[pve-devel] [RFC cluster/manager/storage 0/7] datacenter config: add setting for HTTP{, S} proxies

[pve-devel] [RFC cluster/manager/storage 0/7] datacenter config: add setting for HTTP{, S} proxies

[Maximiliano Sandoval]

Most of the relevant information is in the first commit.

The intention is to have an extensible and future-proof setting where different
proxies can be selected based on the connection protocol and the use-case. In a
follow-up this will be exposed in the web UI, ideally leaving most of this
complexity out, i.e. only showing the option to set up a global proxy
(HTTP+HTTPS) and allow configuring overrides for each use-case but setting both
HTTP+HTTPS simultaneously to the same value. If finer granularity (different
proxies for HTTP and HTTPS) is required then the configuration file can be
edited manually.

In follow ups the the following will be done:

 - Add more proxy overrides, e.g. for OpenID
 - Expose it in the web UI


## Testing

On a Proxmox VE host this could be tested, for example, by configuring a proxy
(e.g. squid [1]) at 10.10.10.138 and accepting 'out' traffic to the gateway
(10.10.10.1) and the proxy and dropping all traffic to ports 80 and 443.

```
$ cat /etc/pve/firewall/cluster.fw
[OPTIONS]

enable: 1

[RULES]

OUT ACCEPT -dest 10.10.10.138 -log nolog
OUT ACCEPT -dest 10.10.10.1 -log nolog
OUT DROP -p tcp -dport 443 -log nolog
OUT DROP -p tcp -dport 80 -log nolog
```

Then the config can be set via:

    pvesh set /cluster/options --proxy=http://10.10.10.139:3128,https-subscription=http://10.10.10.138:3128,http-download=none

and then, for example, one can check if the following call runs or not into a
timeout to see if the proxy is used:

    pvesubscription set $KEY

[1] https://www.squid-cache.org/

pve-cluster:

Maximiliano Sandoval (3):
  datacenter config: add setting for HTTP{,S} proxies
  datacenter config: deprecate http_proxy
  cluster: add helper to retrieve proxies

 src/PVE/Cluster.pm          | 58 +++++++++++++++++++++++++++++++++
 src/PVE/DataCenterConfig.pm | 64 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 121 insertions(+), 1 deletion(-)


pve-manager:

Maximiliano Sandoval (3):
  api: subscription: use new proxy dc option
  api: apt: use new dc proxy option
  api: nodes: use new dc proxy option

 PVE/API2/APT.pm          |  7 +++++--
 PVE/API2/Nodes.pm        | 11 ++++++++---
 PVE/API2/Subscription.pm |  4 ++--
 3 files changed, 15 insertions(+), 7 deletions(-)


pve-storage:

Maximiliano Sandoval (1):
  api: storage: status: use new dc proxy option

 src/PVE/API2/Storage/Status.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


Summary over all repositories:
  6 files changed, 138 insertions(+), 10 deletions(-)

-- 
Generated by git-murpp 0.8.1


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH cluster 1/3] datacenter config: add setting for HTTP{, S} proxies

[Maximiliano Sandoval]

Adds a 'proxy' setting which is meant to replace 'http_proxy'. This new
setting allows to specify different HTTP and HTTPS proxies for different
pieces of the stack.

In the UI each option would set both the HTTP and HTTPS proxies together
to the same value to avoid configuration mistakes, e.g. if only one
proxy is set.

The use-case this option intends to cover is a proxy which allows to
proxy HTTP(S) requests to the outside but will reject any connection to
resources which are already in the internal network, for this cases the
'none' option would declare that no proxy should be used.

The {proxy}->{global} default key of the property string acts as a
drop-in replacement for the {http_proxy} setting. However, we document
that this will be used both as a HTTP and a HTTPS proxy which was not
done always for the 'http_proxy' setting.

Individual proxy configurations accept a 'none' value that allows to say
that no proxy should be used for this use-case, this takes precedence
over both the new global proxy and the 'http_proxy'.

