Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
P
pve-manager
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Administrator
pve-manager
Commits
b86b0d29
Commit
b86b0d29
authored
Sep 04, 2015
by
Dietmar Maurer
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
convert pveproxy into a PVE::Service class
parent
56a626d1
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
282 additions
and
262 deletions
+282
-262
Makefile
PVE/Service/Makefile
+10
-0
pveproxy.pm
PVE/Service/pveproxy.pm
+261
-0
Makefile
bin/Makefile
+8
-2
pveproxy
bin/pveproxy
+3
-260
No files found.
PVE/Service/Makefile
0 → 100644
View file @
b86b0d29
include
../../defines.mk
SOURCES
=
pvestatd.pm pveproxy.pm
.PHONY
:
install
install
:
${SOURCES}
install
-d
-m
0755
${
PERLLIBDIR
}
/PVE/Service
for
i
in
${
SOURCES
}
;
do
install
-D
-m
0644
$$
i
${
PERLLIBDIR
}
/PVE/Service/
$$
i
;
done
clean
:
PVE/Service/pveproxy.pm
0 → 100755
View file @
b86b0d29
package
PVE::Service::
pveproxy
;
use
strict
;
use
warnings
;
use
PVE::
SafeSyslog
;
use
PVE::
Daemon
;
use
HTTP::
Response
;
use
Encode
;
use
URI
;
use
URI::
QueryParam
;
use
File::
Find
;
use
Data::
Dumper
;
use
PVE::
API2Tools
;
use
PVE::
API2
;
use
PVE::API2::Formatter::
Standard
;
use
PVE::API2::Formatter::
HTML
;
use
PVE::
HTTPServer
;
use
PVE::
ExtJSIndex
;
use
PVE::
ExtJSIndex5
;
use
PVE::
NoVncIndex
;
use
PVE::
TouchIndex
;
use
PVE::
Tools
;
use
base
qw(PVE::Daemon)
;
my
$cmdline
=
[
$0
,
@ARGV
];
my
%
daemon_options
=
(
max_workers
=>
3
,
restart_on_error
=>
5
,
stop_wait_time
=>
15
,
leave_children_open_on_reload
=>
1
,
setuid
=>
'
www-data
',
setgid
=>
'
www-data
',
pidfile
=>
'
/var/run/pveproxy/pveproxy.pid
',
);
my
$daemon
=
__PACKAGE__
->
new
('
pveproxy
',
$cmdline
,
%
daemon_options
);
sub
add_dirs
{
my
(
$result_hash
,
$alias
,
$subdir
)
=
@_
;
$result_hash
->
{
$alias
}
=
$subdir
;
my
$wanted
=
sub
{
my
$dir
=
$
File::Find::
dir
;
if
(
$dir
=~
m!^$subdir(.*)$!
)
{
my
$name
=
"
$alias
$1/
";
$result_hash
->
{
$name
}
=
"
$dir
/
";
}
};
find
({
wanted
=>
$wanted
,
follow
=>
0
,
no_chdir
=>
1
},
$subdir
);
}
sub
init
{
my
(
$self
)
=
@_
;
# we use same ALLOW/DENY/POLICY as pveproxy
my
$proxyconf
=
PVE::API2Tools::
read_proxy_config
();
my
$accept_lock_fn
=
"
/var/lock/pveproxy.lck
";
my
$lockfh
=
IO::
File
->
new
("
>>
${accept_lock_fn}
")
||
die
"
unable to open lock file '
${accept_lock_fn}
' - $!
