use strict;
use warnings;
-use PVE::SafeSyslog;
-use PVE::Daemon;
-use HTTP::Response;
+use Data::Dumper;
use Encode;
-use URI;
+use HTTP::Response;
+use Template;
use URI::QueryParam;
-use File::Find;
-use Data::Dumper;
-use PVE::API2Tools;
+use URI;
+
use PVE::API2;
-use PVE::API2::Formatter::Standard;
-use PVE::API2::Formatter::HTML;
+use PVE::APIServer::AnyEvent;
+use PVE::APIServer::Formatter::HTML;
+use PVE::APIServer::Formatter::Standard;
+use PVE::APIServer::Formatter;
+use PVE::APIServer::Utils;
+use PVE::Cluster;
+use PVE::Daemon;
+use PVE::DataCenterConfig;
use PVE::HTTPServer;
-
-use PVE::ExtJSIndex;
-use PVE::ExtJSIndex6;
-use PVE::NoVncIndex;
-use PVE::TouchIndex;
-
+use PVE::SafeSyslog;
+use PVE::pvecfg;
use PVE::Tools;
use base qw(PVE::Daemon);
my $daemon = __PACKAGE__->new('pveproxy', $cmdline, %daemon_options);
-my $ext6_dir_exists;
-
sub add_dirs {
my ($result_hash, $alias, $subdir) = @_;
- $result_hash->{$alias} = $subdir;
-
- my $wanted = sub {
- my $dir = $File::Find::dir;
- if ($dir =~m!^$subdir(.*)$!) {
- my $name = "$alias$1/";
- $result_hash->{$name} = "$dir/";
- }
- };
-
- find({wanted => $wanted, follow => 0, no_chdir => 1}, $subdir);
+ PVE::APIServer::AnyEvent::add_dirs($result_hash, $alias, $subdir);
}
+my $basedirs = {
+ docs => '/usr/share/pve-docs',
+ extjs => '/usr/share/javascript/extjs',
+ fontawesome => '/usr/share/fonts-font-awesome',
+ fontlogos => '/usr/share/fonts-font-logos',
+ i18n => '/usr/share/pve-i18n',
+ manager => '/usr/share/pve-manager',
+ novnc => '/usr/share/novnc-pve',
+ sencha_touch => '/usr/share/javascript/sencha-touch',
+ widgettoolkit => '/usr/share/javascript/proxmox-widget-toolkit',
+ xtermjs => '/usr/share/pve-xtermjs',
+};
+
sub init {
my ($self) = @_;
# we use same ALLOW/DENY/POLICY as pveproxy
- my $proxyconf = PVE::API2Tools::read_proxy_config();
+ my $proxyconf = PVE::APIServer::Utils::read_proxy_config($self->{name});
my $accept_lock_fn = "/var/lock/pveproxy.lck";
my $lockfh = IO::File->new(">>${accept_lock_fn}") ||
die "unable to open lock file '${accept_lock_fn}' - $!\n";
- my $family = PVE::Tools::get_host_address_family($self->{nodename});
- my $socket = $self->create_reusable_socket(8006, undef, $family);
-
- $ext6_dir_exists = (-d '/usr/share/pve-manager/ext6');
+ my $listen_ip = $proxyconf->{LISTEN_IP};
+ my $socket = $self->create_reusable_socket(8006, $listen_ip);
my $dirs = {};
- add_dirs($dirs, '/pve2/locale/', '/usr/share/pve-manager/locale/');
- add_dirs($dirs, '/pve2/touch/', '/usr/share/pve-manager/touch/');
- add_dirs($dirs, '/pve2/ext4/', '/usr/share/pve-manager/ext4/');
-
- if ($ext6_dir_exists) { # only add ext6 dirs if they exist
- add_dirs($dirs, '/pve2/ext6/', '/usr/share/pve-manager/ext6/');
- add_dirs($dirs, '/pve2/manager6/', '/usr/share/pve-manager/manager6/');
- }
-
- add_dirs($dirs, '/pve2/images/' => '/usr/share/pve-manager/images/');
- add_dirs($dirs, '/pve2/css/' => '/usr/share/pve-manager/css/');
- add_dirs($dirs, '/pve2/js/' => '/usr/share/pve-manager/js/');
- add_dirs($dirs, '/vncterm/' => '/usr/share/vncterm/');
- add_dirs($dirs, '/novnc/' => '/usr/share/novnc-pve/');
+ add_dirs($dirs, '/novnc/' => "$basedirs->{novnc}/");
+ add_dirs($dirs, '/pve-docs/' => "$basedirs->{docs}/");
+ add_dirs($dirs, '/pve-docs/api-viewer/extjs/' => "$basedirs->{extjs}/");
+ add_dirs($dirs, '/pve2/css/' => "$basedirs->{manager}/css/");
+ add_dirs($dirs, '/pve2/ext6/', "$basedirs->{extjs}/");
+ add_dirs($dirs, '/pve2/fa/css/' => "$basedirs->{fontawesome}/css/");
+ add_dirs($dirs, '/pve2/fa/fonts/' => "$basedirs->{fontawesome}/fonts/");
+ add_dirs($dirs, '/pve2/font-logos/' => "$basedirs->{fontlogos}/");
+ add_dirs($dirs, '/pve2/images/' => "$basedirs->{manager}/images/");
+ add_dirs($dirs, '/pve2/js/' => "$basedirs->{manager}/js/");
+ add_dirs($dirs, '/pve2/locale/', "$basedirs->{i18n}/");
+ add_dirs($dirs, '/pve2/sencha-touch/', "$basedirs->{sencha_touch}/");
+ add_dirs($dirs, '/pve2/touch/', "$basedirs->{manager}/touch/");
+ add_dirs($dirs, '/pwt/css/' => "$basedirs->{widgettoolkit}/css/");
+ add_dirs($dirs, '/pwt/images/' => "$basedirs->{widgettoolkit}/images/");
+ add_dirs($dirs, '/pwt/themes/' => "$basedirs->{widgettoolkit}/themes/");
+ add_dirs($dirs, '/xtermjs/' => "$basedirs->{xtermjs}/");
$self->{server_config} = {
- base_handler_class => 'PVE::API2',
+ title => 'Proxmox VE API',
keep_alive => 100,
max_conn => 500,
max_requests => 1000,
deny_from => $proxyconf->{DENY_FROM},
policy => $proxyconf->{POLICY},
ssl => {
- # Note: older versions are considered insecure, for example
- # search for "Poodle"-Attac
- method => 'any',
- sslv2 => 0,
- sslv3 => 0,
- cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',
+ cipher_list => $proxyconf->{CIPHERS},
+ ciphersuites => $proxyconf->{CIPHERSUITES},
key_file => '/etc/pve/local/pve-ssl.key',
cert_file => '/etc/pve/local/pve-ssl.pem',
- dh => 'skip2048',
+ honor_cipher_order => $proxyconf->{HONOR_CIPHER_ORDER},
},
+ compression => $proxyconf->{COMPRESSION},
# Note: there is no authentication for those pages and dirs!
pages => {
- '/' => \&get_index,
+ '/' => sub { get_index($self->{nodename}, @_) },
# avoid authentication when accessing favicon
'/favicon.ico' => {
- file => '/usr/share/pve-manager/images/favicon.ico',
+ file => "$basedirs->{manager}/images/favicon.ico",
+ },
+ '/proxmoxlib.js' => {
+ file => "$basedirs->{widgettoolkit}/proxmoxlib.js",
+ },
+ '/qrcode.min.js' => {
+ file => '/usr/share/javascript/qrcodejs/qrcode.min.js',
},
},
dirs => $dirs,
};
+
+ if (defined($proxyconf->{DHPARAMS})) {
+ $self->{server_config}->{ssl}->{dh_file} = $proxyconf->{DHPARAMS};
+ }
+ if (defined($proxyconf->{DISABLE_TLS_1_2})) {
+ $self->{server_config}->{ssl}->{tlsv1_2} = !$proxyconf->{DISABLE_TLS_1_2};
+ }
+ if (defined($proxyconf->{DISABLE_TLS_1_3})) {
+ $self->{server_config}->{ssl}->{tlsv1_3} = !$proxyconf->{DISABLE_TLS_1_3};
+ }
+ my $custom_key_path = '/etc/pve/local/pveproxy-ssl.key';
+ if (defined($proxyconf->{TLS_KEY_FILE})) {
+ $custom_key_path = $proxyconf->{TLS_KEY_FILE};
+ }
+ if (-f '/etc/pve/local/pveproxy-ssl.pem' && -f $custom_key_path) {
+ $self->{server_config}->{ssl}->{cert_file} = '/etc/pve/local/pveproxy-ssl.pem';
+ $self->{server_config}->{ssl}->{key_file} = $custom_key_path;
+ syslog('info', 'Using \'/etc/pve/local/pveproxy-ssl.pem\' as certificate for the web interface.');
+ }
}
sub run {
# so we must be very careful here
sub get_index {
- my ($server, $r, $args) = @_;
+ my ($nodename, $server, $r, $args) = @_;
- my $lang = 'en';
+ my $lang;
my $username;
my $token = 'null';
+ my $theme = "auto";
if (my $cookie = $r->header('Cookie')) {
if (my $newlang = ($cookie =~ /(?:^|\s)PVELangCookie=([^;]*)/)[0]) {
$lang = $newlang;
}
}
- my $ticket = PVE::REST::extract_auth_cookie($cookie);
+
+ if (my $newtheme = ($cookie =~ /(?:^|\s)PVEThemeCookie=([^;]*)/)[0]) {
+ # theme names need to be kebab case, with each segment a maximum of 10 characters long
+ # and at most 6 segments
+ if ($newtheme =~ m/^[a-z]{1,10}(-[a-z]{1,10}){0,5}$/) {
+ $theme = $newtheme;
+ }
+ }
+
+ my $ticket = PVE::APIServer::Formatter::extract_auth_value($cookie, $server->{cookie_name});
if (($username = PVE::AccessControl::verify_ticket($ticket, 1))) {
$token = PVE::AccessControl::assemble_csrf_prevention_token($username);
}
}
- $username = '' if !$username;
-
- my $mobile = is_phone($r->header('User-Agent')) ? 1 : 0;
-
- if (defined($args->{mobile})) {
- $mobile = $args->{mobile} ? 1 : 0;
+ if (!$lang) {
+ my $dc_conf = PVE::Cluster::cfs_read_file('datacenter.cfg');
+ $lang = $dc_conf->{language} // 'en';
}
- my $ext6;
- if (defined($args->{ext6})) {
- $ext6 = $args->{ext6} ? 1 : 0;
- }
-
- my $page;
-
- if (defined($args->{console}) && $args->{novnc}) {
- $page = PVE::NoVncIndex::get_index($lang, $username, $token, $args->{console});
- } elsif ($mobile) {
- $page = PVE::TouchIndex::get_index($lang, $username, $token, $args->{console});
- } elsif ($ext6 && $ext6_dir_exists) {
- $page = PVE::ExtJSIndex6::get_index($lang, $username, $token, $args->{console});
- } else {
- $page = PVE::ExtJSIndex::get_index($lang, $username, $token, $args->{console});
- }
- my $headers = HTTP::Headers->new(Content_Type => "text/html; charset=utf-8");
- my $resp = HTTP::Response->new(200, "OK", $headers, $page);
-
- return $resp;
-}
-
-1;
-
-__END__
+ my $mobile = (is_phone($r->header('User-Agent')) && (!defined($args->{mobile}) || $args->{mobile})) || $args->{mobile};
-=head1 NAME
+ my $novnc = defined($args->{console}) && $args->{novnc};
+ my $xtermjs = defined($args->{console}) && $args->{xtermjs};
-pveproxy - the PVE API proxy server
+ my $langfile = -f "$basedirs->{i18n}/pve-lang-$lang.js" ? 1 : 0;
-=head1 SYNOPSIS
+ my $version = PVE::pvecfg::version();
-=include synopsis
+ my $wtversionraw = PVE::Tools::file_read_firstline("$basedirs->{widgettoolkit}/proxmoxlib.js");
+ my $wtversion = $wtversionraw =~ m|^// (.*)$| ? $1 : '';
-=head1 DESCRIPTION
-
-This is the REST API proxy server, listening on port 8006. This is usually
-started as service using:
-
- # service pveproxy start
-
-=head1 Host based access control
-
-It is possible to configure apache2 like access control lists. Values are read
-from file /etc/default/pveproxy. For example:
-
- ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
- DENY_FROM="all"
- POLICY="allow"
-
-IP addresses can be specified using any syntax understoop by Net::IP. The
-name 'all' is an alias for '0/0'.
-
-The default policy is 'allow'.
+ my $debug = $server->{debug};
+ if (exists $args->{debug}) {
+ $debug = !defined($args->{debug}) || $args->{debug};
+ }
- Match | POLICY=deny | POLICY=allow
- ---------------------------|-------------|------------
- Match Allow only | allow | allow
- Match Deny only | deny | deny
- No match | deny | allow
- Match Both Allow & Deny | deny | allow
+ my $vars = {
+ lang => $lang,
+ langfile => $langfile,
+ username => $username || '',
+ token => $token,
+ console => $args->{console},
+ nodename => $nodename,
+ debug => $debug,
+ version => "$version",
+ wtversion => $wtversion,
+ theme => $theme,
+ };
-=head1 SSL Cipher Suite
+ # by default, load the normal index
+ my $dir = $basedirs->{manager};
-You can define the chiper list in /etc/default/pveproxy, for example
+ if ($novnc) {
+ $dir = $basedirs->{novnc};
+ } elsif ($xtermjs) {
+ $dir = $basedirs->{xtermjs};
+ } elsif ($mobile) {
+ $dir = "$basedirs->{manager}/touch";
+ }
- CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
+ my $page = '';
+ my $template = Template->new({ABSOLUTE => 1});
-Above is the default. See the ciphers(1) man page from the openssl
-package for list of all available options.
+ $template->process("$dir/index.html.tpl", $vars, \$page) || die $template->error(), "\n";
-=head1 FILES
+ my $headers = HTTP::Headers->new(Content_Type => "text/html; charset=utf-8");
+ my $resp = HTTP::Response->new(200, "OK", $headers, $page);
- /etc/default/pveproxy
+ return $resp;
+}
-=include pve_copyright
+1;