#!/usr/bin/perl -T $ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin'; delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; use strict; use warnings; use English; use Getopt::Long; use POSIX ":sys_wait_h"; use Socket; use IO::Socket::INET; use PVE::SafeSyslog; use PVE::APIDaemon; use HTTP::Response; use Encode; use URI; use URI::QueryParam; use File::Find; use Data::Dumper; use PVE::API2; use PVE::API2::Formatter::Standard; use PVE::API2::Formatter::HTML; use PVE::ExtJSIndex; use PVE::NoVncIndex; my $pidfile = "/var/run/pveproxy/pveproxy.pid"; my $lockfile = "/var/lock/pveproxy.lck"; my $opt_debug; initlog ('pveproxy'); if (!GetOptions ('debug' => \$opt_debug)) { die "usage: $0 [--debug]\n"; } $SIG{'__WARN__'} = sub { my $err = $@; my $t = $_[0]; chomp $t; syslog('warning', "WARNING: %s", $t); $@ = $err; }; $0 = "pveproxy"; # run as www-data my $gid = getgrnam('www-data') || die "getgrnam failed - $!\n"; POSIX::setgid($gid) || die "setgid $gid failed - $!\n"; $EGID = "$gid $gid"; # this calls setgroups my $uid = getpwnam('www-data') || die "getpwnam failed - $!\n"; POSIX::setuid($uid) || die "setuid $uid failed - $!\n"; # just to be sure die "detected strange uid/gid\n" if !($UID == $uid && $EUID == $uid && $GID eq "$gid $gid" && $EGID eq "$gid $gid"); my $proxyconf = PVE::APIDaemon::read_proxy_config(); sub add_dirs { my ($result_hash, $alias, $subdir) = @_; $result_hash->{$alias} = $subdir; my $wanted = sub { my $dir = $File::Find::dir; if ($dir =~m!^$subdir(.*)$!) { my $name = "$alias$1/"; $result_hash->{$name} = "$dir/"; } }; find({wanted => $wanted, follow => 0, no_chdir => 1}, $subdir); } my $cpid; my $daemon; eval { my $dirs = {}; add_dirs($dirs, '/pve2/locale/', '/usr/share/pve-manager/locale/'); add_dirs($dirs, '/pve2/ext4/', '/usr/share/pve-manager/ext4/'); add_dirs($dirs, '/pve2/images/' => '/usr/share/pve-manager/images/'); add_dirs($dirs, '/pve2/css/' => '/usr/share/pve-manager/css/'); add_dirs($dirs, '/pve2/js/' => '/usr/share/pve-manager/js/'); add_dirs($dirs, '/vncterm/' => '/usr/share/vncterm/'); add_dirs($dirs, '/novnc/' => '/usr/share/novnc-pve/'); $daemon = PVE::APIDaemon->new( base_handler_class => 'PVE::API2', port => 8006, keep_alive => 100, max_conn => 500, max_requests => 1000, debug => $opt_debug, allow_from => $proxyconf->{ALLOW_FROM}, deny_from => $proxyconf->{DENY_FROM}, policy => $proxyconf->{POLICY}, trusted_env => 0, # not trusted, anyone can connect logfile => '/var/log/pveproxy/access.log', lockfile => $lockfile, ssl => { cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5', key_file => '/etc/pve/local/pve-ssl.key', cert_file => '/etc/pve/local/pve-ssl.pem', }, # Note: there is no authentication for those pages and dirs! pages => { '/' => \&get_index, # avoid authentication when accessing favicon '/favicon.ico' => { file => '/usr/share/pve-manager/images/favicon.ico', }, }, dirs => $dirs, ); }; my $err = $@; if ($err) { syslog ('err' , "unable to start server: $err"); print STDERR $err; exit (-1); } if ($opt_debug || !($cpid = fork ())) { $SIG{PIPE} = 'IGNORE'; $SIG{INT} = 'IGNORE' if !$opt_debug; $SIG{TERM} = $SIG{QUIT} = sub { syslog ('info' , "server closing"); $SIG{INT} = 'DEFAULT'; unlink "$pidfile" if !$opt_debug; exit (0); }; syslog ('info' , "starting server"); if (!$opt_debug) { # redirect STDIN/STDOUT/SDTERR to /dev/null open STDIN, '/dev/null' || die "can't write /dev/null [$!]"; open STDERR, '>&STDOUT' || die "can't open STDERR to STDOUT [$!]"; } POSIX::setsid(); eval { $daemon->start_server(); }; my $err = $@; if ($err) { syslog ('err' , "unexpected server error: $err"); print STDERR $err if $opt_debug; exit (-1); } } else { open (PIDFILE, ">$pidfile") || die "cant write '$pidfile' - $! :ERROR"; print PIDFILE "$cpid\n"; close (PIDFILE) || die "cant write '$pidfile' - $! :ERROR"; } exit (0); # NOTE: Requests to those pages are not authenticated # so we must be very careful here sub get_index { my ($server, $r, $args) = @_; my $lang = 'en'; my $username; my $token = 'null'; if (my $cookie = $r->header('Cookie')) { if (my $newlang = ($cookie =~ /(?:^|\s)PVELangCookie=([^;]*)/)[0]) { if ($newlang =~ m/^[a-z]{2,3}(_[A-Z]{2,3})?$/) { $lang = $newlang; } } my $ticket = PVE::REST::extract_auth_cookie($cookie); if (($username = PVE::AccessControl::verify_ticket($ticket, 1))) { $token = PVE::AccessControl::assemble_csrf_prevention_token($username); } } $username = '' if !$username; my $page; if (defined($args->{console}) && $args->{novnc}) { $page = PVE::NoVncIndex::get_index($lang, $username, $token, $args->{console}); } else { $page = PVE::ExtJSIndex::get_index($lang, $username, $token, $args->{console}); } my $headers = HTTP::Headers->new(Content_Type => "text/html; charset=utf-8"); my $resp = HTTP::Response->new(200, "OK", $headers, $page); return $resp; } __END__ =head1 NAME pveproxy - the PVE API proxy server =head1 SYNOPSIS pveproxy [--debug] =head1 DESCRIPTION This is the REST API proxy server, listening on port 8006. This is usually started as service using: # service pveproxy start =head1 Host based access control It is possible to configure apache2 like access control lists. Values are read from file /etc/default/pveproxy. For example: ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22" DENY_FROM="all" POLICY="allow" IP addresses can be specified using any syntax understoop by Net::IP. The name 'all' is an alias for '0/0'. The default policy is 'allow'. Match | POLICY=deny | POLICY=allow ---------------------------|-------------|------------ Match Allow only | allow | allow Match Deny only | deny | deny No match | deny | allow Match Both Allow & Deny | deny | allow =head1 SSL Cipher Suite You can define the chiper list in /etc/default/pveproxy, for example CIPHERS="HIGH:MEDIUM:!aNULL:!MD5" Above is the default. See the ciphers(1) man page from the openssl package for list of all available options. =head1 FILES /etc/default/pveproxy =head1 COPYRIGHT AND DISCLAIMER Copyright (C) 2007-2013 Proxmox Server Solutions GmbH This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. You should have received a copy of the GNU Affero General Public License along with this program. If not, see .