\n
";
my
$family
=
PVE::Tools::
get_host_address_family
(
$self
->
{
nodename
});
my
$socket
=
$self
->
create_reusable_socket
(
8006
,
undef
,
$family
);
my
$dirs
=
{};
add_dirs
(
$dirs
,
'
/pve2/locale/
',
'
/usr/share/pve-manager/locale/
');
add_dirs
(
$dirs
,
'
/pve2/touch/
',
'
/usr/share/pve-manager/touch/
');
add_dirs
(
$dirs
,
'
/pve2/ext4/
',
'
/usr/share/pve-manager/ext4/
');
add_dirs
(
$dirs
,
'
/pve2/ext5/
',
'
/usr/share/pve-manager/ext5/
');
add_dirs
(
$dirs
,
'
/pve2/manager5/
',
'
/usr/share/pve-manager/manager5/
');
add_dirs
(
$dirs
,
'
/pve2/images/
'
=>
'
/usr/share/pve-manager/images/
');
add_dirs
(
$dirs
,
'
/pve2/css/
'
=>
'
/usr/share/pve-manager/css/
');
add_dirs
(
$dirs
,
'
/pve2/js/
'
=>
'
/usr/share/pve-manager/js/
');
add_dirs
(
$dirs
,
'
/vncterm/
'
=>
'
/usr/share/vncterm/
');
add_dirs
(
$dirs
,
'
/novnc/
'
=>
'
/usr/share/novnc-pve/
');
$self
->
{
server_config
}
=
{
base_handler_class
=>
'
PVE::API2
',
keep_alive
=>
100
,
max_conn
=>
500
,
max_requests
=>
1000
,
lockfile
=>
$accept_lock_fn
,
socket
=>
$socket
,
lockfh
=>
$lockfh
,
debug
=>
$self
->
{
debug
},
trusted_env
=>
0
,
# not trusted, anyone can connect
logfile
=>
'
/var/log/pveproxy/access.log
',
allow_from
=>
$proxyconf
->
{
ALLOW_FROM
},
deny_from
=>
$proxyconf
->
{
DENY_FROM
},
policy
=>
$proxyconf
->
{
POLICY
},
ssl
=>
{
# Note: older versions are considered insecure, for example
# search for "Poodle"-Attac
method
=>
'
tlsv1
',
sslv2
=>
0
,
sslv3
=>
0
,
cipher_list
=>
$proxyconf
->
{
CIPHERS
}
||
'
HIGH:MEDIUM:!aNULL:!MD5
',
key_file
=>
'
/etc/pve/local/pve-ssl.key
',
cert_file
=>
'
/etc/pve/local/pve-ssl.pem
',
},
# Note: there is no authentication for those pages and dirs!
pages
=>
{
'
/
'
=>
\&
get_index
,
# avoid authentication when accessing favicon
'
/favicon.ico
'
=>
{
file
=>
'
/usr/share/pve-manager/images/favicon.ico
',
},
},
dirs
=>
$dirs
,
};
}
sub
run
{
my
(
$self
)
=
@_
;
my
$server
=
PVE::
HTTPServer
->
new
(
%
{
$self
->
{
server_config
}});
$server
->
run
();
}
$daemon
->
register_start_command
();
$daemon
->
register_restart_command
(
1
);
$daemon
->
register_stop_command
();
$daemon
->
register_status_command
();
our
$cmddef
=
{
start
=>
[
__PACKAGE__
,
'
start
',
[]
],
restart
=>
[
__PACKAGE__
,
'
restart
',
[]
],
stop
=>
[
__PACKAGE__
,
'
stop
',
[]
],
status
=>
[
__PACKAGE__
,
'
status
',
[]
,
undef
,
sub
{
print
shift
.
"
\n
";}
],
};
sub
is_phone
{
my
(
$ua
)
=
@_
;
return
0
if
!
$ua
;
return
1
if
$ua
=~
m/(iPhone|iPod|Windows Phone)/
;
if
(
$ua
=~
m/Mobile(\/|\s)/
)
{
return
1
if
$ua
=~
m/(BlackBerry|BB)/
;
return
1
if
(
$ua
=~
m/(Android)/
)
&&
(
$ua
!~
m/(Silk)/
);
}
return
0
;
}
# NOTE: Requests to those pages are not authenticated
# so we must be very careful here
sub
get_index
{
my
(
$server
,
$r
,
$args
)
=
@_
;
my
$lang
=
'
en
';
my
$username
;
my
$token
=
'
null
';
if
(
my
$cookie
=
$r
->
header
('
Cookie
'))
{
if
(
my
$newlang
=
(
$cookie
=~
/(?:^|\s)PVELangCookie=([^;]*)/
)[
0
])
{
if
(
$newlang
=~
m/^[a-z]{2,3}(_[A-Z]{2,3})?$/
)
{
$lang
=
$newlang
;
}
}
my
$ticket
=
PVE::REST::
extract_auth_cookie
(
$cookie
);
if
((
$username
=
PVE::AccessControl::
verify_ticket
(
$ticket
,
1
)))
{
$token
=
PVE::AccessControl::
assemble_csrf_prevention_token
(
$username
);
}
}
$username
=
''
if
!
