From: Oguz Bektas <o.bektas@proxmox.com>
To: Thomas Lamprecht <t.lamprecht@proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH common/manager/http-server/docs] improve binding, docs and access-control for pveproxy/spiceproxy
Date: Wed, 5 May 2021 11:25:28 +0200	[thread overview]
Message-ID: <20210505092528.GA10761@gaia.proxmox.com> (raw)
In-Reply-To: <4f5cc64d-199b-1943-8ca9-0ef4daf5a0c6@proxmox.com>

hi,

> > tested the following to verify:
> >> I tested it in the following scenarios:
> >> * ipv6 disabled via kernel commandline (listen on 0.0.0.0)
> >> * ipv6 disabled via sysctl (listen on 0.0.0.0)
> >> * no settings dual-stacked (listen on *)
> >> * no settings v6 only (listen on *)
> >>
> > and tested some scenarios also with ALLOW_FROM and LISTEN_IP.
> 
> Please list what scenarios you actually tested, else a T-b tag is not really
> telling... I mean, you said you tested the patches you send too, but obv. not in
> IPv6 disable setups, so having the actual list of things here can really help.
> 
> If unsure, check out how Dominic reports such things, those are always good,
> concise but not leaving out interesting (test scenario/setup) details.
> 
> For example,
> https://lists.proxmox.com/pipermail/pve-devel/2021-March/047375.html
> https://lists.proxmox.com/pipermail/pve-devel/2021-April/047827.html
> 


i tested the /etc/default/pveproxy combined with the previously
mentioned scenarios and the following settings:


----
ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"
----
----
LISTEN_IP="pve-dev-machine.proxmox.com"
ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"
----

1.2.3.4 here is my workstation IP
----
LISTEN_IP="pve-dev-machine.proxmox.com"
ALLOW_FROM="1.2.3.4"
DENY_FROM="all"
POLICY="allow"
----

----
ALLOW_FROM="1.2.3.4"
DENY_FROM="all"
POLICY="allow"
----

to check i used:
$ systemctl restart pvedaemon pveproxy spiceproxy
$ ss -antlp | grep -E '(8006|3128)'

and the results match for the scenarios that stoiko mentioned.

to test ACLs from my workstation i used curl.

> > 
> > it's also worth noting that disabling ipv6 in the commandline will
> > change the access.log format to show the standard IPv4 address instead
> > of the mapped v6 address.
> 
> good note, could have been used in the new "Disabling IPv6 on the Node" docs
> section Stoiko adds.
> 
> Updating https://pve.proxmox.com/wiki/Fail2ban could help too, or did you
> already check if mapped notation works there too just fine with the config
> proposal from the wiki?


for fail2ban i followed the wiki steps, the configuration works also for
the v4 to v6 mapped addresses:

$ grep 'authentication failure' /var/log/daemon.log
May  5 11:17:08 pve-dev-machine pvedaemon[4120]: authentication failure;
rhost=1.2.3.4 user=root@pam msg=Authentication failure
May  5 11:19:08 pve-dev-machine pvedaemon[1831]: authentication failure;
rhost=::ffff:1.2.3.4 user=root@pam msg=Authentication failure

$ fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf
...
Results
=======

Failregex: 2 total
|-  #) [# of hits] regular expression
|   1) [2] pvedaemon\[.*authentication failure; rhost=<HOST> user=.*
msg=.*
`-


all seems to work with both (dual stack) ipv6 and v4-only setups
(disabled via kernel cmdline and/or sysctl), i will update the fail2ban
page to mention the last test was with 6.4

cheers,
oguz
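The two things exercised in this mail, matching v4-mapped-v6 client addresses against the ALLOW_FROM/DENY_FROM lists and extracting rhost from the pvedaemon authentication-failure lines for fail2ban, can be reproduced offline with a small model. The following Python is an added example, not code from the patch series, from pve-http-server or from the fail2ban wiki page. It assumes the access-control semantics described in the pveproxy documentation (match allow only: allow; match deny only: deny; no match or both: POLICY decides) and the "all" alias meaning 0/0 plus ::/0; the log lines are constructed, modelled on the ones quoted above, and the hostname-free rhost capture is a simplification of fail2ban's <HOST> placeholder.

```python
import ipaddress
import re

# Constructed sample log, modelled on the daemon.log lines quoted in the mail.
SAMPLE_LOG = """\
May  5 11:17:08 pve-dev-machine pvedaemon[4120]: authentication failure; rhost=1.2.3.4 user=root@pam msg=Authentication failure
May  5 11:19:08 pve-dev-machine pvedaemon[1831]: authentication failure; rhost=::ffff:1.2.3.4 user=root@pam msg=Authentication failure
May  5 11:20:00 pve-dev-machine pvedaemon[1831]: authentication failure; rhost=2001:db8::10 user=root@pam msg=Authentication failure
May  5 11:21:00 pve-dev-machine pvedaemon[1831]: successful auth for user 'root@pam'
"""

# Same shape as the failregex in the wiki's proxmox.conf; fail2ban's <HOST> is
# replaced by a plain non-space capture (assumption: rhost is always an address).
AUTH_FAIL_RE = re.compile(
    r"pvedaemon\[.*authentication failure; rhost=(?P<host>\S+) user=.*msg=.*"
)


def normalize_host(host: str) -> str:
    """Canonical form of a client address: ::ffff:a.b.c.d collapses to a.b.c.d.

    This is the step that makes a dual-stack listener (where v4 clients show up
    as v4-mapped-v6 addresses) behave like a v4-only one for ACLs and bans.
    """
    addr = ipaddress.ip_address(host)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def failed_hosts(log_text: str) -> dict:
    """Count authentication failures per normalized client address."""
    counts = {}
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.search(line)
        if m:
            host = normalize_host(m.group("host"))
            counts[host] = counts.get(host, 0) + 1
    return counts


def parse_ip_list(spec: str) -> list:
    """Parse an ALLOW_FROM/DENY_FROM value: comma-separated addresses, CIDRs,
    lo-hi ranges, or the alias 'all' (assumed to mean 0/0 and ::/0)."""
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item == "all":
            nets += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        elif "-" in item:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
            nets += list(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def matches(host: str, nets: list) -> bool:
    """True if the normalized client address falls into any listed network.
    Membership across address families is always False in ipaddress."""
    addr = ipaddress.ip_address(normalize_host(host))
    return any(addr in n for n in nets)


def is_allowed(host: str, allow_from: str, deny_from: str, policy: str = "allow") -> bool:
    """Decision table assumed from the pveproxy docs:
    allow-only match -> allow, deny-only match -> deny,
    no match or both match -> POLICY decides."""
    allowed = matches(host, parse_ip_list(allow_from))
    denied = matches(host, parse_ip_list(deny_from))
    if allowed and not denied:
        return True
    if denied and not allowed:
        return False
    return policy == "allow"


if __name__ == "__main__":
    print(failed_hosts(SAMPLE_LOG))
    for client in ("1.2.3.4", "::ffff:1.2.3.4", "::ffff:5.6.7.8", "2001:db8::10"):
        print(client, "->", is_allowed(client, "1.2.3.4", "all", "allow"))
```

With the workstation listed in ALLOW_FROM and DENY_FROM="all", the mapped form of the same workstation address is still admitted and every other v4 or v6 client is rejected, which is the behaviour the http-server patches in this series are about; without the normalization step (and with "all" meaning only 0/0) a v4-mapped-v6 client would silently fall through to the policy default.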



