* [pbs-devel] [PATCH proxmox-backup v4 0/3] close #3612: allow config of SSL cipher-suites for proxy
@ 2022-01-11 11:39 Hannes Laimer
2022-01-11 11:39 ` [pbs-devel] [PATCH proxmox-backup v4 1/3] config: add tls ciphers to NodeConfig Hannes Laimer
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Hannes Laimer @ 2022-01-11 11:39 UTC (permalink / raw)
To: pbs-devel
Cannot be configured in the WebUI, only through proxmox-backup-manager,
api or in the config file directly(not recommended). For changes to take
effect the proxy has to be restarted.
Since the string can be rather long and I assume most of the time the
defaults are used, it is not in the WebUI.
v2:
- allow setting for TLSv1.3 and TLS <= 1.2 individually
v3:
- add proper regex
v4:
- renaming variables
Hannes Laimer (3):
config: add tls ciphers to NodeConfig
proxy: use ciphers from config if set
api2: make tls ciphers updatable
pbs-api-types/src/lib.rs | 41 +++++++++++++++++++++++++++++++++
src/api2/node/config.rs | 8 +++++++
src/bin/proxmox-backup-proxy.rs | 10 ++++++++
src/config/node.rs | 26 ++++++++++++++++++++-
4 files changed, 84 insertions(+), 1 deletion(-)
--
2.30.2
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pbs-devel] [PATCH proxmox-backup v4 1/3] config: add tls ciphers to NodeConfig
2022-01-11 11:39 [pbs-devel] [PATCH proxmox-backup v4 0/3] close #3612: allow config of SSL cipher-suites for proxy Hannes Laimer
@ 2022-01-11 11:39 ` Hannes Laimer
2022-01-11 11:39 ` [pbs-devel] [PATCH proxmox-backup v4 2/3] proxy: use ciphers from config if set Hannes Laimer
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Hannes Laimer @ 2022-01-11 11:39 UTC (permalink / raw)
To: pbs-devel
for TLS 1.3 and for TLS <= 1.2
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
pbs-api-types/src/lib.rs | 41 ++++++++++++++++++++++++++++++++++++++++
src/config/node.rs | 26 ++++++++++++++++++++++++-
2 files changed, 66 insertions(+), 1 deletion(-)
diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index 0a0dd33d..4673fc3b 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -100,6 +100,20 @@ mod local_macros {
macro_rules! DNS_ALIAS_NAME {
() => (concat!(r"(?:(?:", DNS_ALIAS_LABEL!() , r"\.)*", DNS_ALIAS_LABEL!(), ")"))
}
+ macro_rules! OPENSSL_CIPHERSUITE_RE {
+ () => (
+ r"TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_128_CCM_8_SHA256|TLS_AES_128_CCM_SHA256"
+ )
+ }
+ macro_rules! OPENSSL_CIPHER_STRING_RE {
+ () => (concat!(
+ r"([!\-+]?(COMPLEMENTOFDEFAULT|ALL|COMPLEMENTOFALL|HIGH|MEDIUM|LOW|[ae]?NULL|[ka]?RSA|",
+ "kDH[rdE]?|kEDH|DHE?|EDH|ADH|kEECDH|kECDHE|ECDH|ECDHE|EECDH|AECDH|a?DSS|aDH|a?ECDSA|",
+ "SSLv3|AES(128|256)?|GCM|AESGCM|AESCCM|AESCCM8|ARIA(128|256)?|CAMELLIA(128|256)?|",
+ "CHACHA20|3?DES|RC[24]|IDEA|SEED|MD5|SHA(1|256|384)?|aGOST(01)?|kGOST|GOST94|GOST89MAC|",
+ "[ak]?PSK|kECDHEPSK|kDHEPSK|kRSAPSK|SUITEB(128|128ONLY|192)?|CBC3?|POLY1305))+"
+ ))
+ }
}
const_regex! {
@@ -124,6 +138,22 @@ const_regex! {
pub FINGERPRINT_SHA256_REGEX = r"^(?:[0-9a-fA-F][0-9a-fA-F])(?::[0-9a-fA-F][0-9a-fA-F]){31}$";
+ pub OPENSSL_CIPHERS_TLS_1_2_REGEX = concat!(
+ r"^((",
+ OPENSSL_CIPHER_STRING_RE!(),
+ ")([: ,](",
+ OPENSSL_CIPHER_STRING_RE!(),
+ "))*)$"
+ );
+
+ pub OPENSSL_CIPHERS_TLS_1_3_REGEX = concat!(
+ r"^((",
+ OPENSSL_CIPHERSUITE_RE!(),
+ ")(:(",
+ OPENSSL_CIPHERSUITE_RE!(),
+ "))*)$"
+ );
+
/// Regex for safe identifiers.