$username
;
my
$mobile
=
is_phone
(
$r
->
header
('
User-Agent
'))
?
1
:
0
;
if
(
defined
(
$args
->
{
mobile
}))
{
$mobile
=
$args
->
{
mobile
}
?
1
:
0
;
}
my
$ext5
;
if
(
defined
(
$args
->
{
ext5
}))
{
$ext5
=
$args
->
{
ext5
}
?
1
:
0
;
}
my
$page
;
if
(
defined
(
$args
->
{
console
})
&&
$args
->
{
novnc
})
{
$page
=
PVE::NoVncIndex::
get_index
(
$lang
,
$username
,
$token
,
$args
->
{
console
});
}
elsif
(
$mobile
)
{
$page
=
PVE::TouchIndex::
get_index
(
$lang
,
$username
,
$token
,
$args
->
{
console
});
}
elsif
(
$ext5
)
{
$page
=
PVE::ExtJSIndex5::
get_index
(
$lang
,
$username
,
$token
,
$args
->
{
console
});
}
else
{
$page
=
PVE::ExtJSIndex::
get_index
(
$lang
,
$username
,
$token
,
$args
->
{
console
});
}
my
$headers
=
HTTP::
Headers
->
new
(
Content_Type
=>
"
text/html; charset=utf-8
");
my
$resp
=
HTTP::
Response
->
new
(
200
,
"
OK
",
$headers
,
$page
);
return
$resp
;
}
1
;
__END__
=head1 NAME
pveproxy - the PVE API proxy server
=head1 SYNOPSIS
=include synopsis
=head1 DESCRIPTION
This is the REST API proxy server, listening on port 8006. This is usually
started as service using:
# service pveproxy start
=head1 Host based access control
It is possible to configure apache2 like access control lists. Values are read
from file /etc/default/pveproxy. For example:
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
IP addresses can be specified using any syntax understoop by Net::IP. The
name 'all' is an alias for '0/0'.
The default policy is 'allow'.
Match | POLICY=deny | POLICY=allow
---------------------------|-------------|------------
Match Allow only | allow | allow
Match Deny only | deny | deny
No match | deny | allow
Match Both Allow & Deny | deny | allow
=head1 SSL Cipher Suite
You can define the chiper list in /etc/default/pveproxy, for example
CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
Above is the default. See the ciphers(1) man page from the openssl
package for list of all available options.
=head1 FILES
/etc/default/pveproxy
=include pve_copyright
bin/Makefile
View file @
b86b0d29
...
...
@@ -49,7 +49,10 @@ pvedaemon.1.pod: pvedaemon
perl
-I
..
-T
./pvedaemon printmanpod
>
$@
pveproxy.1.pod
:
pveproxy
perl
-I
..
-T
./pveproxy printmanpod
>
$@
perl
-I
..
-T
-e
"use PVE::Service::pveproxy; PVE::Service::pveproxy->generate_pod_manpage();"
>
$@
pveproxy.bash-completion
:
perl
-I
..
-T
-e
"use PVE::Service::pveproxy; PVE::Service::pveproxy->generate_bash_completions();"
>
$@
spiceproxy.1.pod
:
spiceproxy
perl
-I
..
-T
./spiceproxy printmanpod
>
$@
...
...
@@ -76,9 +79,11 @@ pvemailforward: pvemailforward.c
gcc
$<
-o
$@
-g
-O2
-Wall
-ldl
-lc
.PHONY
:
install
install
:
${SCRIPTS} ${MANS} pvemailforward vzdump.bash-completion pvestatd.bash-completion
install
:
${SCRIPTS} ${MANS} pvemailforward vzdump.bash-completion pvestatd.bash-completion
pveproxy.bash-completion
perl -I.. -T -e "use PVE
::
CLI::vzdump; PVE::CLI::vzdump->verify_api();"
perl
-I
..
-T
-e
"use PVE::Service::pvestatd; PVE::Service::pvestatd->verify_api();"
perl
-I
..
-T
-e
"use PVE::Service::pveproxy; PVE::Service::pveproxy->verify_api();"
perl
-I
.. ./pvesh verifyapi
install
-d
${
BINDIR
}
install
-m
0755
${
SCRIPTS
}
${
BINDIR
}
...
...
