* [pve-devel] [RFC http-server manager 0/2] fix #2997: allow setting BIND_IP for proxy
From: Oguz Bektas @ 2021-02-10 16:01 UTC (permalink / raw)
To: pve-devel
maybe a simple approach like this is okay?
can also be called "LISTEN_IP" or similar
pve-manager:
Oguz Bektas (1):
proxy: allow setting BIND_IP for pveproxy
PVE/Service/pveproxy.pm | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
pve-http-server:
Oguz Bektas (1):
utils: add BIND_IP option in /etc/default/pveproxy
PVE/APIServer/Utils.pm | 3 +++
1 file changed, 3 insertions(+)
--
2.20.1
* [pve-devel] [RFC 1/2 http-server] utils: add BIND_IP option in /etc/default/pveproxy
From: Oguz Bektas @ 2021-02-10 16:01 UTC (permalink / raw)
To: pve-devel
to allow setting arbitrary IP address to listen on
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
PVE/APIServer/Utils.pm | 3 +++
1 file changed, 3 insertions(+)
diff --git a/PVE/APIServer/Utils.pm b/PVE/APIServer/Utils.pm
index e843e5f..94bacb8 100644
--- a/PVE/APIServer/Utils.pm
+++ b/PVE/APIServer/Utils.pm
@@ -14,6 +14,7 @@ sub read_proxy_config {
# Note: evaluate with bash
my $shcmd = ". $conffile;\n";
+ $shcmd .= 'echo \"BIND_IP:\$BIND_IP\";';
$shcmd .= 'echo \"ALLOW_FROM:\$ALLOW_FROM\";';
$shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
$shcmd .= 'echo \"POLICY:\$POLICY\";';
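Review bot: the added `echo \"BIND_IP:\$BIND_IP\"` line emits the value in the same `KEY:value` form as the other options, but an IPv6 bind address itself contains colons. The code that splits these lines is outside the visible context, so please confirm it splits on the first colon only; otherwise an IPv6 value would be cut short or rejected. The diffstat shows only Utils.pm changing, so the new option also still needs documenting next to ALLOW_FROM, DENY_FROM and POLICY.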
@@ -36,6 +37,8 @@ sub read_proxy_config {
push @$ips, Net::IP->new($ip) || die Net::IP::Error() . "\n";
}
$res->{$key} = $ips;
+ } elsif ($key eq 'BIND_IP') {
+ $res->{$key} = $value;
} elsif ($key eq 'POLICY') {
die "unknown policy '$value'\n" if $value !~ m/^(allow|deny)$/;
$res->{$key} = $value;
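Review bot: the new `BIND_IP` branch stores `$value` with no validation, while the neighbouring branches parse addresses with `Net::IP->new($ip) || die ...` and check POLICY against `m/^(allow|deny)$/`. Validate the address here in the same way, so that a typo in /etc/default/pveproxy fails with a clear message when the config is read rather than later at socket creation. Please also decide what an unset variable should produce: the echo added in the first hunk prints `BIND_IP:` even when nothing is configured, and if that reaches this branch as an empty string it should be skipped so the key stays undefined.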
--
2.20.1
* [pve-devel] [RFC 2/2 manager] proxy: allow setting BIND_IP for pveproxy
From: Oguz Bektas @ 2021-02-10 16:01 UTC (permalink / raw)
To: pve-devel
default to 0.0.0.0 to preserve backwards behavior
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
PVE/Service/pveproxy.pm | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
index 571a6bf5..ce1d42a6 100755
--- a/PVE/Service/pveproxy.pm
+++ b/PVE/Service/pveproxy.pm
@@ -70,7 +70,8 @@ sub init {
die "unable to open lock file '${accept_lock_fn}' - $!\n";
my $family = PVE::Tools::get_host_address_family($self->{nodename});
- my $socket = $self->create_reusable_socket(8006, undef, $family);
+ my $bind_ip = $proxyconf->{BIND_IP} // '0.0.0.0'; # default
+ my $socket = $self->create_reusable_socket(8006, $bind_ip, $family);
my $dirs = {};
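Review bot: the `'0.0.0.0'` fallback on the new `$bind_ip` line is an IPv4 literal, whereas `$family` on the line above comes from `get_host_address_family($self->{nodename})` and the removed call passed `undef` as the address. On a node whose family resolves to IPv6 the default would disagree with the family, and the commit message's "preserve backwards behavior" only holds if `create_reusable_socket` treats `undef` and `'0.0.0.0'` identically, which is not visible in this hunk. Keeping `undef` as the default (`my $bind_ip = $proxyconf->{BIND_IP};`) sidesteps the question, and the `# default` comment could then say what an unset BIND_IP means.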
--
2.20.1
* Re: [pve-devel] [RFC 2/2 manager] proxy: allow setting BIND_IP for pveproxy
From: Stoiko Ivanov @ 2021-02-10 16:20 UTC (permalink / raw)
To: Oguz Bektas; +Cc: Proxmox VE development discussion
Thanks for looking into this!
On Wed, 10 Feb 2021 17:01:42 +0100
Oguz Bektas <o.bektas@proxmox.com> wrote:
> default to 0.0.0.0 to preserve backwards behavior
>
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
> PVE/Service/pveproxy.pm | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
> index 571a6bf5..ce1d42a6 100755
> --- a/PVE/Service/pveproxy.pm
> +++ b/PVE/Service/pveproxy.pm
> @@ -70,7 +70,8 @@ sub init {
> die "unable to open lock file '${accept_lock_fn}' - $!\n";
>
> my $family = PVE::Tools::get_host_address_family($self->{nodename});
> - my $socket = $self->create_reusable_socket(8006, undef, $family);
> + my $bind_ip = $proxyconf->{BIND_IP} // '0.0.0.0'; # default
any reason why the '0.0.0.0' is necessary? (the socket got created with
undef before after all) - Given that I find the inner workings of perl
IO::Socket::IP (which gets passed the arguments in create_reusable_socket
eventually) a bit surprising in certain situations I think leaving it as
it was might have its merit
did you test it in a few different scenarios? - e.g.:
* ipv6 only host
* dual-stacked host
* host with multiple interfaces and IPs
> + my $socket = $self->create_reusable_socket(8006, $bind_ip, $family);
>
> my $dirs = {};
>
* Re: [pve-devel] [RFC http-server manager 0/2] fix #2997: allow setting BIND_IP for proxy
From: Thomas Lamprecht @ 2021-02-10 17:02 UTC (permalink / raw)
To: Proxmox VE development discussion, Oguz Bektas
On 10.02.21 17:01, Oguz Bektas wrote:
> maybe a simple approach like this is okay?
>
I'd rather go the way PBS does, just listen on really all by default.
PVE often uses multiple networks where the proxy needs to be able on more
than one, a single setting may not cut it in all setups.
It's simpler to just always listen on all and let admins restrict with FW
where required.
> can also be called "LISTEN_IP" or similar
>
> pve-manager:
>
> Oguz Bektas (1):
> proxy: allow setting BIND_IP for pveproxy
>
> PVE/Service/pveproxy.pm | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>
> pve-http-server:
>
> Oguz Bektas (1):
> utils: add BIND_IP option in /etc/default/pveproxy
>
> PVE/APIServer/Utils.pm | 3 +++
> 1 file changed, 3 insertions(+)
>
* Re: [pve-devel] [RFC 2/2 manager] proxy: allow setting BIND_IP for pveproxy
From: Oguz Bektas @ 2021-02-15 10:00 UTC (permalink / raw)
To: Stoiko Ivanov; +Cc: Proxmox VE development discussion
hi,
thanks for responding!
On Wed, Feb 10, 2021 at 05:20:59PM +0100, Stoiko Ivanov wrote:
> Thanks for looking into this!
>
> On Wed, 10 Feb 2021 17:01:42 +0100
> Oguz Bektas <o.bektas@proxmox.com> wrote:
>
> > default to 0.0.0.0 to preserve backwards behavior
> >
> > Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> > ---
> > PVE/Service/pveproxy.pm | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
> > index 571a6bf5..ce1d42a6 100755
> > --- a/PVE/Service/pveproxy.pm
> > +++ b/PVE/Service/pveproxy.pm
> > @@ -70,7 +70,8 @@ sub init {
> > die "unable to open lock file '${accept_lock_fn}' - $!\n";
> >
> > my $family = PVE::Tools::get_host_address_family($self->{nodename});
> > - my $socket = $self->create_reusable_socket(8006, undef, $family);
> > + my $bind_ip = $proxyconf->{BIND_IP} // '0.0.0.0'; # default
> any reason why the '0.0.0.0' is necessary? (the socket got created with
> undef before after all) - Given that I find the inner workings of perl
> IO::Socket::IP (which gets passed the arguments in create_reusable_socket
> eventually) a bit surprising in certain situations I think leaving it as
> it was might have its merit
after looking at it more it looks like `undef` might be better indeed.
>
> did you test it in a few different scenarios? - e.g.:
> * ipv6 only host
> * dual-stacked host
> * host with multiple interfaces and IPs
no, i've only tested ipv4 -- i'll take a look at these too
>
> > + my $socket = $self->create_reusable_socket(8006, $bind_ip, $family);
> >
> > my $dirs = {};
> >
>