///
/// This
@@ -160,6 +190,9 @@ pub const BLOCKDEVICE_NAME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&B
pub const SUBSCRIPTION_KEY_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&SUBSCRIPTION_KEY_REGEX);
pub const SYSTEMD_DATETIME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&SYSTEMD_DATETIME_REGEX);
pub const HOSTNAME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&HOSTNAME_REGEX);
+pub const OPENSSL_CIPHERS_TLS_1_2_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&OPENSSL_CIPHERS_TLS_1_2_REGEX);
+pub const OPENSSL_CIPHERS_TLS_1_3_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&OPENSSL_CIPHERS_TLS_1_3_REGEX);
+
pub const DNS_ALIAS_FORMAT: ApiStringFormat =
ApiStringFormat::Pattern(&DNS_ALIAS_REGEX);
@@ -189,6 +222,14 @@ pub const HOSTNAME_SCHEMA: Schema = StringSchema::new("Hostname (as defined in R
.format(&HOSTNAME_FORMAT)
.schema();
+pub const OPENSSL_CIPHERS_TLS_1_2_SCHEMA: Schema = StringSchema::new("OpenSSL cipher string list used by the proxy for TLS <= 1.2")
+ .format(&OPENSSL_CIPHERS_TLS_1_2_FORMAT)
+ .schema();
+
+pub const OPENSSL_CIPHERS_TLS_1_3_SCHEMA: Schema = StringSchema::new("OpenSSL ciphersuites list used by the proxy for TLSv1.3")
+ .format(&OPENSSL_CIPHERS_TLS_1_3_FORMAT)
+ .schema();
+
pub const DNS_NAME_FORMAT: ApiStringFormat =
ApiStringFormat::Pattern(&DNS_NAME_REGEX);
diff --git a/src/config/node.rs b/src/config/node.rs
index 4f2ab029..3f7adb1a 100644
--- a/src/config/node.rs
+++ b/src/config/node.rs
@@ -1,5 +1,6 @@
use std::collections::HashSet;
+use openssl::ssl::{SslAcceptor, SslMethod};
use anyhow::{bail, Error};
use serde::{Deserialize, Serialize};
@@ -7,7 +8,7 @@ use proxmox_schema::{api, ApiStringFormat, ApiType, Updater};
use proxmox_http::ProxyConfig;
-use pbs_api_types::EMAIL_SCHEMA;
+use pbs_api_types::{EMAIL_SCHEMA, OPENSSL_CIPHERS_TLS_1_2_SCHEMA, OPENSSL_CIPHERS_TLS_1_3_SCHEMA};
use pbs_buildcfg::configdir;
use pbs_config::{open_backup_lockfile, BackupLockGuard};
@@ -91,6 +92,14 @@ pub struct AcmeConfig {
schema: EMAIL_SCHEMA,
optional: true,
},
+ "ciphers-tls13": {
+ schema: OPENSSL_CIPHERS_TLS_1_3_SCHEMA,
+ optional: true,
+ },
+ "ciphers-tls12": {
+ schema: OPENSSL_CIPHERS_TLS_1_2_SCHEMA,
+ optional: true,
+ },
},
)]
#[derive(Deserialize, Serialize, Updater)]
@@ -121,6 +130,14 @@ pub struct NodeConfig {
#[serde(skip_serializing_if = "Option::is_none")]
pub email_from: Option<String>,
+
+ /// List of SSL ciphers for tls 1.3 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub ciphers_tls13: Option<String>,
+
+ /// List of SSL ciphers for tls <= 1.2 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub ciphers_tls12: Option<String>,
}
impl NodeConfig {
@@ -172,6 +189,13 @@ impl NodeConfig {
bail!("duplicate domain '{}' in ACME config", domain.domain);
}
}
+ let mut dummy_acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
+ if let Some(ciphers) = self.ciphers_tls13.as_deref() {
+ dummy_acceptor.set_ciphersuites(ciphers)?;
+ }
+ if let Some(ciphers) = self.ciphers_tls12.as_deref() {
+ dummy_acceptor.set_cipher_list(ciphers)?;
+ }
Ok(())
}
--
2.30.2
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pbs-devel] [PATCH proxmox-backup v4 2/3] proxy: use ciphers from config if set
2022-01-11 11:39 [pbs-devel] [PATCH proxmox-backup v4 0/3] close #3612: allow config of SSL cipher-suites for proxy Hannes Laimer
2022-01-11 11:39 ` [pbs-devel] [PATCH proxmox-backup v4 1/3] config: add tls ciphers to NodeConfig Hannes Laimer
@ 2022-01-11 11:39 ` Hannes Laimer
2022-01-11 11:39 ` [pbs-devel] [PATCH proxmox-backup v4 3/3] api2: make tls ciphers updatable Hannes Laimer
2022-01-14 10:30 ` [pbs-devel] applied-series: [PATCH proxmox-backup v4 0/3] close #3612: allow config of SSL cipher-suites for proxy Fabian Grünbichler
3 siblings, 0 replies; 5+ messages in thread
From: Hannes Laimer @ 2022-01-11 11:39 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
src/bin/proxmox-backup-proxy.rs | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs
index 903dd9bc..909a4b41 100644
--- a/src/bin/proxmox-backup-proxy.rs
+++ b/src/bin/proxmox-backup-proxy.rs
@@ -342,7 +342,17 @@ fn make_tls_acceptor() -> Result<SslAcceptor, Error> {
let key_path = configdir!("/proxy.key");
let cert_path = configdir!("/proxy.pem");
+ let (config, _) = proxmox_backup::config::node::config()?;
+ let ciphers_tls13 = config.ciphers_tls13;
+ let ciphers_tls12 = config.ciphers_tls12;
+
let mut acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
+ if let Some(ciphers) = ciphers_tls13.as_deref() {
+ acceptor.set_ciphersuites(ciphers)?;
+ }
+ if let Some(ciphers) = ciphers_tls12.as_deref() {
+ acceptor.set_cipher_list(ciphers)?;
+ }
acceptor.set_private_key_file(key_path, SslFiletype::PEM)
.map_err(|err| format_err!("unable to read proxy key {} - {}", key_path, err))?;
acceptor.set_certificate_chain_file(cert_path)
--
2.30.2
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pbs-devel] [PATCH proxmox-backup v4 3/3] api2: make tls ciphers updatable
2022-01-11 11:39 [pbs-devel] [PATCH proxmox-backup v4 0/3] close #3612: allow config of SSL cipher-suites for proxy Hannes Laimer
2022-01-11 11:39 ` [pbs-devel] [PATCH proxmox-backup v4 1/3] config: add tls ciphers to NodeConfig Hannes Laimer
2022-01-11 11:39 ` [pbs-devel] [PATCH proxmox-backup v4 2/3] proxy: use ciphers from config if set Hannes Laimer
@ 2022-01-11 11:39 ` Hannes Laimer
2022-01-14 10:30 ` [pbs-devel] applied-series: [PATCH proxmox-backup v4 0/3] close #3612: allow config of SSL cipher-suites for proxy Fabian Grünbichler
3 siblings, 0 replies; 5+ messages in thread
From: Hannes Laimer @ 2022-01-11 11:39 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
src/api2/node/config.rs | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/api2/node/config.rs b/src/api2/node/config.rs
index 3f060981..3eb1da12 100644
--- a/src/api2/node/config.rs
+++ b/src/api2/node/config.rs
@@ -56,6 +56,10 @@ pub enum DeletableProperty {
http_proxy,
/// Delete the email-from property.
email_from,
+ /// Delete the ciphers-tls13 property.
+ ciphers_tls13,
+ /// Delete the ciphers-tls12 property.
+ ciphers_tls12,
}
#[api(
@@ -113,6 +117,8 @@ pub fn update_node_config(
DeletableProperty::acmedomain4 => { config.acmedomain4 = None; },
DeletableProperty::http_proxy => { config.http_proxy = None; },
DeletableProperty::email_from => { config.email_from = None; },
+ DeletableProperty::ciphers_tls13 => { config.ciphers_tls13 = None; },
+ DeletableProperty::ciphers_tls12 => { config.ciphers_tls12 = None; },
}
}
}
@@ -125,6 +131,8 @@ pub fn update_node_config(
if update.acmedomain4.is_some() { config.acmedomain4 = update.acmedomain4; }
if update.http_proxy.is_some() { config.http_proxy = update.http_proxy; }
if update.email_from.is_some() { config.email_from = update.email_from; }
+ if update.ciphers_tls13.is_some() { config.ciphers_tls13 = update.ciphers_tls13; }
+ if update.ciphers_tls12.is_some() { config.ciphers_tls12 = update.ciphers_tls12; }
crate::config::node::save_config(&config)?;
--
2.30.2
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pbs-devel] applied-series: [PATCH proxmox-backup v4 0/3] close #3612: allow config of SSL cipher-suites for proxy
2022-01-11 11:39 [pbs-devel] [PATCH proxmox-backup v4 0/3] close #3612: allow config of SSL cipher-suites for proxy Hannes Laimer
` (2 preceding siblings ...)
2022-01-11 11:39 ` [pbs-devel] [PATCH proxmox-backup v4 3/3] api2: make tls ciphers updatable Hannes Laimer
@ 2022-01-14 10:30 ` Fabian Grünbichler
3 siblings, 0 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2022-01-14 10:30 UTC (permalink / raw)
To: Proxmox Backup Server development discussion
with following follow-up, and renaming tls12/tls13 to tls-1.2/tls-1.3
(parameters/config keys) and tls_1_2/tls_1_3 (variable/field names).
commit 1d552d2dd51ed7f23b492160b4c0c3a425fdfd68
Author: Fabian Grünbichler <f.gruenbichler@proxmox.com>
AuthorDate: Thu Jan 13 10:16:15 2022 +0100
Commit: Fabian Grünbichler <f.gruenbichler@proxmox.com>
CommitDate: Fri Jan 14 11:02:07 2022 +0100
ciphers: simplify API schema
these need to be checked (and are) via libssl anyway before persisting,
and newer versions might contain new ciphers/variants/... (and things
like @STRENGTH or @SECLEVEL=n were missing).
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index 4ef8eea1..754e7b22 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -99,20 +99,6 @@ mod local_macros {
macro_rules! DNS_ALIAS_NAME {
() => (concat!(r"(?:(?:", DNS_ALIAS_LABEL!() , r"\.)*", DNS_ALIAS_LABEL!(), ")"))
}
- macro_rules! OPENSSL_CIPHERSUITE_RE {
- () => (
- r"TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_128_CCM_8_SHA256|TLS_AES_128_CCM_SHA256"
- )
- }
- macro_rules! OPENSSL_CIPHER_STRING_RE {
- () => (concat!(
- r"([!\-+]?(COMPLEMENTOFDEFAULT|ALL|COMPLEMENTOFALL|HIGH|MEDIUM|LOW|[ae]?NULL|[ka]?RSA|",
- "kDH[rdE]?|kEDH|DHE?|EDH|ADH|kEECDH|kECDHE|ECDH|ECDHE|EECDH|AECDH|a?DSS|aDH|a?ECDSA|",
- "SSLv3|AES(128|256)?|GCM|AESGCM|AESCCM|AESCCM8|ARIA(128|256)?|CAMELLIA(128|256)?|",
- "CHACHA20|3?DES|RC[24]|IDEA|SEED|MD5|SHA(1|256|384)?|aGOST(01)?|kGOST|GOST94|GOST89MAC|",
- "[ak]?PSK|kECDHEPSK|kDHEPSK|kRSAPSK|SUITEB(128|128ONLY|192)?|CBC3?|POLY1305))+"
- ))
- }
}
const_regex! {
@@ -137,21 +123,8 @@ const_regex! {
pub FINGERPRINT_SHA256_REGEX = r"^(?:[0-9a-fA-F][0-9a-fA-F])(?::[0-9a-fA-F][0-9a-fA-F]){31}$";
- pub OPENSSL_CIPHERS_TLS_1_2_REGEX = concat!(
- r"^((",
- OPENSSL_CIPHER_STRING_RE!(),
- ")([: ,](",
- OPENSSL_CIPHER_STRING_RE!(),
- "))*)$"
- );
-
- pub OPENSSL_CIPHERS_TLS_1_3_REGEX = concat!(
- r"^((",
- OPENSSL_CIPHERSUITE_RE!(),
- ")(:(",
- OPENSSL_CIPHERSUITE_RE!(),
- "))*)$"
- );
+ // just a rough check - dummy acceptor is used before persisting
+ pub OPENSSL_CIPHERS_REGEX = r"^[0-9A-Za-z_:, +!\-@=.]+$";
/// Regex for safe identifiers.