@@ -90,6 +95,7 @@ install: ${SCRIPTS} ${MANS} pvemailforward vzdump.bash-completion pvestatd.bash-
install
-m
0644 pvesubscription.1.pod
${
PODDIR
}
install
-m
0644
-D
vzdump.bash-completion
${
BASHCOMPLDIR
}
/vzdump
install
-m
0644
-D
pvestatd.bash-completion
${
BASHCOMPLDIR
}
/pvestatd
install
-m
0644
-D
pveproxy.bash-completion
${
BASHCOMPLDIR
}
/pveproxy
set
-e
&&
for
i
in
${
SUBDIRS
}
;
do
${
MAKE
}
-C
$$
i
$@
;
done
.PHONY
:
distclean
...
...
bin/pveproxy
View file @
b86b0d29
...
...
@@ -7,28 +7,7 @@ delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
use
strict
;
use
warnings
;
use
PVE
::
SafeSyslog
;
use
PVE
::
Daemon
;
use
HTTP
::
Response
;
use
Encode
;
use
URI
;
use
URI
::
QueryParam
;
use
File
::
Find
;
use
Data
::
Dumper
;
use
PVE
::
API2Tools
;
use
PVE
::
API2
;
use
PVE
::
API2
::
Formatter
::
Standard
;
use
PVE
::
API2
::
Formatter
::
HTML
;
use
PVE
::
HTTPServer
;
use
PVE
::
ExtJSIndex
;
use
PVE
::
ExtJSIndex5
;
use
PVE
::
NoVncIndex
;
use
PVE
::
TouchIndex
;
use
PVE
::
Tools
;
use
base
qw
(
PVE
::
Daemon
);
use
PVE::Service::
pveproxy
;
$SIG
{'
__WARN__
'}
=
sub
{
my
$err
=
$@
;
...
...
@@ -39,249 +18,13 @@ $SIG{'__WARN__'} = sub {
$@
=
$err
;
};
my
$
cmdline
=
[$
0
,
@
ARGV
];
my
%
daemon_options
=
(
max_workers
=>
3
,
restart_on_error
=>
5
,
stop_wait_time
=>
15
,
leave_children_open_on_reload
=>
1
,
setuid
=>
'www-data'
,
setgid
=>
'www-data'
,
pidfile
=>
'/var/run/pveproxy/pveproxy.pid'
,
);
my
$
daemon
=
__PACKAGE__
->
new
(
'pveproxy'
,
$
cmdline
,
%
daemon_options
);
sub
prepare
{
my
$prepare
=
sub
{
my
$rundir
=
"
/var/run/pveproxy
";
if
(
mkdir
(
$rundir
,
0700
))
{
# only works at first start if we are root)
my
$gid
=
getgrnam
('
www-data
')
||
die
"
getgrnam failed - $!
\n
";
my
$uid
=
getpwnam
('
www-data
')
||
die
"
getpwnam failed - $!
\n
";
chown
(
$uid
,
$gid
,
$rundir
);
}
}
sub
add_dirs
{
my
($
result_hash
,
$
alias
,
$
subdir
)
=
@
_
;
$
result_hash
->{$
alias
}
=
$
subdir
;
my
$
wanted
=
sub
{
my
$
dir
=
$
File
::
Find
::
dir
;
if
($
dir
=~
m
!^$subdir(.*)$!) {
my
$
name
=
"$alias$1/"
;
$
result_hash
->{$
name
}
=
"$dir/"
;
}
};
find
({
wanted
=>
$
wanted
,
follow
=>
0
,
no_chdir
=>
1
},
$
subdir
);
}
sub
init
{
my
($
self
)
=
@
_
;
#
we
use
same
ALLOW
/
DENY
/
POLICY
as
pveproxy
my
$
proxyconf
=
PVE
::
API2Tools
::
read_proxy_config
();
my
$
accept_lock_fn
=
"/var/lock/pveproxy.lck"
;
my
$
lockfh
=
IO
::
File
->
new
(
">>${accept_lock_fn}"
)
||
die
"unable to open lock file '${accept_lock_fn}' - $!
