needed to keep tunnel connections alive.
> The Ping frame contains an opcode of 0x9.
> [...]
> The Pong frame contains an opcode of 0xA.
-- Section 5.5.2 cf. https://tools.ietf.org/html/rfc6455#section-5.5.2
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
In order to make websocket proxying feasible as a general tunnel, we need
to be able to transfer more than a few MB/s.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Based on an idea & RFC by Tim Marx, incorporating feedback by Thomas
Lamprecht. This will be extended to support API tokens in the
Authorization header as well, so make it generic.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
The libanyevent-perl version 7.140-3 included a fix for this.
It migrated to the then still-in-testing buster (which was not yet released)
on 07.04.2019 [0], and so we can safely revert this workaround again
here.
Although this was fixed since Buster was officially released, still
bump the version dependency on libanyevent-perl in debian/control.
A future libanyevent-perl will use "ffdhe3072" for DH; another good
reason to revert this, to not keep hardcoded parameters with possible
(future) security implications here.
[0]: https://tracker.debian.org/news/1037514/libanyevent-perl-7140-3-migrated-to-testing/
This reverts commit ea574439f7.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
For pmg, we need to send temporary files (for the attachment quarantine),
but we cannot know beforehand what content-type they have, so we
optionally pass it to send_file_start.
In that case we pass a hash with the open filehandle and the content-type.
This also removes the unnecessary open on the filename, since we open
it in send_file_start anyway...
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Avoids syslog/journal warnings like:
> Use of uninitialized value $v in substitution (s///) at
> /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 648.
if one passes a "value-less" GET argument to a request, e.g.,
GET /?debug
Besides the fact that this allows us to even use such arguments, it
also is a general improvement against a slight "syslog DoS attack",
because anybody can pass such parameters to the '/' page, and all
proxmox daemons providing an API/UI using libpve-http-server-perl
allow such requests unauthenticated (which itself is OK, as
else one could not show the login window at all). As each such
request produces two log lines in the syslog/journal, it's far from
ideal.
A simple reproducer of the possible outcome can be seen with the
following shell script using curl:
> PVEURL='127.0.0.1'
> ARGS='?a'; # send multiple args at once to amplify the per-connection cost
> for c in {a..z}; do for i in {0..9}; do ARGS="$ARGS&$c$i"; done; done
> while true; do curl --insecure --silent --output /dev/null "https://$PVEURL:8006$ARGS"; done
Not really bad, but not nice either: as logging is not too cheap, this
has some resource usage cost, and noise in the syslog is never nice.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
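The "value-less" argument case from the message above, as an added example that is not part of pve-http-server (which is Perl) and not the author's code: a small query-string parser that accepts `?debug` and `?a&b0&...` without ever operating on a missing value, compared against the standard-library parser, which silently drops such keys unless told to keep them. The reproducer's argument list is rebuilt here from the loops in the quoted curl script; all input is constructed.

```python
# Added example, not pve-http-server code: parse a URL query string so that
# arguments without a value ("?debug", "?a&b0") are accepted and normalised
# to an empty string instead of being decoded as an undefined value.
from urllib.parse import parse_qs, unquote_plus


def parse_query(query: str) -> dict:
    """Parse 'k=v&k2&k3=' into a dict; keys without '=' get the value ''."""
    params = {}
    if query.startswith('?'):
        query = query[1:]
    for pair in query.split('&'):
        if pair == '':
            continue                      # tolerate "a&&b" and a trailing '&'
        key, sep, value = pair.partition('=')
        # Guard: only decode a value that was actually present; a missing one
        # becomes '' so later substitutions never see an undefined value.
        params[unquote_plus(key)] = unquote_plus(value) if sep else ''
    return params


def stdlib_parse(query: str, keep_blank: bool) -> dict:
    """Reference behaviour of urllib: blank values vanish unless keep_blank_values=True."""
    return parse_qs(query.lstrip('?'), keep_blank_values=keep_blank)


def reproducer_query() -> str:
    """Rebuild the argument list from the curl reproducer's two loops (constructed)."""
    args = '?a'
    for c in 'abcdefghijklmnopqrstuvwxyz':
        for i in range(10):
            args += f'&{c}{i}'
    return args


if __name__ == '__main__':
    print(parse_query('?debug'))
    print(len(parse_query(reproducer_query())), 'arguments in one request')
```

The second print shows why the reproducer amplifies the cost: a single request carries 261 value-less arguments, each of which hit the unguarded substitution in the old code.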
This fixes the simple-demo, which was regressed with commit
8782148642, where we falsely assumed that
we always have an rpcenv instance here, but actually that's just
optional as it comes from our child class instance.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Avoid removing and unzipping the bootstrap source archive as many
times as ${BTDATA} has file entries: add an intermediate target for
the directory, which is the producer for all those BTDATA files, and
that directory then depends on the zip archive.
I mean, it would be even better to just use the libjs-bootstrap
package (and jQuery, for that matter) but that's a slightly bigger change
for now.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Effectively the same approach used in libanyevent-perl 7.140-3[0].
Stretch is also compatible with this, and we can remove it for
buster/PVE 6 once the libanyevent-perl package has transitioned
from unstable to buster; until then do it ourselves to have a
functioning api/proxy...
[0]: 7f3d5721bb
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
move the read_proxy_conf method into a new perl module
'PVE::APIServer::Utils'.
It now takes the proxy_name (e.g. pveproxy, pmgproxy) as a variable, used
for the configfile location (/etc/default/$proxy_name).
This serves as preparation to make pmgproxy configurable in the same way as
pveproxy.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
compression is set to true by default, and we only want to be able to
switch it off, not force it on.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
By making compression configurable the $nocomp flag in response got set to
the configured (or default) setting, irrespective of the explicitly passed
value to response.
This broke (e.g.) noVNC connections
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Rationale for disabling compression is the potential for being affected by
the BREACH (CVE-2013-3587) attack, and it's considered good practice for https
configuration (see e.g. [0]).
The default remains: to have compression enabled for compressible file-types.
[0] https://cipherli.st/
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Needed to fix #2069.
Preferring the ciphers set in the server, instead of relying on the offer of the
client, is considered good practice in TLS1.[012] (see e.g. [0]).
[0] https://cipherli.st/
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Commit a4d8bbafbe
introduced an additional empty line after '200 OK'
for remote-viewer 7 to work, but we also have to read this line
in our own proxy reader, else the connection to a remote node does
not work.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
The glib implementation of the http proxy correctly checks the
http response (response code, followed by an empty line),
so we need to answer with the correct status.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
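The proxy reply shape described in the two messages above (a status line followed by an empty line, which the reader must consume before the tunnelled bytes begin), as an added example. This is not pve-http-server or glib code; it is a stand-alone Python illustration with constructed byte strings, and the helper names are my own.

```python
# Added example, not pve-http-server code: the minimal reply a proxy gives
# once a tunnel is set up, and a reader that refuses to treat the tunnel as
# open until it has seen both the status line and the terminating empty line.

def proxy_response(status: int, reason: str) -> bytes:
    """Status line, then the empty line that ends the (header-less) response."""
    return f'HTTP/1.1 {status} {reason}\r\n\r\n'.encode('ascii')


def read_proxy_response(data: bytes):
    """Parse a proxy reply from a byte buffer.

    Returns (status_code, leftover_bytes) once the empty line has arrived,
    or None while the response is still incomplete. Everything after the
    empty line belongs to the tunnelled stream and must not be consumed here.
    """
    end = data.find(b'\r\n\r\n')
    if end < 0:
        return None                                  # empty line not seen yet
    head, rest = data[:end], data[end + 4:]
    status_line = head.split(b'\r\n', 1)[0]
    parts = status_line.split(b' ', 2)
    if len(parts) < 2 or not parts[0].startswith(b'HTTP/') or not parts[1].isdigit():
        raise ValueError('malformed proxy status line')
    return int(parts[1]), rest


def tunnel_established(data: bytes) -> bool:
    """True only for a complete reply with status 200; anything else is a failure."""
    parsed = read_proxy_response(data)
    return parsed is not None and parsed[0] == 200


if __name__ == '__main__':
    reply = proxy_response(200, 'OK') + b'\x16\x03\x01'   # constructed: TLS record start
    print(read_proxy_response(reply), tunnel_established(reply))
```

A reader that stops after the status line would hand the leftover `\r\n` to the TLS layer as the first tunnelled bytes, which is the remote-node failure the first message describes.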
AnyEvent checks rbuf_max after calling the callback (too late), so
we can receive larger data, because AnyEvent uses MAX_READ_SIZE=131072
to fill the buffer.
So a more elegant solution is to set $max_payload_size=128*1024. At least
I am not able to receive rbuf larger than 128*1024 now. But I keep the
protection from the previous patch - just to be sure.
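The WebSocket keepalive frames quoted from RFC 6455 at the top of this page (Ping opcode 0x9, Pong opcode 0xA) and the $max_payload_size=128*1024 limit from the message above, as one added example. This is not pve-http-server code (which is Perl) and not the project's frame handling; it is a stand-alone Python framer that checks the declared payload length before any payload is buffered, which is the ordering point made above about rbuf_max being checked too late. Opcode constants follow the RFC; all sample data is constructed.

```python
# Added example, not pve-http-server code: RFC 6455 frame encode/decode with a
# payload-size check applied before the payload is read, and Ping -> Pong handling.
import os
import struct

MAX_PAYLOAD_SIZE = 128 * 1024          # same ceiling as the 128*1024 above

OPCODE_TEXT, OPCODE_BINARY = 0x1, 0x2
OPCODE_CLOSE, OPCODE_PING, OPCODE_PONG = 0x8, 0x9, 0xA   # RFC 6455 5.5


def encode_frame(opcode: int, payload: bytes, mask: bool = False, fin: bool = True) -> bytes:
    """Build one frame; client-to-server frames must set mask=True (RFC 6455 5.3)."""
    if opcode in (OPCODE_CLOSE, OPCODE_PING, OPCODE_PONG) and (len(payload) > 125 or not fin):
        raise ValueError('control frames must be unfragmented and <= 125 bytes')
    head = bytes([(0x80 if fin else 0) | opcode])
    n, mask_bit = len(payload), (0x80 if mask else 0)
    if n < 126:
        head += bytes([mask_bit | n])
    elif n < 1 << 16:
        head += bytes([mask_bit | 126]) + struct.pack('!H', n)
    else:
        head += bytes([mask_bit | 127]) + struct.pack('!Q', n)
    if not mask:
        return head + payload
    key = os.urandom(4)
    return head + key + bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def decode_frame(data: bytes, max_payload: int = MAX_PAYLOAD_SIZE):
    """Return (fin, opcode, payload, bytes_consumed), or None if more data is needed.

    The declared length is compared against max_payload as soon as the header
    is parsed, so an oversized frame is rejected before its body is buffered.
    """
    if len(data) < 2:
        return None
    fin, opcode = bool(data[0] & 0x80), data[0] & 0x0F
    masked, n, pos = bool(data[1] & 0x80), data[1] & 0x7F, 2
    if n == 126:
        if len(data) < 4:
            return None
        n, pos = struct.unpack('!H', data[2:4])[0], 4
    elif n == 127:
        if len(data) < 10:
            return None
        n, pos = struct.unpack('!Q', data[2:10])[0], 10
    if n > max_payload:
        raise ValueError(f'declared payload {n} exceeds max_payload_size {max_payload}')
    key = None
    if masked:
        if len(data) < pos + 4:
            return None
        key, pos = data[pos:pos + 4], pos + 4
    if len(data) < pos + n:
        return None
    payload = data[pos:pos + n]
    if key is not None:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return fin, opcode, payload, pos + n


def handle_control(opcode: int, payload: bytes):
    """Keepalive: a Ping is answered with a Pong carrying the same application data."""
    if opcode == OPCODE_PING:
        return encode_frame(OPCODE_PONG, payload)
    return None


if __name__ == '__main__':
    ping = encode_frame(OPCODE_PING, b'keepalive', mask=True)   # constructed client ping
    fin, op, body, used = decode_frame(ping)
    print(hex(op), body, used, handle_control(op, body))
```

Because the length check sits between header parsing and body buffering, a peer advertising a 64-bit length cannot make the reader allocate or accumulate more than the configured ceiling, regardless of how large the underlying socket read chunks are.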