Subscriptions only need HTTPS proxies and thus we do not offer the
option to setup a HTTP proxy here.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 src/PVE/DataCenterConfig.pm | 60 +++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/src/PVE/DataCenterConfig.pm b/src/PVE/DataCenterConfig.pm
index c6d56c1..57c5c1c 100644
--- a/src/PVE/DataCenterConfig.pm
+++ b/src/PVE/DataCenterConfig.pm
@@ -120,6 +120,52 @@ my $notification_format = {
     },
 };
 
+my $proxy_format = {
+    'global' => {
+        default_key => 1,
+        optional => 1,
+        type => 'string',
+        description => "Proxy used as a fallback. It will be used when the respective component does not have a proxy defined. Will be used both as a HTTP and HTTPS proxies.",
+        pattern => "http://.*",
+        format_description => 'URL',
+    },
+    'http-download' => {
+        optional => 1,
+        type => 'string',
+        description => "HTTP proxy used for downloading ISOs and container templates. When set to 'none' no proxy will be used.",
+        pattern => "(http://.*|none)",
+        format_description => 'URL',
+    },
+    'https-download' => {
+        optional => 1,
+        description => "HTTPS proxy used for downloading ISOs and container templates. When set to 'none' no proxy will be used.",
+        type => 'string',
+        pattern => "(http://.*|none)",
+        format_description => 'URL',
+    },
+    'https-subscription' => {
+        optional => 1,
+        description => "HTTPS proxy used for subscription related tasks. When set to 'none' no proxy will be used.",
+        type => 'string',
+        pattern => "(http://.*|none)",
+        format_description => 'URL',
+    },
+    'http-apt' => {
+        optional => 1,
+        description => "HTTP proxy used for APT. When set to 'none' no proxy will be used.",
+        type => 'string',
+        pattern => "(http://.*|none)",
+        format_description => 'URL',
+    },
+    'https-apt' => {
+        optional => 1,
+        description => "HTTPS proxy used for APT. When set to 'none' no proxy will be used.",
+        type => 'string',
+        pattern => "(http://.*|none)",
+        format_description => 'URL',
+    },
+};
+
 register_standard_option(
     'pve-ha-shutdown-policy',
     {
@@ -352,6 +398,12 @@ my $datacenter_schema = {
                 "Specify external http proxy which is used for downloads (example: 'http://username:password\@host:port/')",
             pattern => "http://.*",
         },
+        proxy => {
+            optional => 1,
+            type => 'string',
+            description => "Settings for declaring HTTP and HTTPS proxies for individual components. When a specific proxy is not specied 'http_proxy' will be used instead.",
+            format => $proxy_format,
+        },
         # FIXME: remove with 8.0 (add check to pve7to8!), merged into "migration" since 4.3
         migration_unsecure => {
             optional => 1,
@@ -536,6 +588,10 @@ sub parse_datacenter_config {
         $res->{replication} = parse_property_string($replication_format, $replication);
     }
 
+    if (my $proxy = $res->{proxy}) {
+        $res->{proxy} = parse_property_string($proxy_format, $proxy);
+    }
+
     if (my $next_id = $res->{'next-id'}) {
         $res->{'next-id'} = parse_property_string($next_id_format, $next_id);
     }
@@ -619,6 +675,10 @@ sub write_datacenter_config {
         $cfg->{replication} = PVE::JSONSchema::print_property_string($replication, $replication_format);
     }
 
+    if (ref(my $proxy = $cfg->{proxy})) {
+        $cfg->{proxy} = PVE::JSONSchema::print_property_string($proxy, $proxy_format);
+    }
+
     if (defined(my $next_id = $cfg->{'next-id'})) {
         $next_id = parse_property_string($next_id_format, $next_id) if !ref($next_id);
 
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH cluster 2/3] datacenter config: deprecate http_proxy

[Maximiliano Sandoval]

Replaced by the 'proxy' option.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 src/PVE/DataCenterConfig.pm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/PVE/DataCenterConfig.pm b/src/PVE/DataCenterConfig.pm
index 57c5c1c..a05f307 100644
--- a/src/PVE/DataCenterConfig.pm
+++ b/src/PVE/DataCenterConfig.pm
@@ -391,11 +391,13 @@ my $datacenter_schema = {
                 'zh_TW', # Chinese (Traditional)
             ],
         },
+        # FIXME: Remove in Proxmox VE 10.0 (add check to pve9to10).
         http_proxy => {
             optional => 1,
             type => 'string',
             description =>
-                "Specify external http proxy which is used for downloads (example: 'http://username:password\@host:port/')",
+                "Deprecated, use the 'proxy' property instead.\n\n"
+                . "Specify external http proxy which is used for downloads (example: 'http://username:password\@host:port/')",
             pattern => "http://.*",
         },
         proxy => {
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH cluster 3/3] cluster: add helper to retrieve proxies