\n
"
;
my
$
family
=
PVE
::
Tools
::
get_host_address_family
($
self
->{
nodename
});
my
$
socket
=
$
self
->
create_reusable_socket
(
8006
,
undef
,
$
family
);
my
$
dirs
=
{};
add_dirs
($
dirs
,
'/pve2/locale/'
,
'/usr/share/pve-manager/locale/'
);
add_dirs
($
dirs
,
'/pve2/touch/'
,
'/usr/share/pve-manager/touch/'
);
add_dirs
($
dirs
,
'/pve2/ext4/'
,
'/usr/share/pve-manager/ext4/'
);
add_dirs
($
dirs
,
'/pve2/ext5/'
,
'/usr/share/pve-manager/ext5/'
);
add_dirs
($
dirs
,
'/pve2/manager5/'
,
'/usr/share/pve-manager/manager5/'
);
add_dirs
($
dirs
,
'/pve2/images/'
=>
'/usr/share/pve-manager/images/'
);
add_dirs
($
dirs
,
'/pve2/css/'
=>
'/usr/share/pve-manager/css/'
);
add_dirs
($
dirs
,
'/pve2/js/'
=>
'/usr/share/pve-manager/js/'
);
add_dirs
($
dirs
,
'/vncterm/'
=>
'/usr/share/vncterm/'
);
add_dirs
($
dirs
,
'/novnc/'
=>
'/usr/share/novnc-pve/'
);
$
self
->{
server_config
}
=
{
base_handler_class
=>
'PVE::API2'
,
keep_alive
=>
100
,
max_conn
=>
500
,
max_requests
=>
1000
,
lockfile
=>
$
accept_lock_fn
,
socket
=>
$
socket
,
lockfh
=>
$
lockfh
,
debug
=>
$
self
->{
debug
},
trusted_env
=>
0
,
#
not
trusted
,
anyone
can
connect
logfile
=>
'/var/log/pveproxy/access.log'
,
allow_from
=>
$
proxyconf
->{
ALLOW_FROM
},
deny_from
=>
$
proxyconf
->{
DENY_FROM
},
policy
=>
$
proxyconf
->{
POLICY
},
ssl
=>
{
#
Note
:
older
versions
are
considered
insecure
,
for
example
#
search
for
"Poodle"
-
Attac
method
=>
'tlsv1'
,
sslv2
=>
0
,
sslv3
=>
0
,
cipher_list
=>
$
proxyconf
->{
CIPHERS
}
||
'HIGH:MEDIUM:!aNULL:!MD5'
,
key_file
=>
'/etc/pve/local/pve-ssl.key'
,
cert_file
=>
'/etc/pve/local/pve-ssl.pem'
,
},
#
Note
:
there
is
no
authentication
for
those
pages
and
dirs
!
pages
=>
{
'/'
=>
\&
get_index
,
#
avoid
authentication
when
accessing
favicon
'/favicon.ico'
=>
{
file
=>
'/usr/share/pve-manager/images/favicon.ico'
,
},
},
dirs
=>
$
dirs
,
};
}
sub
run
{
my
($
self
)
=
@
_
;
my
$
server
=
PVE
::
HTTPServer
->
new
(%{$
self
->{
server_config
}});
$
server
->
run
();
}
$
daemon
->
register_start_command
();
$
daemon
->
register_restart_command
(
1
);
$
daemon
->
register_stop_command
();
$
daemon
->
register_status_command
();
my
$
cmddef
=
{
start
=>
[
__PACKAGE__
,
'start'
,
[]],
restart
=>
[
__PACKAGE__
,
'restart'
,
[]],
stop
=>
[
__PACKAGE__
,
'stop'
,
[]],
status
=>
[
__PACKAGE__
,
'status'
,
[],
undef
,
sub
{
print
shift
.
