* [pve-devel] [PATCH SERIES manager/http-server/docs] fix #5699: add support for real IP
@ 2024-09-10 0:30 Thomas Skinner
2024-09-10 0:30 ` [pve-devel] [PATCH docs 1/1] fix #5699: pveproxy: add docs for real IP support Thomas Skinner
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Thomas Skinner @ 2024-09-10 0:30 UTC (permalink / raw)
To: pve-devel
This patch series adds support for setting a HTTP header for passing through a client IP
address for logging purposes. Two settings are introduced for /etc/default/pveproxy:
PROXY_REAL_IP_HEADER: defines a HTTP header to extract a client IP address from in the request.
If the IP address is invalid, it is ignored. Otherwise, it is logged in addition to
the sending peer IP address.
TRUSTED_PROXY_IPS: defines a list of IP addresses or ranges that are allowed to set
the header defined in PROXY_REAL_IP_HEADER. If this setting is not set, any requests
with the PROXY_REAL_IP_HEADER set will have the extracted IP address logged.
pve-docs:
Thomas Skinner (1):
fix #5699: pveproxy: add docs for real IP support
pveproxy.adoc | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
pve-http-server:
Thomas Skinner (1):
fix #5699: pveproxy: add library methods for real IP support
src/PVE/APIServer/AnyEvent.pm | 43 ++++++++++++++++++++++++++++++++---
src/PVE/APIServer/Utils.pm | 15 ++++++++++++
2 files changed, 55 insertions(+), 3 deletions(-)
pve-manager:
Thomas Skinner (1):
fix #5699: pveproxy: add settings for real IP support
PVE/Service/pveproxy.pm | 2 ++
1 file changed, 2 insertions(+)
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 6+ messages in thread* [pve-devel] [PATCH docs 1/1] fix #5699: pveproxy: add docs for real IP support 2024-09-10 0:30 [pve-devel] [PATCH SERIES manager/http-server/docs] fix #5699: add support for real IP Thomas Skinner @ 2024-09-10 0:30 ` Thomas Skinner 2024-11-13 11:36 ` Fabian Grünbichler 2024-09-10 0:30 ` [pve-devel] [PATCH http-server 1/1] fix #5699: pveproxy: add library methods " Thomas Skinner 2024-09-10 0:30 ` [pve-devel] [PATCH manager 1/1] fix #5699: pveproxy: add settings " Thomas Skinner 2 siblings, 1 reply; 6+ messages in thread From: Thomas Skinner @ 2024-09-10 0:30 UTC (permalink / raw) To: pve-devel --- pveproxy.adoc | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/pveproxy.adoc b/pveproxy.adoc index 4b5dac0..f0ae0f7 100644 --- a/pveproxy.adoc +++ b/pveproxy.adoc @@ -198,6 +198,35 @@ content, if the client supports it. This can disabled in `/etc/default/pveproxy` COMPRESSION=0 +[[pveproxy_real_ip]] +Real Client IP Logging +---------------------- + +By default, `pveproxy` logs the IP address of the client that sent the request. +In cases where a proxy server is in front of `pveproxy`, it may be desirable to +log the IP of the client making the request instead of the proxy IP. + +To enable processing of a HTTP header set by the proxy for logging purposes, set +`PROXY_REAL_IP_HEADER` to the name of the header to retrieve the client IP from. For +example: + + PROXY_REAL_IP_HEADER="X-Forwarded-For" + +Any invalid values passed in this header will be ignored. + +The default behavior is log the value in this header on all incoming requests. +To define a list of proxy servers that should be trusted to set the above HTTP +header, set `TRUSTED_PROXY_IPS`, for example: + + TRUSTED_PROXY_IPS="192.168.0.2" + +The `TRUSTED_PROXY_IPS` setting also supports values similar to the `ALLOW_FROM` +and `DENY_FROM` settings. + +IP addresses can be specified using any syntax understood by `Net::IP`. The +name `all` is an alias for `0/0` and `::/0` (meaning all IPv4 and IPv6 +addresses). + ifdef::manvolnum[] include::pve-copyright.adoc[] endif::manvolnum[] -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [pve-devel] [PATCH docs 1/1] fix #5699: pveproxy: add docs for real IP support 2024-09-10 0:30 ` [pve-devel] [PATCH docs 