis

=head1 DESCRIPTION

This is the REST API proxy server, listening on port 8006. This is usually
started as service using:

 # service pveproxy start

=head1 Host based access control

It is possible to configure apache2 like access control lists. Values are read
from file /etc/default/pveproxy. For example:

 ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
 DENY_FROM="all"
 POLICY="allow"

IP addresses can be specified using any syntax understood by Net::IP. The
name 'all' is an alias for '0/0'.

The default policy is 'allow'.

 Match                      | POLICY=deny | POLICY=allow
 ---------------------------|-------------|------------
 Match Allow only           | allow       | allow
 Match Deny only            | deny        | deny
 No match                   | deny        | allow
 Match Both Allow & Deny    | deny        | allow

=head1 SSL Cipher Suite

You can define the cipher list in /etc/default/pveproxy, for example

 CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"

Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.

=head1 Diffie-Hellman Parameters

You can define the used Diffie-Hellman parameters in /etc/default/pveproxy
by setting DHPARAMS to the path of a file containing DH parameters in PEM
format, for example

 DHPARAMS="/path/to/dhparams.pem"

If this option is not set, the built-in 'skip2048' parameters will be used.

Note: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.

=head1 FILES

 /etc/default/pveproxy

=include pve_copyright
Commit	Line	Data
4a17e72e DM	1	package PVE::Service::pveproxy;
	2
	3	use strict;
	4	use warnings;
	5
	6	use PVE::SafeSyslog;
	7	use PVE::Daemon;
	8	use HTTP::Response;
	9	use Encode;
	10	use URI;
	11	use URI::QueryParam;
	12	use File::Find;
	13	use Data::Dumper;
	14	use PVE::API2Tools;
	15	use PVE::API2;
	16	use PVE::API2::Formatter::Standard;
	17	use PVE::API2::Formatter::HTML;
	18	use PVE::HTTPServer;
	19
	20	use PVE::ExtJSIndex;
faea7807	21	use PVE::ExtJSIndex6;
4a17e72e DM	22	use PVE::NoVncIndex;
	23	use PVE::TouchIndex;
	24
	25	use PVE::Tools;
	26
	27	use base qw(PVE::Daemon);
	28
	29	my $cmdline = [$0, @ARGV];
	30
	31	my %daemon_options = (
	32	max_workers => 3,
	33	restart_on_error => 5,
	34	stop_wait_time => 15,
	35	leave_children_open_on_reload => 1,
	36	setuid => 'www-data',
	37	setgid => 'www-data',
	38	pidfile => '/var/run/pveproxy/pveproxy.pid',
	39	);
	40
	41	my $daemon = __PACKAGE__->new('pveproxy', $cmdline, %daemon_options);
	42
faea7807	43	my $ext6_dir_exists;
2ebf4aec	44
4a17e72e DM	45	sub add_dirs {
	46	my ($result_hash, $alias, $subdir) = @_;
	47
	48	$result_hash->{$alias} = $subdir;
	49
	50	my $wanted = sub {
	51	my $dir = $File::Find::dir;
	52	if ($dir =~m!^$subdir(.*)$!) {
	53	my $name = "$alias$1/";
	54	$result_hash->{$name} = "$dir/";
	55	}
	56	};
	57
	58	find({wanted => $wanted, follow => 0, no_chdir => 1}, $subdir);
	59	}
	60
	61	sub init {
	62	my ($self) = @_;
	63
	64	# we use same ALLOW/DENY/POLICY as pveproxy
	65	my $proxyconf = PVE::API2Tools::read_proxy_config();
	66
	67	my $accept_lock_fn = "/var/lock/pveproxy.lck";
	68
	69	my $lockfh = IO::File->new(">>${accept_lock_fn}") \|\|
	70	die "unable to open lock file '${accept_lock_fn}' - $!\n";
	71
	72	my $family = PVE::Tools::get_host_address_family($self->{nodename});
	73	my $socket = $self->create_reusable_socket(8006, undef, $family);
	74
faea7807	75	$ext6_dir_exists = (-d '/usr/share/pve-manager/ext6');
