]>
Commit | Line | Data |
---|---|---|
4a17e72e DM |
1 | package PVE::Service::pveproxy; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use PVE::SafeSyslog; | |
7 | use PVE::Daemon; | |
8 | use HTTP::Response; | |
9 | use Encode; | |
10 | use URI; | |
11 | use URI::QueryParam; | |
12 | use File::Find; | |
13 | use Data::Dumper; | |
14 | use PVE::API2Tools; | |
15 | use PVE::API2; | |
16 | use PVE::API2::Formatter::Standard; | |
17 | use PVE::API2::Formatter::HTML; | |
18 | use PVE::HTTPServer; | |
19 | ||
20 | use PVE::ExtJSIndex; | |
faea7807 | 21 | use PVE::ExtJSIndex6; |
4a17e72e DM |
22 | use PVE::NoVncIndex; |
23 | use PVE::TouchIndex; | |
24 | ||
25 | use PVE::Tools; | |
26 | ||
27 | use base qw(PVE::Daemon); | |
28 | ||
29 | my $cmdline = [$0, @ARGV]; | |
30 | ||
31 | my %daemon_options = ( | |
32 | max_workers => 3, | |
33 | restart_on_error => 5, | |
34 | stop_wait_time => 15, | |
35 | leave_children_open_on_reload => 1, | |
36 | setuid => 'www-data', | |
37 | setgid => 'www-data', | |
38 | pidfile => '/var/run/pveproxy/pveproxy.pid', | |
39 | ); | |
40 | ||
41 | my $daemon = __PACKAGE__->new('pveproxy', $cmdline, %daemon_options); | |
42 | ||
faea7807 | 43 | my $ext6_dir_exists; |
2ebf4aec | 44 | |
4a17e72e DM |
45 | sub add_dirs { |
46 | my ($result_hash, $alias, $subdir) = @_; | |
47 | ||
48 | $result_hash->{$alias} = $subdir; | |
49 | ||
50 | my $wanted = sub { | |
51 | my $dir = $File::Find::dir; | |
52 | if ($dir =~m!^$subdir(.*)$!) { | |
53 | my $name = "$alias$1/"; | |
54 | $result_hash->{$name} = "$dir/"; | |
55 | } | |
56 | }; | |
57 | ||
58 | find({wanted => $wanted, follow => 0, no_chdir => 1}, $subdir); | |
59 | } | |
60 | ||
61 | sub init { | |
62 | my ($self) = @_; | |
63 | ||
64 | # we use same ALLOW/DENY/POLICY as pveproxy | |
65 | my $proxyconf = PVE::API2Tools::read_proxy_config(); | |
66 | ||
67 | my $accept_lock_fn = "/var/lock/pveproxy.lck"; | |
68 | ||
69 | my $lockfh = IO::File->new(">>${accept_lock_fn}") || | |
70 | die "unable to open lock file '${accept_lock_fn}' - $!\n"; | |
71 | ||
72 | my $family = PVE::Tools::get_host_address_family($self->{nodename}); | |
73 | my $socket = $self->create_reusable_socket(8006, undef, $family); | |
74 | ||
faea7807 | 75 | $ext6_dir_exists = (-d '/usr/share/pve-manager/ext6'); |
2ebf4aec | 76 | |
4a17e72e DM |
77 | my $dirs = {}; |
78 | ||
79 | add_dirs($dirs, '/pve2/locale/', '/usr/share/pve-manager/locale/'); | |
80 | add_dirs($dirs, '/pve2/touch/', '/usr/share/pve-manager/touch/'); | |
81 | add_dirs($dirs, '/pve2/ext4/', '/usr/share/pve-manager/ext4/'); | |
2ebf4aec | 82 | |
faea7807 EK |
83 | if ($ext6_dir_exists) { # only add ext6 dirs if they exist |
84 | add_dirs($dirs, '/pve2/ext6/', '/usr/share/pve-manager/ext6/'); | |
85 | add_dirs($dirs, '/pve2/manager6/', '/usr/share/pve-manager/manager6/'); | |
2ebf4aec TL |
86 | } |
87 | ||
4a17e72e DM |
88 | add_dirs($dirs, '/pve2/images/' => '/usr/share/pve-manager/images/'); |
89 | add_dirs($dirs, '/pve2/css/' => '/usr/share/pve-manager/css/'); | |
90 | add_dirs($dirs, '/pve2/js/' => '/usr/share/pve-manager/js/'); | |
