Skip to content

P
pve-manager
Commit 3ffb722d authored by Dietmar Maurer's avatar Dietmar Maurer
Browse files
Options

reuse host based access control code for spiceproxy

parent f3de8a0b
Hide whitespace changes
Inline Side-by-side
Showing with 59 additions and 73 deletions
PVE/APIDaemon.pm
View file @ 3ffb722d
......@@ -5,6 +5,7 @@ use warnings;
use POSIX ":sys_wait_h";
use Socket qw(IPPROTO_TCP TCP_NODELAY SOMAXCONN);
use IO::Socket::INET;
use Net::IP;
use PVE::SafeSyslog;
use PVE::HTTPServer;
......@@ -191,4 +192,38 @@ sub start_server {
}
}
sub read_proxy_config {
my $conffile = "/etc/default/pveproxy";
# Note: evaluate with bash
my $shcmd = ". $conffile;\n";
$shcmd .= 'echo \"ALLOW_FROM:\$ALLOW_FROM\";';
$shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
$shcmd .= 'echo \"POLICY:\$POLICY\";';
my $data = `bash -c "$shcmd"`;
my $res = {};
while ($data =~ s/^(.*)\n//) {
my ($key, $value) = split(/:/, $1, 2);
if ($key eq 'ALLOW_FROM' || $key eq 'DENY_FROM') {
my $ips = [];
foreach my $ip (split(/,/, $value)) {
$ip = "0/0" if $ip eq 'all';
push @$ips, Net::IP->new($ip) || die Net::IP::Error() . "\n";
}
$res->{$key} = $ips;
} elsif ($key eq 'POLICY') {
die "unknown policy '$value'\n" if $value !~ m/^(allow|deny)$/;
$res->{$key} = $value;
} else {
# silently skip everythin else?
}
}
return $res;
}
1;
bin/init.d/pveproxy
View file @ 3ffb722d
......@@ -31,25 +31,8 @@ DAEMON_OPTS=""
# Include defaults if available
if [ -f /etc/default/$NAME ] ; then
ALLOW_FROM=""
DENY_FROM=""
POLICY=""
. /etc/default/$NAME
if [ -n "$ALLOW_FROM" ] ; then
DAEMON_OPTS="${DAEMON_OPTS} --allow-from ${ALLOW_FROM}"
fi
if [ -n "$DENY_FROM" ] ; then
DAEMON_OPTS="${DAEMON_OPTS} --deny-from ${DENY_FROM}"
fi
if [ -n "$POLICY" ] ; then
DAEMON_OPTS="${DAEMON_OPTS} --policy $POLICY"
fi
fi
case "$1" in
start)
......
bin/init.d/spiceproxy
View file @ 3ffb722d
......@@ -31,25 +31,8 @@ DAEMON_OPTS=""
# Include defaults if available
if [ -f /etc/default/$NAME ] ; then
ALLOW_FROM=""
DENY_FROM=""
POLICY=""
. /etc/default/$NAME
if [ -n "$ALLOW_FROM" ] ; then
DAEMON_OPTS="${DAEMON_OPTS} --allow-from ${ALLOW_FROM}"
fi
if [ -n "$DENY_FROM" ] ; then
DAEMON_OPTS="${DAEMON_OPTS} --deny-from ${DENY_FROM}"
fi
if [ -n "$POLICY" ] ; then
DAEMON_OPTS="${DAEMON_OPTS} --policy $POLICY"
fi
fi
case "$1" in
start)
......
bin/pveproxy
View file @ 3ffb722d
......@@ -18,47 +18,16 @@ use URI;
use URI::QueryParam;
use File::Find;
use Data::Dumper;
use Net::IP;
my $pidfile = "/var/run/pveproxy/pveproxy.pid";
my $lockfile = "/var/lock/pveproxy.lck";
my $opt_debug;
my $opt_allow_from;
my $opt_deny_from;
my $opt_policy;
initlog ('pveproxy');
if (!GetOptions ('allow-from=s@' => \$opt_allow_from,
'deny-from=s@' => \$opt_deny_from,
'policy=s' => \$opt_policy,
'debug' => \$opt_debug)) {
die "usage: $0 [--allow-from CIDR{,CIRD}] [--deny-from CIDR{,CIRD}] [--policy (allow|deny)] [--debug]\n";
}
$opt_deny_from = [ split(/,/, join(',', @$opt_deny_from)) ] if $opt_deny_from;
$opt_allow_from = [ split(/,/, join(',', @$opt_allow_from)) ] if $opt_allow_from;