2ebf4aec	76
4a17e72e DM	77	my $dirs = {};
	78
	79	add_dirs($dirs, '/pve2/locale/', '/usr/share/pve-manager/locale/');
	80	add_dirs($dirs, '/pve2/touch/', '/usr/share/pve-manager/touch/');
	81	add_dirs($dirs, '/pve2/ext4/', '/usr/share/pve-manager/ext4/');
2ebf4aec	82
faea7807 EK	83	if ($ext6_dir_exists) { # only add ext6 dirs if they exist
	84	add_dirs($dirs, '/pve2/ext6/', '/usr/share/pve-manager/ext6/');
	85	add_dirs($dirs, '/pve2/manager6/', '/usr/share/pve-manager/manager6/');
2ebf4aec TL	86	}
2ebf4aec TL	87
4a17e72e DM	88	add_dirs($dirs, '/pve2/images/' => '/usr/share/pve-manager/images/');
	89	add_dirs($dirs, '/pve2/css/' => '/usr/share/pve-manager/css/');
	90	add_dirs($dirs, '/pve2/js/' => '/usr/share/pve-manager/js/');
	91	add_dirs($dirs, '/vncterm/' => '/usr/share/vncterm/');
	92	add_dirs($dirs, '/novnc/' => '/usr/share/novnc-pve/');
	93
	94	$self->{server_config} = {
	95	base_handler_class => 'PVE::API2',
	96	keep_alive => 100,
	97	max_conn => 500,
	98	max_requests => 1000,
	99	lockfile => $accept_lock_fn,
	100	socket => $socket,
	101	lockfh => $lockfh,
	102	debug => $self->{debug},
	103	trusted_env => 0, # not trusted, anyone can connect
	104	logfile => '/var/log/pveproxy/access.log',
	105	allow_from => $proxyconf->{ALLOW_FROM},
	106	deny_from => $proxyconf->{DENY_FROM},
	107	policy => $proxyconf->{POLICY},
	108	ssl => {
	109	# Note: older versions are considered insecure, for example
	110	# search for "Poodle"-Attac
ee0b96b1	111	method => 'any',
4a17e72e DM	112	sslv2 => 0,
	113	sslv3 => 0,
	114	cipher_list => $proxyconf->{CIPHERS} \|\| 'HIGH:MEDIUM:!aNULL:!MD5',
	115	key_file => '/etc/pve/local/pve-ssl.key',
	116	cert_file => '/etc/pve/local/pve-ssl.pem',
	117	},
	118	# Note: there is no authentication for those pages and dirs!
	119	pages => {
	120	'/' => \&get_index,
	121	# avoid authentication when accessing favicon
	122	'/favicon.ico' => {
	123	file => '/usr/share/pve-manager/images/favicon.ico',
	124	},
	125	},
	126	dirs => $dirs,
	127	};
41196653 FG	128
	129	if ($proxyconf->{DHPARAMS}) {
	130	$self->{server_config}->{ssl}->{dh_file} = $proxyconf->{DHPARAMS};
	131	} else {
	132	$self->{server_config}->{ssl}->{dh} = 'skip2048';
	133	}
4a17e72e DM	134	}
	135
	136	sub run {
	137	my ($self) = @_;
	138
	139	my $server = PVE::HTTPServer->new(%{$self->{server_config}});
	140	$server->run();
	141	}
	142
	143	$daemon->register_start_command();
	144	$daemon->register_restart_command(1);
	145	$daemon->register_stop_command();
	146	$daemon->register_status_command();
	147
	148	our $cmddef = {
	149	start => [ __PACKAGE__, 'start', []],
	150	restart => [ __PACKAGE__, 'restart', []],
	151	stop => [ __PACKAGE__, 'stop', []],
	152	status => [ __PACKAGE__, 'status', [], undef, sub { print shift . "\n";} ],
	153	};
	154
	155	sub is_phone {
	156	my ($ua) = @_;
	157
	158	return 0 if !$ua;
	159
	160	return 1 if $ua =~ m/(iPhone\|iPod\|Windows Phone)/;
	161
	162	if ($ua =~ m/Mobile(\/\|\s)/) {
	163	return 1 if $ua =~ m/(BlackBerry\|BB)/;
	164	return 1 if ($ua =~ m/(Android)/) && ($ua !~ m/(Silk)/);
	165	}
	166
	167	return 0;
	168	}
	169
	170	# NOTE: Requests to those pages are not authenticated
	171	# so we must be very careful here
	172
	173	sub get_index {
	174	my ($server, $r, $args) = @_;
	175
	176	my $lang = 'en';
	177	my $username;
	178	my $token = 'null';
	179
	180	if (my $cookie = $r->header('Cookie')) {
