From: Laurențiu Leahu-Vlăducu
To: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [RFC cluster/manager/storage 0/7] datacenter config: add setting for HTTP{,S} proxies
Date: Wed, 25 Feb 2026 10:50:20 +0100
Message-ID: <4df8f55a-c4d1-43a2-ab8a-029fc8057851@proxmox.com>
In-Reply-To: <20251021100332.251697-1-m.sandoval@proxmox.com>
References: <20251021100332.251697-1-m.sandoval@proxmox.com>

Hello,

This came up in our Enterprise support channel already, so I think having this would make quite a few people happy.

I gave this patch series a quick spin on a test cluster of mine, using Squid as proxy server, and everything seemed to work as expected.

Like you mentioned, adding the option to the GUI as well would be good - depending on how many people need this, perhaps as an advanced option (keeping the GUI simple in the general case).

Otherwise, LGTM! Looking forward to the follow-up of this series!

On 21.10.25 12:04, Maximiliano Sandoval wrote:
> Most of the relevant information is in the first commit.
>
> The intention is to have an extensible and future-proof setting where different
> proxies can be selected based on the connection protocol and the use-case. In a
> follow-up this will be exposed in the web UI, ideally leaving most of this
> complexity out, i.e. only showing the option to set up a global proxy
> (HTTP+HTTPS) and allow configuring overrides for each use-case but setting both
> HTTP+HTTPS simultaneously to the same value. If finer granularity (different
> proxies for HTTP and HTTPS) is required then the configuration file can be
> edited manually.
>
> In follow ups the following will be done:
>
> - Add more proxy overrides, e.g. for OpenID
> - Expose it in the web UI
>
>
> ## Testing
>
> On a Proxmox VE host this could be tested, for example, by configuring a proxy
> (e.g. squid [1]) at 10.10.10.138 and accepting 'out' traffic to the gateway
> (10.10.10.1) and the proxy and dropping all traffic to ports 80 and 443.
>
> ```
> $ cat /etc/pve/firewall/cluster.fw
> [OPTIONS]
>
> enable: 1
>
> [RULES]
>
> OUT ACCEPT -dest 10.10.10.138 -log nolog
> OUT ACCEPT -dest 10.10.10.1 -log nolog
> OUT DROP -p tcp -dport 443 -log nolog
> OUT DROP -p tcp -dport 80 -log nolog
> ```
>
> Then the config can be set via:
>
>     pvesh set /cluster/options --proxy=http://10.10.10.139:3128,https-subscription=http://10.10.10.138:3128,http-download=none
>
> and then, for example, one can check if the following call runs or not into a
> timeout to see if the proxy is used:
>
>     pvesubscription set $KEY
>
> [1] https://www.squid-cache.org/
>
> pve-cluster:
>
> Maximiliano Sandoval (3):
>   datacenter config: add setting for HTTP{,S} proxies
>   datacenter config: deprecate http_proxy
>   cluster: add helper to retrieve proxies
>
>  src/PVE/Cluster.pm          | 58 +++++++++++++++++++++++++++++++++
>  src/PVE/DataCenterConfig.pm | 64 ++++++++++++++++++++++++++++++++++++-
>  2 files changed, 121 insertions(+), 1 deletion(-)
>
>
> pve-manager:
>
> Maximiliano Sandoval (3):
>   api: subscription: use new proxy dc option
>   api: apt: use new dc proxy option
>   api: nodes: use new dc proxy option
>
>  PVE/API2/APT.pm          |  7 +++++--
>  PVE/API2/Nodes.pm        | 11 ++++++++---
>  PVE/API2/Subscription.pm |  4 ++--
>  3 files changed, 15 insertions(+), 7 deletions(-)
>
>
> pve-storage:
>
> Maximiliano Sandoval (1):
>   api: storage: status: use new dc proxy option
>
>  src/PVE/API2/Storage/Status.pm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
>
> Summary over all repositories:
>  6 files changed, 138 insertions(+), 10 deletions(-)
>
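
Added example, not part of the series or of either mail: a Python model of the quoted test plan that parses the `--proxy` option string, picks the proxy for a protocol and use-case, and checks the node's first TCP hop against the quoted `cluster.fw` rules. The precedence in `resolve` (a `<protocol>-<use-case>` key overrides `proxy`, and `none` means a direct connection) is an assumption drawn from the cover letter; the actual logic lives in the first commit, which is not shown here.

```python
from urllib.parse import urlsplit

# Option string taken from the quoted `pvesh set` command.
OPTION = ("proxy=http://10.10.10.139:3128,"
          "https-subscription=http://10.10.10.138:3128,http-download=none")
# [RULES] of the quoted cluster.fw as (action, dest, dport); None = any.
RULES = [("ACCEPT", "10.10.10.138", None), ("ACCEPT", "10.10.10.1", None),
         ("DROP", None, 443), ("DROP", None, 80)]
DEFAULT_PORT = {"http": 80, "https": 443}


def parse_option(text):
    """Split 'key=value,key=value' into a dict, rejecting malformed items."""
    cfg = {}
    for item in text.split(","):
        key, sep, value = item.partition("=")
        if not sep or not key or not value or key in cfg:
            raise ValueError(f"bad proxy option item: {item!r}")
        if value != "none" and urlsplit(value).hostname is None:
            raise ValueError(f"not a proxy URL: {value!r}")
        cfg[key] = value
    return cfg


def resolve(cfg, protocol, use_case):
    """ASSUMED precedence: '<protocol>-<use_case>' override, then 'proxy'.
    Returns a proxy URL, or None for a direct connection."""
    value = cfg.get(f"{protocol}-{use_case}", cfg.get("proxy"))
    return None if value in (None, "none") else value


def first_hop(cfg, protocol, use_case, origin_host):
    """(host, port) the node itself opens a TCP connection to."""
    proxy = resolve(cfg, protocol, use_case)
    if proxy is None:
        return origin_host, DEFAULT_PORT[protocol]
    url = urlsplit(proxy)
    return url.hostname, url.port or DEFAULT_PORT.get(url.scheme)


def verdict(host, port):
    """First matching rule wins; 'DEFAULT' means no listed rule matched."""
    for action, dest, dport in RULES:
        if (dest is None or dest == host) and (dport is None or dport == port):
            return action
    return "DEFAULT"
```

With the quoted configuration, an HTTPS subscription request has 10.10.10.138:3128 as its first hop (ACCEPT), while an HTTP download goes direct to port 80 (DROP). Anything that falls back to the global `proxy` at 10.10.10.139:3128 matches none of the listed rules and is left to the firewall's default policy.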