///
@@ -189,9 +162,7 @@ pub const BLOCKDEVICE_NAME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&B
pub const SUBSCRIPTION_KEY_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&SUBSCRIPTION_KEY_REGEX);
pub const SYSTEMD_DATETIME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&SYSTEMD_DATETIME_REGEX);
pub const HOSTNAME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&HOSTNAME_REGEX);
-pub const OPENSSL_CIPHERS_TLS_1_2_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&OPENSSL_CIPHERS_TLS_1_2_REGEX);
-pub const OPENSSL_CIPHERS_TLS_1_3_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&OPENSSL_CIPHERS_TLS_1_3_REGEX);
-
+pub const OPENSSL_CIPHERS_TLS_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&OPENSSL_CIPHERS_REGEX);
pub const DNS_ALIAS_FORMAT: ApiStringFormat =
ApiStringFormat::Pattern(&DNS_ALIAS_REGEX);
@@ -221,12 +192,12 @@ pub const HOSTNAME_SCHEMA: Schema = StringSchema::new("Hostname (as defined in R
.format(&HOSTNAME_FORMAT)
.schema();
-pub const OPENSSL_CIPHERS_TLS_1_2_SCHEMA: Schema = StringSchema::new("OpenSSL cipher string list used by the proxy for TLS <= 1.2")
- .format(&OPENSSL_CIPHERS_TLS_1_2_FORMAT)
+pub const OPENSSL_CIPHERS_TLS_1_2_SCHEMA: Schema = StringSchema::new("OpenSSL cipher list used by the proxy for TLS <= 1.2")
+ .format(&OPENSSL_CIPHERS_TLS_FORMAT)
.schema();
-pub const OPENSSL_CIPHERS_TLS_1_3_SCHEMA: Schema = StringSchema::new("OpenSSL ciphersuites list used by the proxy for TLSv1.3")
- .format(&OPENSSL_CIPHERS_TLS_1_3_FORMAT)
+pub const OPENSSL_CIPHERS_TLS_1_3_SCHEMA: Schema = StringSchema::new("OpenSSL ciphersuites list used by the proxy for TLS 1.3")
+ .format(&OPENSSL_CIPHERS_TLS_FORMAT)
.schema();
pub const DNS_NAME_FORMAT: ApiStringFormat =
On January 11, 2022 12:39 pm, Hannes Laimer wrote:
> Cannot be configured in the WebUI, only through proxmox-backup-manager,
> api or in the config file directly(not recommended). For changes to take
> effect the proxy has to be restarted.
>
> Since the string can be rather long and I assume most of the time the
> defaults are used, it is not in the WebUI.
>
> v2:
> - allow setting for TLSv1.3 and TLS <= 1.2 individually
>
> v3:
> - add proper regex
>
> v4:
> - renaming variables
>
> Hannes Laimer (3):
> config: add tls ciphers to NodeConfig
> proxy: use ciphers from config if set
> api2: make tls ciphers updatable
>
> pbs-api-types/src/lib.rs | 41 +++++++++++++++++++++++++++++++++
> src/api2/node/config.rs | 8 +++++++
> src/bin/proxmox-backup-proxy.rs | 10 ++++++++
> src/config/node.rs | 26 ++++++++++++++++++++-
> 4 files changed, 84 insertions(+), 1 deletion(-)
>
> --
> 2.30.2
>
>
>
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
>
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-01-14 10:30 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-11 11:39 [pbs-devel] [PATCH proxmox-backup v4 0/3] close #3612: allow config of SSL cipher-suites for proxy Hannes Laimer
2022-01-11 11:39 ` [pbs-devel] [PATCH proxmox-backup v4 1/3] config: add tls ciphers to NodeConfig Hannes Laimer
2022-01-11 11:39 ` [pbs-devel] [PATCH proxmox-backup v4 2/3] proxy: use ciphers from config if set Hannes Laimer
2022-01-11 11:39 ` [pbs-devel] [PATCH proxmox-backup v4 3/3] api2: make tls ciphers updatable Hannes Laimer
2022-01-14 10:30 ` [pbs-devel] applied-series: [PATCH proxmox-backup v4 0/3] close #3612: allow config of SSL cipher-suites for proxy Fabian Grünbichler
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.