[Maximiliano Sandoval]

This will take into account the multiple layers of fallbacks and has
some rudimentary error handling.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 src/PVE/Cluster.pm | 58 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)

diff --git a/src/PVE/Cluster.pm b/src/PVE/Cluster.pm
index e829687..7e7f180 100644
--- a/src/PVE/Cluster.pm
+++ b/src/PVE/Cluster.pm
@@ -25,6 +25,7 @@ use PVE::Cluster::IPCConst;
 use base 'Exporter';
 
 our @EXPORT_OK = qw(
+    get_proxy
     cfs_read_file
     cfs_write_file
     cfs_register_file
@@ -904,4 +905,61 @@ sub cfs_backup_database {
     return $dbfile;
 }
 
+=head3 get_proxy($scalar, $scalar, $scalar)
+
+Returns the proxy to be used for a given protocol and use-case.
+
+Parameters:
+
+=over
+
+=item C<$dccfg>
+
+The datacenter's configuration.
+
+=item C<$protocol>
+
+The protocol of the connection, can be one of C<http> or C<https>.
+
+=item C<$type>
+
+The use-case for the proxy. It can one of C<apt>, C<download>, or C<subscription>.
+
+=back
+
+=cut
+
+sub get_proxy {
+    my ($dccfg, $protocol, $type) = @_;
+
+    if ($protocol ne 'http' && $protocol ne 'https') {
+        die "Unsupported protocol $protocol when obtaining a proxy\n";
+    }
+
+    my $proxy;
+
+    # This could be simplified with some f-strings, but it is intentionally left
+    # out in a verbose form to accommodate for edge cases, like subscriptions
+    # which are exclusively handled with a HTTPS proxy.
+    if ($type eq 'subscription' && $protocol eq 'https') {
+        $proxy = $dccfg->{proxy}->{'https-subscription'};
+    } elsif ($type eq 'download' && $protocol eq 'http') {
+        $proxy = $dccfg->{proxy}->{'http-download'};
+    } elsif ($type eq 'download' && $protocol eq 'https') {
+        $proxy = $dccfg->{proxy}->{'https-download'};
+    } elsif ($type eq 'apt' && $protocol eq 'http') {
+        $proxy = $dccfg->{proxy}->{'http-apt'};
+    } elsif ($type eq 'apt' && $protocol eq 'https') {
+        $proxy = $dccfg->{proxy}->{'https-apt'};
+    } else {
+        die "Unsupported type $type for protocol $protocol when obtaining a proxy\n";
+    }
+
+    $proxy //= $dccfg->{proxy}->{global};
+    $proxy //= $dccfg->{http_proxy};
+    $proxy = undef if $proxy eq 'none';
+
+    return $proxy;
+}
+
 1;
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH manager 1/3] api: subscription: use new proxy dc option

[Maximiliano Sandoval]

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 PVE/API2/Subscription.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/PVE/API2/Subscription.pm b/PVE/API2/Subscription.pm
index 59e7fe74..a810f334 100644
--- a/PVE/API2/Subscription.pm
+++ b/PVE/API2/Subscription.pm
@@ -277,7 +277,7 @@ __PACKAGE__->register_method({
         check_key($key, $req_sockets);
 
         my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
-        my $proxy = $dccfg->{http_proxy};
+        my $proxy = PVE::Cluster::get_proxy($dccfg, 'https', 'subscription');
 
         $info = Proxmox::RS::Subscription::check_subscription(
             $key, $server_id, "", "Proxmox VE", $proxy,
@@ -331,7 +331,7 @@ __PACKAGE__->register_method({
         write_etc_subscription($new_info);
 
         my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
-        my $proxy = $dccfg->{http_proxy};
+        my $proxy = PVE::Cluster::get_proxy($dccfg, 'https', 'subscription');
 
         my $checked_info = Proxmox::RS::Subscription::check_subscription(
             $key, $server_id, "", "Proxmox VE", $proxy,
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH manager 2/3] api: apt: use new dc proxy option

