]>
Commit | Line | Data |
---|---|---|
4a17e72e DM |
1 | package PVE::Service::pveproxy; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use PVE::SafeSyslog; | |
7 | use PVE::Daemon; | |
8 | use HTTP::Response; | |
9 | use Encode; | |
10 | use URI; | |
11 | use URI::QueryParam; | |
12 | use File::Find; | |
13 | use Data::Dumper; | |
14 | use PVE::API2Tools; | |
15 | use PVE::API2; | |
16 | use PVE::API2::Formatter::Standard; | |
17 | use PVE::API2::Formatter::HTML; | |
18 | use PVE::HTTPServer; | |
19 | ||
20 | use PVE::ExtJSIndex; | |
4a17e72e DM |
21 | use PVE::NoVncIndex; |
22 | use PVE::TouchIndex; | |
23 | ||
24 | use PVE::Tools; | |
25 | ||
26 | use base qw(PVE::Daemon); | |
27 | ||
28 | my $cmdline = [$0, @ARGV]; | |
29 | ||
30 | my %daemon_options = ( | |
31 | max_workers => 3, | |
32 | restart_on_error => 5, | |
33 | stop_wait_time => 15, | |
34 | leave_children_open_on_reload => 1, | |
35 | setuid => 'www-data', | |
36 | setgid => 'www-data', | |
37 | pidfile => '/var/run/pveproxy/pveproxy.pid', | |
38 | ); | |
39 | ||
40 | my $daemon = __PACKAGE__->new('pveproxy', $cmdline, %daemon_options); | |
41 | ||
42 | sub add_dirs { | |
43 | my ($result_hash, $alias, $subdir) = @_; | |
44 | ||
45 | $result_hash->{$alias} = $subdir; | |
46 | ||
47 | my $wanted = sub { | |
48 | my $dir = $File::Find::dir; | |
49 | if ($dir =~m!^$subdir(.*)$!) { | |
50 | my $name = "$alias$1/"; | |
51 | $result_hash->{$name} = "$dir/"; | |
52 | } | |
53 | }; | |
54 | ||
55 | find({wanted => $wanted, follow => 0, no_chdir => 1}, $subdir); | |
56 | } | |
57 | ||
58 | sub init { | |
59 | my ($self) = @_; | |
60 | ||
61 | # we use same ALLOW/DENY/POLICY as pveproxy | |
62 | my $proxyconf = PVE::API2Tools::read_proxy_config(); | |
63 | ||
64 | my $accept_lock_fn = "/var/lock/pveproxy.lck"; | |
65 | ||
66 | my $lockfh = IO::File->new(">>${accept_lock_fn}") || | |
67 | die "unable to open lock file '${accept_lock_fn}' - $!\n"; | |
68 | ||
69 | my $family = PVE::Tools::get_host_address_family($self->{nodename}); | |
70 | my $socket = $self->create_reusable_socket(8006, undef, $family); | |
71 | ||
72 | my $dirs = {}; | |
73 | ||
74 | add_dirs($dirs, '/pve2/locale/', '/usr/share/pve-manager/locale/'); | |
75 | add_dirs($dirs, '/pve2/touch/', '/usr/share/pve-manager/touch/'); | |
5783c7f4 DM |
76 | add_dirs($dirs, '/pve2/ext6/', '/usr/share/pve-manager/ext6/'); |
77 | add_dirs($dirs, '/pve2/manager6/', '/usr/share/pve-manager/manager6/'); | |
2ebf4aec | 78 | |
4a17e72e DM |
79 | add_dirs($dirs, '/pve2/images/' => '/usr/share/pve-manager/images/'); |
80 | add_dirs($dirs, '/pve2/css/' => '/usr/share/pve-manager/css/'); | |
81 | add_dirs($dirs, '/pve2/js/' => '/usr/share/pve-manager/js/'); | |
d5d08d2a | 82 | add_dirs($dirs, '/pve-docs/' => '/usr/share/pve-docs/'); |
4a17e72e DM |
83 | add_dirs($dirs, '/vncterm/' => '/usr/share/vncterm/'); |
84 | add_dirs($dirs, '/novnc/' => '/usr/share/novnc-pve/'); | |
85 | ||
86 | $self->{server_config} = { | |
87 | base_handler_class => 'PVE::API2', | |
88 | keep_alive => 100, | |
89 | max_conn => 500, | |
90 | max_requests => 1000, | |
91 | lockfile => $accept_lock_fn, | |
92 | socket => $socket, | |
93 | lockfh => $lockfh, | |
94 | debug => $self->{debug}, | |
95 | trusted_env => 0, # not trusted, anyone can connect | |
96 | logfile => '/var/log/pveproxy/access.log', | |
97 | allow_from => $proxyconf->{ALLOW_FROM}, | |
98 | deny_from => $proxyconf->{DENY_FROM}, | |
99 | policy => $proxyconf->{POLICY}, | |
100 | ssl => { | |
101 | # Note: older versions are considered insecure, for example | |
102 | # search for "Poodle"-Attac | |
ee0b96b1 | 103 | method => 'any', |
4a17e72e DM |
104 | sslv2 => 0, |
105 | sslv3 => 0, | |
106 | cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5', | |
107 | key_file => '/etc/pve/local/pve-ssl.key', | |
108 | cert_file => '/etc/pve/local/pve-ssl.pem', | |
109 | }, | |
110 | # Note: there is no authentication for those pages and dirs! | |