"
\n
"
;}
],
};
my
$
cmd
=
shift
;
PVE
::
CLIHandler
::
handle_cmd
($
cmddef
,
$
0
,
$
cmd
,
\@
ARGV
,
undef
,
$
0
,
\&
prepare
);
exit
(
0
);
sub
is_phone
{
my
($
ua
)
=
@
_
;
return
0
if
!$ua;
return
1
if
$
ua
=~
m
/(
iPhone
|
iPod
|
Windows
Phone
)/;
if
($
ua
=~
m
/
Mobile
(\/|\
s
)/)
{
return
1
if
$
ua
=~
m
/(
BlackBerry
|
BB
)/;
return
1
if
($
ua
=~
m
/(
Android
)/)
&&
($
ua
!~ m/(Silk)/);
}
return
0
;
}
#
NOTE
:
Requests
to
those
pages
are
not
authenticated
#
so
we
must
be
very
careful
here
sub
get_index
{
my
($
server
,
$
r
,
$
args
)
=
@
_
;
my
$
lang
=
'en'
;
my
$
username
;
my
$
token
=
'null'
;
if
(
my
$
cookie
=
$
r
->
header
(
'Cookie'
))
{
if
(
my
$
newlang
=
($
cookie
=~
/(?:^|\
s
)
PVELangCookie
=([^;]*)/)[
0
])
{
if
($
newlang
=~
m
/^[
a
-
z
]{
2
,
3
}(
_
[
A
-
Z
]{
2
,
3
})?$/)
{
$
lang
=
$
newlang
;
}
}
my
$
ticket
=
PVE
::
REST
::
extract_auth_cookie
($
cookie
);
if
(($
username
=
PVE
::
AccessControl
::
verify_ticket
($
ticket
,
1
)))
{
$
token
=
PVE
::
AccessControl
::
assemble_csrf_prevention_token
($
username
);
}
}
$
username
=
''
if
!$username;
my
$
mobile
=
is_phone
($
r
->
header
(
'User-Agent'
))
?
1
:
0
;
if
(
defined
($
args
->{
mobile
}))
{
$
mobile
=
$
args
->{
mobile
}
?
1
:
0
;
}
my
$
ext5
;
if
(
defined
($
args
->{
ext5
}))
{
$
ext5
=
$
args
->{
ext5
}
?
1
:
0
;
}
my
$
page
;
if
(
defined
($
args
->{
console
})
&&
$
args
->{
novnc
})
{
$
page
=
PVE
::
NoVncIndex
::
get_index
($
lang
,
$
username
,
$
token
,
$
args
->{
console
});
}
elsif
($
mobile
)
{
$
page
=
PVE
::
TouchIndex
::
get_index
($
lang
,
$
username
,
$
token
,
$
args
->{
console
});
}
elsif
($
ext5
)
{
$
page
=
PVE
::
ExtJSIndex5
::
get_index
($
lang
,
$
username
,
$
token
,
$
args
->{
console
});
}
else
{
$
page
=
PVE
::
ExtJSIndex
::
get_index
($
lang
,
$
username
,
$
token
,
$
args
->{
console
});
}
my
$
headers
=
HTTP
::
Headers
->
new
(
Content_Type
=>
"text/html; charset=utf-8"
);
my
$
resp
=
HTTP
::
Response
->
new
(
200
,
"OK"
,
$
headers
,
$
page
);
return
$
resp
;
}
__END__
=
head1
NAME
pveproxy
-
the
PVE
API
proxy
server
=
head1
SYNOPSIS
=
include
synopsis
=
head1
DESCRIPTION
This
is
the
REST
API
proxy
server
,
listening
on
port
8006.
This
is
usually
started
as
service
using
:
#
service
pveproxy
start
=
head1
Host
based
access
control
It
is
possible
to
configure
apache2
like
access
control
lists
.
Values
are
read
from
file
/
etc
/
default
/
pveproxy
.
For
example
:
ALLOW_FROM
=
"10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM
=
"all"
POLICY
=
"allow"
IP
addresses
can
be
specified
using
any
syntax
understoop
by
Net
::
IP
.
The
name
'all'
is
an
alias
for
'0/0'
.
The
default
policy
is
'allow'
.
Match
|
POLICY
=
deny
|
POLICY
=
allow
---------------------------|-------------|------------
Match
Allow
only
|
allow
|
allow
Match
Deny
only
|
deny
|
deny
No
match
|
deny
|
allow
Match
Both
Allow
&
Deny
|
deny
|
allow
=
head1
SSL
Cipher
Suite
You
can
define
the
chiper
list
in
/
etc
/
default
/
pveproxy
,
for
example
CIPHERS
=
"HIGH:MEDIUM:!aNULL:!MD5"
Above
is
the
default
.
See
the
ciphers
(
1
)
man
page
from
the
openssl
package
for
list
of
all
available
options
.
=
head1
FILES
/
etc
/
default
/
pveproxy
=
include
pve_copyright
PVE::Service::
pveproxy
->
run_cli
(
undef
,
undef
,
$prepare
);
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment