* [pve-devel] [PATCH SERIES manager/http-server/docs v2 0/3] fix #5699: add support for real IP
From: Thomas Skinner @ 2024-12-12 3:27 UTC (permalink / raw)
To: pve-devel; +Cc: Thomas Skinner
This v2 patch series continues adding support for setting an HTTP header for passing through a client IP
address for logging purposes.
Changes since v1:
* fixed styling issues
* renamed fields to clearer, more appropriate names
* adjusted logging format back to previous, made option opt-in
pve-docs:
Thomas Skinner (1):
fix #5699: pveproxy: add docs for real IP support
pveproxy.adoc | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
pve-http-server:
Thomas Skinner (1):
fix #5699: pveproxy: add library methods for real IP support
src/PVE/APIServer/AnyEvent.pm | 38 ++++++++++++++++++++++++++++++++++-
src/PVE/APIServer/Utils.pm | 15 ++++++++++++++
2 files changed, 52 insertions(+), 1 deletion(-)
pve-manager:
Thomas Skinner (1):
fix #5699: pveproxy: add settings for real IP support
PVE/Service/pveproxy.pm | 2 ++
1 file changed, 2 insertions(+)
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [PATCH docs v2 1/3] fix #5699: pveproxy: add docs for real IP support
From: Thomas Skinner @ 2024-12-12 3:27 UTC (permalink / raw)
To: pve-devel; +Cc: Thomas Skinner
Signed-off-by: Thomas Skinner <thomas@atskinner.net>
---
pveproxy.adoc | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/pveproxy.adoc b/pveproxy.adoc
index 4b5dac0..29f54d7 100644
--- a/pveproxy.adoc
+++ b/pveproxy.adoc
@@ -198,6 +198,35 @@ content, if the client supports it. This can disabled in `/etc/default/pveproxy`
COMPRESSION=0
+[[pveproxy_real_ip]]
+Real Client IP Logging
+----------------------
+
+By default, `pveproxy` logs the IP address of the client that sent the request.
+In cases where a proxy server is in front of `pveproxy`, it may be desirable to
+log the IP of the client making the request instead of the proxy IP.
+
+To enable processing of a HTTP header set by the proxy for logging purposes, set
+`PROXY_REAL_IP_HEADER` to the name of the header to retrieve the client IP from. For
+example:
+
+ PROXY_REAL_IP_HEADER="X-Forwarded-For"
+
+Any invalid values passed in this header will be ignored.
+
+The default behavior is log the value in this header on all incoming requests.
+To define a list of proxy servers that should be trusted to set the above HTTP
+header, set `PROXY_REAL_IP_ALLOW_FROM`, for example:
+
+ PROXY_REAL_IP_ALLOW_FROM="192.168.0.2"
+
+The `PROXY_REAL_IP_ALLOW_FROM` setting also supports values similar to the `ALLOW_FROM`
+and `DENY_FROM` settings.
+
+IP addresses can be specified using any syntax understood by `Net::IP`. The
+name `all` is an alias for `0/0` and `::/0` (meaning all IPv4 and IPv6
+addresses).
+
ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]
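Review bot: the sentence "The default behavior is log the value in this header on all incoming requests." should read "is to log", and it should spell out what that default means: with `PROXY_REAL_IP_HEADER` set and `PROXY_REAL_IP_ALLOW_FROM` unset, any client that reaches `pveproxy` directly can put an arbitrary address in that header and have it recorded as its own address in the access log, so the docs should recommend always setting `PROXY_REAL_IP_ALLOW_FROM` to the proxy's address(es) whenever a header is configured. Two smaller points: "a HTTP header" reads better as "an HTTP header", and because the server hands the whole header value to `Net::IP->new` (patch 2/3), a comma-separated `X-Forwarded-For` chain produced by nested proxies (`client, proxy1`) counts as an invalid value and is ignored; saying so next to "Any invalid values passed in this header will be ignored." would save users some debugging.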
--
2.39.5
* [pve-devel] [PATCH http-server v2 2/3] fix #5699: pveproxy: add library methods for real IP support
From: Thomas Skinner @ 2024-12-12 3:27 UTC (permalink / raw)
To: pve-devel; +Cc: Thomas Skinner
Signed-off-by: Thomas Skinner <thomas@atskinner.net>
---
src/PVE/APIServer/AnyEvent.pm | 38 ++++++++++++++++++++++++++++++++++-
src/PVE/APIServer/Utils.pm | 15 ++++++++++++++
2 files changed, 52 insertions(+), 1 deletion(-)
diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index 24209a1..5f15a13 100644
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -92,13 +92,14 @@ sub log_request {
$loginfo->{written} = 1;
my $peerip = $reqstate->{peer_host} || '-';
+ my $realip = $loginfo->{real_ip} || $peerip;
my $userid = $loginfo->{userid} || '-';
my $content_length = defined($loginfo->{content_length}) ? $loginfo->{content_length} : '-';
my $code = $loginfo->{code} || 500;
my $requestline = $loginfo->{requestline} || '-';
my $timestr = strftime("%d/%m/%Y:%H:%M:%S %z", localtime());
- my $msg = "$peerip - $userid [$timestr] \"$requestline\" $code $content_length\n";
+ my $msg = "$realip - $userid [$timestr] \"$requestline\" $code $content_length\n";
$self->write_log($msg);
}
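Review bot: with `my $realip = $loginfo->{real_ip} || $peerip;` the address that actually opened the connection is no longer written to the access log whenever a forwarded address is accepted, so after the fact there is no record of which proxy vouched for that line; the only trace of the peer is the debug print in `check_allowed_proxy`. Given the v1 feedback to keep the log format unchanged this is probably acceptable, but the docs should state that the logged address is the header value and not the peer, and a debug-level line recording both `$peerip` and `$realip` when they differ would help when reconciling proxy and pveproxy logs.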
@@ -1474,6 +1475,18 @@ sub authenticate_and_handle_request {
my $auth = {};
+ if (my $proxy_real_ip_header = $self->{proxy_real_ip_header}) {
+ if (my $proxy_real_ip_value = $request->header($proxy_real_ip_header)) {
+ my $real_ip = Net::IP->new($proxy_real_ip_value);
+ if (defined($real_ip) && $self->check_allowed_proxy($reqstate->{peer_host})) {
+ $reqstate->{log}->{real_ip} = Net::IP::ip_compress_address(
+ $real_ip->ip(),
+ $real_ip->version(),
+ );
+ }
+ }
+ }
+
if ($self->{spiceproxy}) {
my $connect_str = $request->header('Host');
my ($vmid, $node, $port) = $self->verify_spice_connect_url($connect_str);
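Review bot: the untrusted header value is parsed before the peer is checked; running `$self->check_allowed_proxy($reqstate->{peer_host})` first and only then calling `Net::IP->new` avoids parsing attacker-controlled input on connections whose header would be discarded anyway. More importantly, `Net::IP->new` accepts prefixes and ranges (`10.0.0.0/8`, `10.0.0.1 - 10.0.0.9`) and `$real_ip->ip()` then returns the first address of that block, so such a value would be logged as a plausible single host; rejecting anything that is not a single address (for example requiring `$real_ip->size() == 1`, or checking `$real_ip->prefixlen()` against 32/128) keeps the log entry honest. Finally, a multi-hop `X-Forwarded-For` value (`client, proxy1`) fails to parse and is silently dropped, so either split on comma and pick the element the deployment trusts, or document that only single-address headers are supported.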
@@ -1813,6 +1826,29 @@ sub check_host_access {
return $match_allow;
}
+sub check_allowed_proxy {
+ my ($self, $client_ip) = @_;
+
+ $client_ip = PVE::APIServer::Utils::normalize_v4_in_v6($client_ip);
+ my $client_ip_object = Net::IP->new($client_ip);
+
+ if (!$client_ip_object) {
+ $self->dprint("client IP not parsable: $@");
+ return 0;
+ }
+
+ if (my $proxy_real_ip_allow_from = $self->{proxy_real_ip_allow_from}) {
+ for my $allowed_net ($proxy_real_ip_allow_from->@*) {
+ if ($allowed_net->overlaps($client_ip_object)) {
+ $self->dprint("client IP in allowed proxies: ". $allowed_net->print());
+ return 1;
+ }
+ }
+ return 0;
+ }
+ return 1;
+}
+
sub accept_connections {
my ($self) = @_;
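Review bot: `$self->dprint("client IP not parsable: $@");` will print an empty or stale `$@`, because `Net::IP->new` returns undef on failure and reports the reason through `Net::IP::Error()` rather than dying; the `read_proxy_config` hunk in this same patch already uses `Net::IP::Error()`, so use it here as well. The `overlaps` test works as written (it returns 0 only for no overlap and a non-zero code for partial, contained or identical), but comparing against `$IP_NO_OVERLAP` explicitly would make the intent clearer than relying on truthiness. Note also that the final `return 1;` makes an unset `proxy_real_ip_allow_from` mean "trust every peer"; that matches the docs, but it is the permissive default and deserves a comment here.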
diff --git a/src/PVE/APIServer/Utils.pm b/src/PVE/APIServer/Utils.pm
index 5728d97..75f72a1 100644
--- a/src/PVE/APIServer/Utils.pm
+++ b/src/PVE/APIServer/Utils.pm
@@ -26,6 +26,8 @@ sub read_proxy_config {
$shcmd .= 'echo \"COMPRESSION:\$COMPRESSION\";';
$shcmd .= 'echo \"DISABLE_TLS_1_2:\$DISABLE_TLS_1_2\";';
$shcmd .= 'echo \"DISABLE_TLS_1_3:\$DISABLE_TLS_1_3\";';
+ $shcmd .= 'echo \"PROXY_REAL_IP_HEADER:\$PROXY_REAL_IP_HEADER\";';
+ $shcmd .= 'echo \"PROXY_REAL_IP_ALLOW_FROM:\$PROXY_REAL_IP_ALLOW_FROM\";';
my $data = -f $conffile ? `bash -c "$shcmd"` : '';
@@ -65,6 +67,19 @@ sub read_proxy_config {
$res->{$key} = $value;
} elsif ($key eq 'TLS_KEY_FILE') {
$res->{$key} = $value;
+ } elsif ($key eq 'PROXY_REAL_IP_HEADER') {
+ $res->{$key} = $value;
+ } elsif ($key eq 'PROXY_REAL_IP_ALLOW_FROM') {
+ my $ips = [];
+ for my $ip (split(/,/, $value)) {
+ if ($ip eq 'all') {
+ push @$ips, Net::IP->new('0/0') || die Net::IP::Error() . "\n";
+ push @$ips, Net::IP->new('::/0') || die Net::IP::Error() . "\n";
+ next;
+ }
+ push @$ips, Net::IP->new(normalize_v4_in_v6($ip)) || die Net::IP::Error() . "\n";
+ }
+ $res->{$key} = $ips;
} elsif (grep { $key eq $_ } @$boolean_options) {
die "unknown value '$value' - use 0 or 1\n" if $value !~ m/^(0|1)$/;
$res->{$key} = $value;
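Review bot: `split(/,/, $value)` passes any whitespace around the entries straight to `Net::IP->new`, so a value such as `"192.168.0.2, 192.168.0.3"` depends on `Net::IP`'s own whitespace handling to avoid hitting the `die`; trimming each element explicitly (`s/^\s+|\s+$//g`) or splitting on `/\s*,\s*/` makes the accepted syntax unambiguous. Since the `die` aborts pveproxy startup, its message should also name the `PROXY_REAL_IP_ALLOW_FROM` key and the offending entry rather than only `Net::IP::Error()`, so the cause is obvious in the journal.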
--
2.39.5
* [pve-devel] [PATCH manager v2 3/3] fix #5699: pveproxy: add settings for real IP support
From: Thomas Skinner @ 2024-12-12 3:27 UTC (permalink / raw)
To: pve-devel; +Cc: Thomas Skinner
Signed-off-by: Thomas Skinner <thomas@atskinner.net>
---
PVE/Service/pveproxy.pm | 2 ++
1 file changed, 2 insertions(+)
diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
index ac108545..df3601bd 100755
--- a/PVE/Service/pveproxy.pm
+++ b/PVE/Service/pveproxy.pm
@@ -115,6 +115,8 @@ sub init {
honor_cipher_order => $proxyconf->{HONOR_CIPHER_ORDER},
},
compression => $proxyconf->{COMPRESSION},
+ proxy_real_ip_header => $proxyconf->{PROXY_REAL_IP_HEADER},
+ proxy_real_ip_allow_from => $proxyconf->{PROXY_REAL_IP_ALLOW_FROM},
# Note: there is no authentication for those pages and dirs!
pages => {
'/' => sub { get_index($self->{nodename}, @_) },
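Review bot: both options are passed through unconditionally, and with `proxy_real_ip_allow_from` undefined `check_allowed_proxy` (patch 2/3) returns 1 for every peer, so merely setting `PROXY_REAL_IP_HEADER` makes the header honoured from any client that can reach pveproxy. Consider defaulting `proxy_real_ip_allow_from` to an empty list (trust nobody) so the administrator has to list the proxy explicitly, or at least emit a warning at `init` when the header is configured without an allow list.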
--
2.39.5
* [pve-devel] applied-series: [PATCH SERIES manager/http-server/docs v2 0/3] fix #5699: add support for real IP
From: Fabian Grünbichler @ 2025-01-24 8:53 UTC (permalink / raw)
To: Proxmox VE development discussion; +Cc: Thomas Skinner
thanks!
On December 12, 2024 4:27 am, Thomas Skinner wrote:
> This v2 patch series continues adding support for setting an HTTP header for passing through a client IP
> address for logging purposes.
>
> Changes since v1:
> * fixed styling issues
> * renamed fields to clearer, more appropriate names
> * adjusted logging format back to previous, made option opt-in
>
>
> pve-docs:
>
> Thomas Skinner (1):
> fix #5699: pveproxy: add docs for real IP support
>
> pveproxy.adoc | 29 +++++++++++++++++++++++++++++
> 1 file changed, 29 insertions(+)
>
>
> pve-http-server:
>
> Thomas Skinner (1):
> fix #5699: pveproxy: add library methods for real IP support
>
> src/PVE/APIServer/AnyEvent.pm | 38 ++++++++++++++++++++++++++++++++++-
> src/PVE/APIServer/Utils.pm | 15 ++++++++++++++
> 2 files changed, 52 insertions(+), 1 deletion(-)
>
>
> pve-manager:
>
> Thomas Skinner (1):
> fix #5699: pveproxy: add settings for real IP support
>
> PVE/Service/pveproxy.pm | 2 ++
> 1 file changed, 2 insertions(+)
>
> --
> 2.39.5
>
>