111 | pages => { | |
c7f32808 | 112 | '/' => sub { get_index($self->{nodename}, @_) }, |
4a17e72e DM |
113 | # avoid authentication when accessing favicon |
114 | '/favicon.ico' => { | |
115 | file => '/usr/share/pve-manager/images/favicon.ico', | |
116 | }, | |
117 | }, | |
118 | dirs => $dirs, | |
119 | }; | |
41196653 FG |
120 | |
121 | if ($proxyconf->{DHPARAMS}) { | |
122 | $self->{server_config}->{ssl}->{dh_file} = $proxyconf->{DHPARAMS}; | |
123 | } else { | |
124 | $self->{server_config}->{ssl}->{dh} = 'skip2048'; | |
125 | } | |
299d290c FG |
126 | |
127 | if (-f '/etc/pve/local/pveproxy-ssl.pem' && -f '/etc/pve/local/pveproxy-ssl.key') { | |
128 | $self->{server_config}->{ssl}->{cert_file} = '/etc/pve/local/pveproxy-ssl.pem'; | |
129 | $self->{server_config}->{ssl}->{key_file} = '/etc/pve/local/pveproxy-ssl.key'; | |
130 | syslog('info', 'Using \'/etc/pve/local/pveproxy-ssl.pem\' as certificate for the web interface.'); | |
131 | } | |
4a17e72e DM |
132 | } |
133 | ||
134 | sub run { | |
135 | my ($self) = @_; | |
136 | ||
137 | my $server = PVE::HTTPServer->new(%{$self->{server_config}}); | |
138 | $server->run(); | |
139 | } | |
140 | ||
141 | $daemon->register_start_command(); | |
142 | $daemon->register_restart_command(1); | |
143 | $daemon->register_stop_command(); | |
144 | $daemon->register_status_command(); | |
145 | ||
146 | our $cmddef = { | |
147 | start => [ __PACKAGE__, 'start', []], | |
148 | restart => [ __PACKAGE__, 'restart', []], | |
149 | stop => [ __PACKAGE__, 'stop', []], | |
150 | status => [ __PACKAGE__, 'status', [], undef, sub { print shift . "\n";} ], | |
151 | }; | |
152 | ||
153 | sub is_phone { | |
154 | my ($ua) = @_; | |
155 | ||
156 | return 0 if !$ua; | |
157 | ||
158 | return 1 if $ua =~ m/(iPhone|iPod|Windows Phone)/; | |
159 | ||
160 | if ($ua =~ m/Mobile(\/|\s)/) { | |
161 | return 1 if $ua =~ m/(BlackBerry|BB)/; | |
162 | return 1 if ($ua =~ m/(Android)/) && ($ua !~ m/(Silk)/); | |
163 | } | |
164 | ||
165 | return 0; | |
166 | } | |
167 | ||
168 | # NOTE: Requests to those pages are not authenticated | |
169 | # so we must be very careful here | |
170 | ||
171 | sub get_index { | |
c7f32808 | 172 | my ($nodename, $server, $r, $args) = @_; |
4a17e72e DM |
173 | |
174 | my $lang = 'en'; | |
175 | my $username; | |
176 | my $token = 'null'; | |
177 | ||
178 | if (my $cookie = $r->header('Cookie')) { | |
179 | if (my $newlang = ($cookie =~ /(?:^|\s)PVELangCookie=([^;]*)/)[0]) { | |
180 | if ($newlang =~ m/^[a-z]{2,3}(_[A-Z]{2,3})?$/) { | |
181 | $lang = $newlang; | |
182 | } | |
183 | } | |
f50cdc4e | 184 | my $ticket = PVE::HTTPServer::extract_auth_cookie($cookie, $server->{cookie_name}); |
4a17e72e DM |
185 | if (($username = PVE::AccessControl::verify_ticket($ticket, 1))) { |
186 | $token = PVE::AccessControl::assemble_csrf_prevention_token($username); | |
187 | } | |
188 | } | |
189 | ||
190 | $username = '' if !$username; | |
191 | ||
192 | my $mobile = is_phone($r->header('User-Agent')) ? 1 : 0; | |
193 | ||
194 | if (defined($args->{mobile})) { | |
195 | $mobile = $args->{mobile} ? 1 : 0; | |
196 | } | |
197 | ||
4a17e72e DM |
198 | my $page; |
199 | ||
200 | if (defined($args->{console}) && $args->{novnc}) { | |
c7f32808 | 201 | $page = PVE::NoVncIndex::get_index($lang, $username, $token, $args->{console}, $nodename); |
4a17e72e | 202 | } elsif ($mobile) { |
c7f32808 | 203 | $page = PVE::TouchIndex::get_index($lang, $username, $token, $args->{console}, $nodename); |
2ebf4aec | 204 | } else { |
69f17ac3 EK |
205 | $page = PVE::ExtJSIndex::get_index($lang, $username, $token, $args->{console}, $nodename, |
206 | $server->{debug}); | |
2ebf4aec | 207 | } |
4a17e72e DM |
208 | my $headers = HTTP::Headers->new(Content_Type => "text/html; charset=utf-8"); |
209 | my $resp = HTTP::Response->new(200, "OK", $headers, $page); | |
210 | ||
211 | return $resp; | |
212 | } | |
213 | ||
214 | 1; |