From: Maximiliano Sandoval
To: pve-devel@lists.proxmox.com
Date: Tue, 21 Oct 2025 12:03:25 +0200
Message-ID: <20251021100332.251697-2-m.sandoval@proxmox.com>
In-Reply-To: <20251021100332.251697-1-m.sandoval@proxmox.com>
References: <20251021100332.251697-1-m.sandoval@proxmox.com>
Subject: [pve-devel] [PATCH cluster 1/3] datacenter config: add setting for HTTP{, S} proxies

Adds a 'proxy' setting which is meant to replace 'http_proxy'. This new setting allows specifying different HTTP and HTTPS proxies for different pieces of the stack. In the UI each option would set both the HTTP and HTTPS proxies together to the same value to avoid configuration mistakes, e.g. if only one proxy is set.

The use-case this option intends to cover is a proxy which allows proxying HTTP(S) requests to the outside but will reject any connection to resources which are already in the internal network. For these cases the 'none' option would declare that no proxy should be used.

The {proxy}->{global} default key of the property string acts as a drop-in replacement for the {http_proxy} setting. However, we document that this will be used both as an HTTP and an HTTPS proxy, which was not always done for the 'http_proxy' setting.

Individual proxy configurations accept a 'none' value which says that no proxy should be used for this use-case; this takes precedence over both the new global proxy and the 'http_proxy'.

Subscriptions only need HTTPS proxies and thus we do not offer the option to set up an HTTP proxy here.

Signed-off-by: Maximiliano Sandoval
--- src/PVE/DataCenterConfig.pm | 60 +++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/src/PVE/DataCenterConfig.pm b/src/PVE/DataCenterConfig.pm index c6d56c1..57c5c1c 100644 --- a/src/PVE/DataCenterConfig.pm +++ b/src/PVE/DataCenterConfig.pm
@@ -120,6 +120,52 @@ my $notification_format = { }, }; +my $proxy_format = { + 'global' => { + default_key => 1, + optional => 1, + type => 'string', + description => "Proxy used as a fallback. It will be used when the respective component does not have a proxy defined. Will be used both as a HTTP and HTTPS proxies.", + pattern => "http://.*", + format_description => 'URL', + }, + 'http-download' => { + optional => 1, + type => 'string', + description => "HTTP proxy used for downloading ISOs and container templates. When set to 'none' no proxy will be used.", + pattern => "(http://.*|none)", + format_description => 'URL', + }, + 'https-download' => { + optional => 1, + description => "HTTPS proxy used for downloading ISOs and container templates. When set to 'none' no proxy will be used.", + type => 'string', + pattern => "(http://.*|none)", + format_description => 'URL', + }, + 'https-subscription' => { + optional => 1, + description => "HTTPS proxy used for subscription related tasks. When set to 'none' no proxy will be used.", + type => 'string', + pattern => "(http://.*|none)", + format_description => 'URL', + }, + 'http-apt' => { + optional => 1, + description => "HTTP proxy used for APT. When set to 'none' no proxy will be used.", + type => 'string', + pattern => "(http://.*|none)", + format_description => 'URL', + }, + 'https-apt' => { + optional => 1, + description => "HTTPS proxy used for APT. When set to 'none' no proxy will be used.", + type => 'string', + pattern => "(http://.*|none)", + format_description => 'URL', + }, +}; + register_standard_option( 'pve-ha-shutdown-policy', { 
@@ -352,6 +398,12 @@ my $datacenter_schema = { "Specify external http proxy which is used for downloads (example: 'http://username:password\@host:port/')", pattern => "http://.*", }, + proxy => { + optional => 1, + type => 'string', + description => "Settings for declaring HTTP and HTTPS proxies for individual components. When a specific proxy is not specied 'http_proxy' will be used instead.", + format => $proxy_format, + }, # FIXME: remove with 8.0 (add check to pve7to8!), merged into "migration" since 4.3 migration_unsecure => { optional => 1, @@ -536,6 +588,10 @@ sub parse_datacenter_config { $res->{replication} = parse_property_string($replication_format, $replication); } + if (my $proxy = $res->{proxy}) { + $res->{proxy} = parse_property_string($proxy_format, $proxy); + } + if (my $next_id = $res->{'next-id'}) { $res->{'next-id'} = parse_property_string($next_id_format, $next_id); } @@ -619,6 +675,10 @@ sub write_datacenter_config { $cfg->{replication} = PVE::JSONSchema::print_property_string($replication, $replication_format); } + if (ref(my $proxy = $cfg->{proxy})) { + $cfg->{proxy} = PVE::JSONSchema::print_property_string($proxy, $proxy_format); + } + if (defined(my $next_id = $cfg->{'next-id'})) { $next_id = parse_property_string($next_id_format, $next_id) if !ref($next_id); -- 2.47.3 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
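
Review bot: in the $proxy_format hunk (@@ -120,6 +120,52 @@), the https-download, https-subscription and https-apt keys all use pattern => "(http://.*|none)", so the proxy itself can only be given as an http:// URL, while their descriptions say "HTTPS proxy" without stating whether that means a proxy used for HTTPS requests or a proxy reached over TLS. Please say in each description which one is meant and that the proxy URL must start with http://. The same keys set format_description => 'URL' although 'none' is also accepted, so something like 'URL|none' would describe the accepted values better. The ".*" part also accepts the 'username:password@' form shown in the existing http_proxy example; if embedded credentials are meant to be supported for the per-component proxies, the descriptions should say so, since the value then carries a secret. Minor: "Will be used both as a HTTP and HTTPS proxies" in the global description should read "as both an HTTP and an HTTPS proxy", and http-download lists type before description while the other keys list description first.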
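
Review bot: the description of the new proxy property in the $datacenter_schema hunk (@@ -352,6 +398,12 @@) does not document the lookup order the commit message describes. It only says that 'http_proxy' is used when a specific proxy is not set, and leaves out the global key and the fact that 'none' on a component overrides both. Please state the full order in the description, including where global sits relative to 'http_proxy', so an administrator can tell which proxy a component will actually use. The word "specied" in the same description should be "specified". Since the commit message says this setting is meant to replace 'http_proxy', a short pointer to proxy in the 'http_proxy' description would also help.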
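
Review bot: in the write_datacenter_config hunk (@@ -619,6 +675,10 @@), the condition if (ref(my $proxy = $cfg->{proxy})) only handles the hash form, so a proxy value that arrives as a plain string is not checked against $proxy_format in this block, whereas the next-id block directly below runs parse_property_string on non-ref values before printing. If a string value can reach this function, consider following the next-id pattern so a malformed proxy string is rejected at write time. The diffstat lists only src/PVE/DataCenterConfig.pm, so a parse/write round-trip test for proxy, including a component set to 'none', would be a useful addition to the series.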