	181	if (my $newlang = ($cookie =~ /(?:^\|\s)PVELangCookie=([^;]*)/)[0]) {
	182	if ($newlang =~ m/^[a-z]{2,3}(_[A-Z]{2,3})?$/) {
	183	$lang = $newlang;
	184	}
	185	}
	186	my $ticket = PVE::REST::extract_auth_cookie($cookie);
	187	if (($username = PVE::AccessControl::verify_ticket($ticket, 1))) {
	188	$token = PVE::AccessControl::assemble_csrf_prevention_token($username);
	189	}
	190	}
	191
	192	$username = '' if !$username;
	193
	194	my $mobile = is_phone($r->header('User-Agent')) ? 1 : 0;
	195
	196	if (defined($args->{mobile})) {
	197	$mobile = $args->{mobile} ? 1 : 0;
198	}
199
faea7807 EK	200	my $ext6;
	201	if (defined($args->{ext6})) {
	202	$ext6 = $args->{ext6} ? 1 : 0;
4a17e72e DM	203	}
	204
	205	my $page;
	206
	207	if (defined($args->{console}) && $args->{novnc}) {
2ebf4aec	208	$page = PVE::NoVncIndex::get_index($lang, $username, $token, $args->{console});
4a17e72e	209	} elsif ($mobile) {
2ebf4aec	210	$page = PVE::TouchIndex::get_index($lang, $username, $token, $args->{console});
faea7807 EK	211	} elsif ($ext6 && $ext6_dir_exists) {
faea7807 EK	212	$page = PVE::ExtJSIndex6::get_index($lang, $username, $token, $args->{console});
2ebf4aec TL	213	} else {
	214	$page = PVE::ExtJSIndex::get_index($lang, $username, $token, $args->{console});
	215	}
4a17e72e DM	216	my $headers = HTTP::Headers->new(Content_Type => "text/html; charset=utf-8");
	217	my $resp = HTTP::Response->new(200, "OK", $headers, $page);
	218
	219	return $resp;
	220	}
	221
	222	1;
	223
	224	__END__
	225
	226	=head1 NAME
	227
	228	pveproxy - the PVE API proxy server
	229
	230	=head1 SYNOPSIS
	231
	232	=include synopsis
	233
	234	=head1 DESCRIPTION
	235
	236	This is the REST API proxy server, listening on port 8006. This is usually
	237	started as service using:
	238
	239	# service pveproxy start
	240
	241	=head1 Host based access control
	242
	243	It is possible to configure apache2 like access control lists. Values are read
	244	from file /etc/default/pveproxy. For example:
	245
	246	ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
	247	DENY_FROM="all"
	248	POLICY="allow"
	249
41196653	250	IP addresses can be specified using any syntax understood by Net::IP. The
4a17e72e DM	251	name 'all' is an alias for '0/0'.
	252
	253	The default policy is 'allow'.
	254
	255	Match \| POLICY=deny \| POLICY=allow
	256	---------------------------\|-------------\|------------
	257	Match Allow only \| allow \| allow
	258	Match Deny only \| deny \| deny
	259	No match \| deny \| allow
	260	Match Both Allow & Deny \| deny \| allow
	261
	262	=head1 SSL Cipher Suite
	263
41196653	264	You can define the cipher list in /etc/default/pveproxy, for example
4a17e72e DM	265
	266	CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
	267
	268	Above is the default. See the ciphers(1) man page from the openssl
41196653 FG	269	package for a list of all available options.
	270
	271	=head1 Diffie-Hellman Parameters
	272
	273	You can define the used Diffie-Hellman parameters in /etc/default/pveproxy
	274	by setting DHPARAMS to the path of a file containing DH parameters in PEM
	275	format, for example
	276
	277	DHPARAMS="/path/to/dhparams.pem"
	278
	279	If this option is not set, the built-in 'skip2048' parameters will be used.
	280
	281	Note: DH parameters are only used if a cipher suite utilizing the DH key
	282	exchange algorithm is negotiated.
4a17e72e DM	283
	284	=head1 FILES
	285
	286	/etc/default/pveproxy
	287
	288	=include pve_copyright