From: "Laurențiu Leahu-Vlăducu" <l.leahu-vladucu@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [RFC cluster/manager/storage 0/7] datacenter config: add setting for HTTP{, S} proxies
Date: Wed, 25 Feb 2026 10:50:20 +0100
Message-ID: <4df8f55a-c4d1-43a2-ab8a-029fc8057851@proxmox.com>
In-Reply-To: <20251021100332.251697-1-m.sandoval@proxmox.com>

Hello,

This came up in our Enterprise support channel already, so I think
having this would make quite a few people happy.

I gave this patch series a quick spin on a test cluster of mine, using
Squid as proxy server, and everything seemed to work as expected.

Like you mentioned, adding the option to the GUI as well would be good -
depending on how many people need this, perhaps as an advanced option
(keeping the GUI simple in the general case).

Otherwise, LGTM!

Looking forward to the follow-up of this series!

On 21.10.25 12:04, Maximiliano Sandoval wrote:
> Most of the relevant information is in the first commit.
>
> The intention is to have an extensible and future-proof setting where different
> proxies can be selected based on the connection protocol and the use-case. In a
> follow-up this will be exposed in the web UI, ideally leaving most of this
> complexity out, i.e. only showing the option to set up a global proxy
> (HTTP+HTTPS) and allow configuring overrides for each use-case but setting both
> HTTP+HTTPS simultaneously to the same value. If finer granularity (different
> proxies for HTTP and HTTPS) is required then the configuration file can be
> edited manually.
>
> In follow-ups the following will be done:
>
> - Add more proxy overrides, e.g. for OpenID
> - Expose it in the web UI
>
>
> ## Testing
>
> On a Proxmox VE host this could be tested, for example, by configuring a proxy
> (e.g. squid [1]) at 10.10.10.138 and accepting 'out' traffic to the gateway
> (10.10.10.1) and the proxy and dropping all traffic to ports 80 and 443.
>
> ```
> $ cat /etc/pve/firewall/cluster.fw
> [OPTIONS]
>
> enable: 1
>
> [RULES]
>
> OUT ACCEPT -dest 10.10.10.138 -log nolog
> OUT ACCEPT -dest 10.10.10.1 -log nolog
> OUT DROP -p tcp -dport 443 -log nolog
> OUT DROP -p tcp -dport 80 -log nolog
> ```
>
> Then the config can be set via:
>
> pvesh set /cluster/options --proxy=http://10.10.10.139:3128,https-subscription=http://10.10.10.138:3128,http-download=none
>
> and then, for example, one can check whether the following call runs into a
> timeout or not to see if the proxy is used:
>
> pvesubscription set $KEY
>
> [1] https://www.squid-cache.org/
>
> pve-cluster:
>
> Maximiliano Sandoval (3):
> datacenter config: add setting for HTTP{,S} proxies
> datacenter config: deprecate http_proxy
> cluster: add helper to retrieve proxies
>
> src/PVE/Cluster.pm | 58 +++++++++++++++++++++++++++++++++
> src/PVE/DataCenterConfig.pm | 64 ++++++++++++++++++++++++++++++++++++-
> 2 files changed, 121 insertions(+), 1 deletion(-)
>
>
> pve-manager:
>
> Maximiliano Sandoval (3):
> api: subscription: use new proxy dc option
> api: apt: use new dc proxy option
> api: nodes: use new dc proxy option
>
> PVE/API2/APT.pm | 7 +++++--
> PVE/API2/Nodes.pm | 11 ++++++++---
> PVE/API2/Subscription.pm | 4 ++--
> 3 files changed, 15 insertions(+), 7 deletions(-)
>
>
> pve-storage:
>
> Maximiliano Sandoval (1):
> api: storage: status: use new dc proxy option
>
> src/PVE/API2/Storage/Status.pm | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>
> Summary over all repositories:
> 6 files changed, 138 insertions(+), 10 deletions(-)
>
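
The rule set from the quoted testing notes, modelled as an added example (not code from the patch series or from Proxmox VE): it parses the `[RULES]` section and returns the verdict for an outbound connection, to show which flows the test setup actually forces through the proxy. It assumes first-match rule evaluation and a default outbound policy of ACCEPT; the function names and the 203.0.113.10 destination are constructed for illustration.

```python
import ipaddress

# Constructed copy of the cluster.fw quoted in the testing notes.
CLUSTER_FW = """\
[OPTIONS]
enable: 1

[RULES]
OUT ACCEPT -dest 10.10.10.138 -log nolog
OUT ACCEPT -dest 10.10.10.1 -log nolog
OUT DROP -p tcp -dport 443 -log nolog
OUT DROP -p tcp -dport 80 -log nolog
"""

def parse_out_rules(text):
    """Return the OUT rules of the [RULES] section, in file order."""
    rules, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]").upper()
            continue
        tok = line.split()
        if section != "RULES" or tok[0] != "OUT":
            continue
        # Everything after the action is a run of "-option value" pairs.
        rules.append((tok[1], dict(zip(tok[2::2], tok[3::2]))))
    return rules

def verdict(rules, dest, proto, dport, default="ACCEPT"):
    """First matching rule wins (assumption); else the default policy."""
    addr = ipaddress.ip_address(dest)
    for action, opt in rules:
        if "-dest" in opt and addr not in ipaddress.ip_network(opt["-dest"]):
            continue
        if "-p" in opt and opt["-p"] != proto:
            continue
        if "-dport" in opt and int(opt["-dport"]) != dport:
            continue
        return action
    return default

if __name__ == "__main__":
    rules = parse_out_rules(CLUSTER_FW)
    for flow in [("10.10.10.138", "tcp", 3128),   # via the proxy
                 ("203.0.113.10", "tcp", 443),    # direct HTTPS
                 ("10.10.10.139", "tcp", 3128)]:  # no rule matches
        print(flow, verdict(rules, *flow))
```

Under these assumptions only direct connections to ports 80 and 443 are dropped; a flow that matches no rule is decided by the default outbound policy, so that policy determines whether anything other than the listed proxy and gateway is reachable on other ports.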