91 | add_dirs($dirs, '/vncterm/' => '/usr/share/vncterm/'); | |
92 | add_dirs($dirs, '/novnc/' => '/usr/share/novnc-pve/'); | |
93 | ||
94 | $self->{server_config} = { | |
95 | base_handler_class => 'PVE::API2', | |
96 | keep_alive => 100, | |
97 | max_conn => 500, | |
98 | max_requests => 1000, | |
99 | lockfile => $accept_lock_fn, | |
100 | socket => $socket, | |
101 | lockfh => $lockfh, | |
102 | debug => $self->{debug}, | |
103 | trusted_env => 0, # not trusted, anyone can connect | |
104 | logfile => '/var/log/pveproxy/access.log', | |
105 | allow_from => $proxyconf->{ALLOW_FROM}, | |
106 | deny_from => $proxyconf->{DENY_FROM}, | |
107 | policy => $proxyconf->{POLICY}, | |
108 | ssl => { | |
109 | # Note: older versions are considered insecure, for example | |
110 | # search for "Poodle"-Attac | |
ee0b96b1 | 111 | method => 'any', |
4a17e72e DM |
112 | sslv2 => 0, |
113 | sslv3 => 0, | |
114 | cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5', | |
115 | key_file => '/etc/pve/local/pve-ssl.key', | |
116 | cert_file => '/etc/pve/local/pve-ssl.pem', | |
ee0b96b1 | 117 | dh => 'skip2048', |
4a17e72e DM |
118 | }, |
119 | # Note: there is no authentication for those pages and dirs! | |
120 | pages => { | |
121 | '/' => \&get_index, | |
122 | # avoid authentication when accessing favicon | |
123 | '/favicon.ico' => { | |
124 | file => '/usr/share/pve-manager/images/favicon.ico', | |
125 | }, | |
126 | }, | |
127 | dirs => $dirs, | |
128 | }; | |
129 | } | |
130 | ||
131 | sub run { | |
132 | my ($self) = @_; | |
133 | ||
134 | my $server = PVE::HTTPServer->new(%{$self->{server_config}}); | |
135 | $server->run(); | |
136 | } | |
137 | ||
138 | $daemon->register_start_command(); | |
139 | $daemon->register_restart_command(1); | |
140 | $daemon->register_stop_command(); | |
141 | $daemon->register_status_command(); | |
142 | ||
143 | our $cmddef = { | |
144 | start => [ __PACKAGE__, 'start', []], | |
145 | restart => [ __PACKAGE__, 'restart', []], | |
146 | stop => [ __PACKAGE__, 'stop', []], | |
147 | status => [ __PACKAGE__, 'status', [], undef, sub { print shift . "\n";} ], | |
148 | }; | |
149 | ||
150 | sub is_phone { | |
151 | my ($ua) = @_; | |
152 | ||
153 | return 0 if !$ua; | |
154 | ||
155 | return 1 if $ua =~ m/(iPhone|iPod|Windows Phone)/; | |
156 | ||
157 | if ($ua =~ m/Mobile(\/|\s)/) { | |
158 | return 1 if $ua =~ m/(BlackBerry|BB)/; | |
159 | return 1 if ($ua =~ m/(Android)/) && ($ua !~ m/(Silk)/); | |
160 | } | |
161 | ||
162 | return 0; | |
163 | } | |
164 | ||
165 | # NOTE: Requests to those pages are not authenticated | |
166 | # so we must be very careful here | |
167 | ||
168 | sub get_index { | |
169 | my ($server, $r, $args) = @_; | |
170 | ||
171 | my $lang = 'en'; | |
172 | my $username; | |
173 | my $token = 'null'; | |
174 | ||
175 | if (my $cookie = $r->header('Cookie')) { | |
176 | if (my $newlang = ($cookie =~ /(?:^|\s)PVELangCookie=([^;]*)/)[0]) { | |
177 | if ($newlang =~ m/^[a-z]{2,3}(_[A-Z]{2,3})?$/) { | |
178 | $lang = $newlang; | |
179 | } | |
180 | } | |
181 | my $ticket = PVE::REST::extract_auth_cookie($cookie); | |
182 | if (($username = PVE::AccessControl::verify_ticket($ticket, 1))) { | |
183 | $token = PVE::AccessControl::assemble_csrf_prevention_token($username); | |
184 | } | |
185 | } | |
186 | ||
187 | $username = '' if !$username; | |
188 | ||
189 | my $mobile = is_phone($r->header('User-Agent')) ? 1 : 0; | |
190 | ||
191 | if (defined($args->{mobile})) { | |
192 | $mobile = $args->{mobile} ? 1 : 0; | |
193 | } | |
194 | ||
faea7807 EK |
195 | my $ext6; |
196 | if (defined($args->{ext6})) { | |
197 | $ext6 = $args->{ext6} ? 1 : 0; | |
4a17e72e DM |
198 | } |
199 | ||
200 | my $page; | |
201 | ||
202 | if (defined($args->{console}) && $args->{novnc}) { | |
2ebf4aec | 203 | $page = PVE::NoVncIndex::get_index($lang, $username, $token, $args->{console}); |
4a17e72e | 204 | } elsif ($mobile) { |
2ebf4aec | 205 | $page = PVE::TouchIndex::get_index($lang, $username, $token, $args->{console}); |
faea7807 EK |
206 | } elsif ($ext6 && $ext6_dir_exists) { |
207 | $page = PVE::ExtJSIndex6::get_index($lang, $username, $token, $args->{console}); | |
2ebf4aec TL |
208 | } else { |
209 | $page = PVE::ExtJSIndex::get_index($lang, $username, $token, $args->{console}); | |
210 | } | |
4a17e72e DM |
211 | my $headers = HTTP::Headers->new(Content_Type => "text/html; charset=utf-8"); |
212 | my $resp = HTTP::Response->new(200, "OK", $headers, $page); | |
213 | ||
214 | return $resp; | |
215 | } | |
216 | ||
217 | 1; | |
218 | ||
219 | __END__ | |
220 | ||
221 | =head1 NAME | |
222 | ||
223 | pveproxy - the PVE API proxy server | |
224 | ||
225 | =head1 SYNOPSIS | |
226 | ||
227 | =include synopsis | |
228 | ||
229 | =head1 DESCRIPTION | |
230 | ||
231 | This is the REST API proxy server, listening on port 8006. This is usually | |
232 | started as service using: | |
233 | ||
234 | # service pveproxy start | |
235 | ||
236 | =head1 Host based access control | |
237 | ||
238 | It is possible to configure apache2 like access control lists. Values are read | |
239 | from file /etc/default/pveproxy. For example: | |
240 | ||
241 | ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22" | |
242 | DENY_FROM="all" | |
243 | POLICY="allow" | |
244 | ||
245 | IP addresses can be specified using any syntax understoop by Net::IP. The | |
246 | name 'all' is an alias for '0/0'. | |
247 | ||
248 | The default policy is 'allow'. | |
249 | ||
250 | Match | POLICY=deny | POLICY=allow | |
251 | ---------------------------|-------------|------------ | |
252 | Match Allow only | allow | allow | |
253 | Match Deny only | deny | deny | |
254 | No match | deny | allow | |
255 | Match Both Allow & Deny | deny | allow | |
256 | ||
257 | =head1 SSL Cipher Suite | |
258 | ||
259 | You can define the chiper list in /etc/default/pveproxy, for example | |
260 | ||
261 | CIPHERS="HIGH:MEDIUM:!aNULL:!MD5" | |
262 | ||
263 | Above is the default. See the ciphers(1) man page from the openssl | |
264 | package for list of all available options. | |
265 | ||
266 | =head1 FILES | |
267 | ||
268 | /etc/default/pveproxy | |
269 | ||
270 | =include pve_copyright |