[Maximiliano Sandoval]

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 PVE/API2/APT.pm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/PVE/API2/APT.pm b/PVE/API2/APT.pm
index 1ccbaf97..521cee9d 100644
--- a/PVE/API2/APT.pm
+++ b/PVE/API2/APT.pm
@@ -336,8 +336,11 @@ __PACKAGE__->register_method({
             # setup proxy for apt
 
             my $aptconf = "// no proxy configured\n";
-            if ($dcconf->{http_proxy}) {
-                $aptconf = "Acquire::http::Proxy \"$dcconf->{http_proxy}\";\n";
+            if (my $http_proxy = PVE::Cluster::get_proxy($dcconf, 'http', 'apt')) {
+                $aptconf = "Acquire::http::Proxy \"$http_proxy\";\n";
+            }
+            if (my $https_proxy = PVE::Cluster::get_proxy($dcconf, 'https', 'apt')) {
+                $aptconf .= "Acquire::https::Proxy \"$https_proxy\";\n";
             }
             my $aptcfn = "/etc/apt/apt.conf.d/76pveproxy";
             PVE::Tools::file_set_contents($aptcfn, $aptconf);
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH manager 3/3] api: nodes: use new dc proxy option

[Maximiliano Sandoval]

For the 'apl_download' and the 'query_url_metadata' API endpoints.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 PVE/API2/Nodes.pm | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/PVE/API2/Nodes.pm b/PVE/API2/Nodes.pm
index 4590b618..fde8229b 100644
--- a/PVE/API2/Nodes.pm
+++ b/PVE/API2/Nodes.pm
@@ -1750,7 +1750,8 @@ __PACKAGE__->register_method({
                     hash_required => 1,
                     sha512sum => $appliance->{sha512sum},
                     md5sum => $appliance->{md5sum},
-                    http_proxy => $dccfg->{http_proxy},
+                    http_proxy => PVE::Cluster::get_proxy($dccfg, 'http', 'download'),
+                    https_proxy => PVE::Cluster::get_proxy($dccfg, 'https', 'download'),
                 },
             );
         };
@@ -1818,8 +1819,12 @@ __PACKAGE__->register_method({
         $ua->agent("Proxmox VE");
 
         my $dccfg = PVE::Cluster::cfs_read_file('datacenter.cfg');
-        if ($dccfg->{http_proxy}) {
-            $ua->proxy(['http', 'https'], $dccfg->{http_proxy});
+        if (my $http_proxy = PVE::Cluster::get_proxy($dccfg, 'http', 'download')) {
+            $ua->proxy('http', $http_proxy);
+        }
+
+        if (my $https_proxy = PVE::Cluster::get_proxy($dccfg, 'https', 'download')) {
+            $ua->proxy('https', $https_proxy);
         }
 
         my $verify = $param->{'verify-certificates'} // 1;
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

[pve-devel] [PATCH storage 1/1] api: storage: status: use new dc proxy option

[Maximiliano Sandoval]

For the 'download_url' endpoint.

Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
 src/PVE/API2/Storage/Status.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/API2/Storage/Status.pm b/src/PVE/API2/Storage/Status.pm
index 7bde4ecb..e1380e46 100644
--- a/src/PVE/API2/Storage/Status.pm
+++ b/src/PVE/API2/Storage/Status.pm
@@ -822,8 +822,8 @@ __PACKAGE__->register_method({
         my $opts = {
             hash_required => 0,
             verify_certificates => $param->{'verify-certificates'} // 1,
-            http_proxy => $dccfg->{http_proxy},
-            https_proxy => $dccfg->{http_proxy},
+            http_proxy => PVE::Cluster::get_proxy($dccfg, 'http', 'download'),
+            https_proxy => PVE::Cluster::get_proxy($dccfg, 'https', 'download'),
         };
 
         my ($checksum, $checksum_algorithm) = $param->@{ 'checksum', 'checksum-algorithm' };
-- 
2.47.3



_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel