From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id B5C0E1FF2C5 for ; Mon, 8 Jul 2024 18:48:50 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id DB5ADAB66; Mon, 8 Jul 2024 18:49:11 +0200 (CEST)
From: Max Carrara
To: pbs-devel@lists.proxmox.com
Date: Mon, 8 Jul 2024 18:48:16 +0200
Message-Id: <20240708164817.689324-3-m.carrara@proxmox.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20240708164817.689324-1-m.carrara@proxmox.com>
References: <20240708164817.689324-1-m.carrara@proxmox.com>
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results: 0 AWL 0.029 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record
Subject: [pbs-devel] [PATCH v2 proxmox 2/3] rest-server: connection: log peer address on error
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Reply-To: Proxmox Backup Server development discussion
Cc: Wolfgang Bumiller
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pbs-devel-bounces@lists.proxmox.com
Sender: "pbs-devel"

.. in order to make debugging easier and logs more helpful.

Signed-off-by: Max Carrara
---
Changes v1 --> v2:
* none

proxmox-rest-server/src/connection.rs | 42 ++++++++++++++++-----------
1 file changed, 25 insertions(+), 17 deletions(-)

diff --git a/proxmox-rest-server/src/connection.rs b/proxmox-rest-server/src/connection.rs
index 243348c0..470021d7 100644
--- a/proxmox-rest-server/src/connection.rs
+++ b/proxmox-rest-server/src/connection.rs
@@ -2,6 +2,7 @@
 //!
 //! Hyper building block.
+use std::net::SocketAddr;
 use std::os::unix::io::AsRawFd;
 use std::path::PathBuf;
 use std::pin::Pin;
@@ -257,6 +258,7 @@ impl From<(ClientSender, InsecureClientSender)> for Sender {
 struct AcceptState {
 pub socket: InsecureClientStream,
+ pub peer: SocketAddr,
 pub acceptor: Arc>,
 pub accept_counter: Arc<()>,
 }
@@ -276,9 +278,9 @@ impl AcceptBuilder {
 let mut shutdown_future = crate::shutdown_future().fuse();
 loop {
- let socket = futures::select! {
+ let (socket, peer) = futures::select! {
 res = self.try_setup_socket(&listener).fuse() => match res {
- Ok(socket) => socket,
+ Ok(socket_peer) => socket_peer,
 Err(err) => {
 log::error!("couldn't set up TCP socket: {err}");
 continue;
@@ -291,12 +293,13 @@ impl AcceptBuilder {
 let accept_counter = Arc::clone(&accept_counter);
 if Arc::strong_count(&accept_counter) > self.max_pending_accepts {
- log::error!("connection rejected - too many open connections");
+ log::error!("[{peer}] connection rejected - too many open connections");
 continue;
 }
 let state = AcceptState {
 socket,
+ peer,
 acceptor,
 accept_counter,
 };
@@ -328,7 +331,7 @@ impl AcceptBuilder {
 async fn try_setup_socket(
 &self,
 listener: &TcpListener,
- ) -> Result {
+ ) -> Result<(InsecureClientStream, SocketAddr), Error> {
 let (socket, peer) = match listener.accept().await {
 Ok(connection) => connection,
 Err(error) => {
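Review bot: The new `pub peer: SocketAddr` field of `AcceptState` and the changed return type of `try_setup_socket` (hunk @@ -328) both lack documentation, so a reader has to trace `peer` back to `listener.accept()` to learn what it holds. Suggest `/// Address of the TCP peer returned by listener.accept(); only used to tag log and error messages.` above the field, plus a one-line doc comment on `try_setup_socket` stating that it returns the configured stream together with that address (if a doc comment already exists above the signature, outside the hunk, it needs updating for the tuple). Since this is the address of the direct transport peer, the comment should also say that behind a reverse proxy it identifies the proxy rather than the client, so operators correlating these lines with other logs are not misled. The body of `try_setup_socket` continues past its hunk.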
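Review bot: The error arm of the changed `futures::select!` logs `couldn't set up TCP socket: {err}`, and if `Error` is `anyhow::Error`, as the `.context`/`.with_context` calls in `try_setup_socket` (hunk @@ -338) suggest, the plain `{}` format prints only the outermost context, so the underlying OS error from `set_nodelay`/`set_tcp_keepalive` never reaches the log line. Suggest `log::error!("couldn't set up TCP socket: {err:#}");` so the whole chain, including the new `[{peer}]` tag, is printed. The accept loop containing this arm starts and ends outside the hunk.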
@@ -338,10 +341,10 @@ impl AcceptBuilder {
 socket
 .set_nodelay(true)
- .context("error while setting TCP_NODELAY on socket")?;
+ .with_context(|| format!("[{peer}] error while setting TCP_NODELAY on socket"))?;
 proxmox_sys::linux::socket::set_tcp_keepalive(socket.as_raw_fd(), self.tcp_keepalive_time)
- .context("error while setting SO_KEEPALIVE on socket")?;
+ .with_context(|| format!("[{peer}] error while setting SO_KEEPALIVE on socket"))?;
 #[cfg(feature = "rate-limited-stream")]
 let socket = match self.lookup_rate_limiter.clone() {
@@ -349,13 +352,12 @@ impl AcceptBuilder {
 None => RateLimitedStream::with_limiter(socket, None, None),
 };
- #[cfg(not(feature = "rate-limited-stream"))]
- let _peer = peer;
-
- Ok(socket)
+ Ok((socket, peer))
 }
 async fn do_accept_tls(state: AcceptState, flags: AcceptFlags, secure_sender: ClientSender) {
+ let peer = state.peer;
+
 let ssl = {
 // limit acceptor_guard scope
 // Acceptor can be reloaded using the command socket "reload-certificate" command
@@ -364,7 +366,9 @@ impl AcceptBuilder {
 match openssl::ssl::Ssl::new(acceptor_guard.context()) {
 Ok(ssl) => ssl,
 Err(err) => {
- log::error!("failed to create Ssl object from Acceptor context - {err}");
+ log::error!(
+ "[{peer}] failed to create Ssl object from Acceptor context - {err}"
+ );
 return;
 }
 }
@@ -373,7 +377,9 @@ impl AcceptBuilder {
 let secure_stream = match tokio_openssl::SslStream::new(ssl, state.socket) {
 Ok(stream) => stream,
 Err(err) => {
- log::error!("failed to create SslStream using ssl and connection socket - {err}");
+ log::error!(
+ "[{peer}] failed to create SslStream using ssl and connection socket - {err}"
+ );
 return;
 }
 };
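Review bot: With the `[{peer}]` tag placed at the start of the two `with_context` strings, the line actually logged by the accept loop (hunk @@ -276) reads `couldn't set up TCP socket: [addr] error while setting TCP_NODELAY on socket`, so the tag lands mid-message, unlike every other message in this patch where it leads. If a uniform prefix matters for log parsing, word the contexts as `format!("error while setting TCP_NODELAY on socket of peer {peer}")` and `format!("error while setting SO_KEEPALIVE on socket of peer {peer}")` instead. `try_setup_socket` starts before this hunk.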
@@ -388,17 +394,17 @@ impl AcceptBuilder {
 match result {
 Ok(Ok(())) => {
 if secure_sender.send(Ok(secure_stream)).await.is_err() && flags.is_debug {
- log::error!("detected closed connection channel");
+ log::error!("[{peer}] detected closed connection channel");
 }
 }
 Ok(Err(err)) => {
 if flags.is_debug {
- log::error!("https handshake failed - {err}");
+ log::error!("[{peer}] https handshake failed - {err}");
 }
 }
 Err(_) => {
 if flags.is_debug {
- log::error!("https handshake timeout");
+ log::error!("[{peer}] https handshake timeout");
 }
 }
 }
@@ -412,6 +418,8 @@ impl AcceptBuilder {
 secure_sender: ClientSender,
 insecure_sender: InsecureClientSender,
 ) {
+ let peer = state.peer;
+
 let client_initiates_handshake = {
 #[cfg(feature = "rate-limited-stream")]
 let socket_ref = state.socket.inner();
@@ -422,7 +430,7 @@ impl AcceptBuilder {
 match Self::wait_for_client_tls_handshake(socket_ref).await {
 Ok(initiates_handshake) => initiates_handshake,
 Err(err) => {
- log::error!("error checking for TLS handshake: {err}");
+ log::error!("[{peer}] error checking for TLS handshake: {err}");
 return;
 }
 }
@@ -432,7 +440,7 @@ impl AcceptBuilder {
 let insecure_stream = Box::pin(state.socket);
 if insecure_sender.send(Ok(insecure_stream)).await.is_err() && flags.is_debug {
- log::error!("detected closed connection channel")
+ log::error!("[{peer}] detected closed connection channel")
 }
 return;
--
2.39.2
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
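Review bot: `[{peer}] detected closed connection channel` is now emitted with identical text from the TLS path here (`secure_sender`) and from the plain-TCP path in hunk @@ -432 (`insecure_sender`); both are gated by `flags.is_debug` and both live in the same `impl AcceptBuilder`, so neither the message nor the log target tells an operator which channel was closed. Suggest `"[{peer}] detected closed connection channel (tls)"` here and `"[{peer}] detected closed connection channel (insecure)"` in the other hunk. `do_accept_tls` and the function containing hunk @@ -432 both start outside their hunks.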