die "unknown policy '$opt_policy'\n" if $opt_policy && $opt_policy !~ m/^(allow|deny)$/;
if ($opt_deny_from) {
my $ips = [];
foreach my $ip (@$opt_deny_from) {
$ip = "0/0" if $ip eq 'all';
push @$ips, Net::IP->new($ip) || die Net::IP::Error() . "\n";
}
$opt_deny_from = $ips;
}
if ($opt_allow_from) {
my $ips = [];
foreach my $ip (@$opt_allow_from) {
$ip = "0/0" if $ip eq 'all';
push @$ips, Net::IP->new($ip) || die Net::IP::Error() . "\n";
}
$opt_allow_from = $ips;
if (!GetOptions ('debug' => \$opt_debug)) {
die "usage: $0 [--debug]\n";
}
$SIG{'__WARN__'} = sub {
......@@ -81,6 +50,8 @@ POSIX::setuid($uid) || die "setuid $uid failed - $!\n";
# just to be sure
die "detected strange uid/gid\n" if !($UID == $uid && $EUID == $uid && $GID eq "$gid $gid" && $EGID eq "$gid $gid");
my $proxyconf = PVE::APIDaemon::read_proxy_config();
sub add_dirs {
my ($result_hash, $alias, $subdir) = @_;
......@@ -114,9 +85,9 @@ eval {
max_conn => 500,
max_requests => 1000,
debug => $opt_debug,
allow_from => $opt_allow_from,
deny_from => $opt_deny_from,
policy => $opt_policy,
allow_from => $proxyconf->{ALLOW_FROM},
deny_from => $proxyconf->{DENY_FROM},
policy => $proxyconf->{POLICY},
trusted_env => 0, # not trusted, anyone can connect
logfile => '/var/log/pveproxy/access.log',
lockfile => $lockfile,
......@@ -286,7 +257,7 @@ pveproxy - the PVE API proxy server
=head1 SYNOPSIS
pveproxy [--allow-from CIDR{,CIRD}] [--deny-from CIDR{,CIRD}] [--policy (allow|deny)] [--debug]
pveproxy [--debug]
=head1 DESCRIPTION
......@@ -297,8 +268,7 @@ as service using:
=head1 Host based access control
Options '--allow-from', '--deny-from' and '--policy' can be used to set up
apache2 like access control. If started as service, those values are read
It is possible to configure apache2 like access control lists. Values are read
from file /etc/default/pveproxy. For example:
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
......
bin/spiceproxy
View file @ 3ffb722d
......@@ -44,6 +44,9 @@ POSIX::setuid($uid) || die "setuid $uid failed - $!\n";
# just to be sure
die "detected strange uid/gid\n" if !($UID == $uid && $EUID == $uid && $GID eq "$gid $gid" && $EGID eq "$gid $gid");
# we use same ALLOW/DENY/POLICY as pveproxy
my $proxyconf = PVE::APIDaemon::read_proxy_config();
my $cpid;
my $daemon;
eval {
......@@ -56,6 +59,9 @@ eval {
debug => $opt_debug,
spiceproxy => 1,
logfile => '/var/log/pveproxy/access.log',
allow_from => $proxyconf->{ALLOW_FROM},
deny_from => $proxyconf->{DENY_FROM},
policy => $proxyconf->{POLICY},
);
};
......@@ -129,6 +135,15 @@ spiceproxy [--debug]
SPICE proxy server for Proxmox VE. Listens on port 3128.
=head1 Host based access control
It is possible to configure apache2 like access control lists. Values are read
from file /etc/default/pveproxy (see 'pveproxy' for details).
=head1 FILES
/etc/default/pveproxy
=head1 COPYRIGHT AND DISCLAIMER
Copyright (C) 2007-2013 Proxmox Server Solutions GmbH
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Technounit-GROUP 2023