1/1] fix #5699: pveproxy: add docs for real IP support Thomas Skinner @ 2024-11-13 11:36 ` Fabian Grünbichler 0 siblings, 0 replies; 6+ messages in thread From: Fabian Grünbichler @ 2024-11-13 11:36 UTC (permalink / raw) To: Proxmox VE development discussion; +Cc: Thomas Skinner thanks for sending docs along with your feature patch! this one looks good to me, but see my comments on the feature patch itself. On September 10, 2024 2:30 am, Thomas Skinner wrote: > --- > pveproxy.adoc | 29 +++++++++++++++++++++++++++++ > 1 file changed, 29 insertions(+) > > diff --git a/pveproxy.adoc b/pveproxy.adoc > index 4b5dac0..f0ae0f7 100644 > --- a/pveproxy.adoc > +++ b/pveproxy.adoc > @@ -198,6 +198,35 @@ content, if the client supports it. This can disabled in `/etc/default/pveproxy` > > COMPRESSION=0 > > +[[pveproxy_real_ip]] > +Real Client IP Logging > +---------------------- > + > +By default, `pveproxy` logs the IP address of the client that sent the request. > +In cases where a proxy server is in front of `pveproxy`, it may be desirable to > +log the IP of the client making the request instead of the proxy IP. > + > +To enable processing of a HTTP header set by the proxy for logging purposes, set > +`PROXY_REAL_IP_HEADER` to the name of the header to retrieve the client IP from. For > +example: > + > + PROXY_REAL_IP_HEADER="X-Forwarded-For" > + > +Any invalid values passed in this header will be ignored. > + > +The default behavior is log the value in this header on all incoming requests. > +To define a list of proxy servers that should be trusted to set the above HTTP > +header, set `TRUSTED_PROXY_IPS`, for example: > + > + TRUSTED_PROXY_IPS="192.168.0.2" > + > +The `TRUSTED_PROXY_IPS` setting also supports values similar to the `ALLOW_FROM` > +and `DENY_FROM` settings. > + > +IP addresses can be specified using any syntax understood by `Net::IP`. The > +name `all` is an alias for `0/0` and `::/0` (meaning all IPv4 and IPv6 > +addresses). > + > ifdef::manvolnum[] > include::pve-copyright.adoc[] > endif::manvolnum[] > -- > 2.39.2 > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > > > _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
* [pve-devel] [PATCH http-server 1/1] fix #5699: pveproxy: add library methods for real IP support 2024-09-10 0:30 [pve-devel] [PATCH SERIES manager/http-server/docs] fix #5699: add support for real IP Thomas Skinner 2024-09-10 0:30 ` [pve-devel] [PATCH docs 1/1] fix #5699: pveproxy: add docs for real IP support Thomas Skinner @ 2024-09-10 0:30 ` Thomas Skinner 2024-11-13 11:34 ` Fabian Grünbichler 2024-09-10 0:30 ` [pve-devel] [PATCH manager 1/1] fix #5699: pveproxy: add settings " Thomas Skinner 2 siblings, 1 reply; 6+ messages in thread From: Thomas Skinner @ 2024-09-10 0:30 UTC (permalink / raw) To: pve-devel --- src/PVE/APIServer/AnyEvent.pm | 43 ++++++++++++++++++++++++++++++++--- src/PVE/APIServer/Utils.pm | 15 ++++++++++++ 2 files changed, 55 insertions(+), 3 deletions(-) diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm index a8d60c1..c2afb4d 100644 --- a/src/PVE/APIServer/AnyEvent.pm +++ b/src/PVE/APIServer/AnyEvent.pm @@ -85,20 +85,21 @@ sub log_request { my $loginfo = $reqstate->{log}; - # like apache2 common log format - # LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" + # like apache2 common log format + client IP address + # LogFormat "%a %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" return if $loginfo->{written}; # avoid duplicate logs $loginfo->{written} = 1; my $peerip = $reqstate->{peer_host} || '-'; + my $realip = $loginfo->{real_ip} || $peerip; my $userid = $loginfo->{userid} || '-'; my $content_length = defined($loginfo->{content_length}) ? $loginfo->{content_length} : '-'; my $code = $loginfo->{code} || 500; my $requestline = $loginfo->{requestline} || '-'; my $timestr = strftime("%d/%m/%Y:%H:%M:%S %z", localtime()); - my $msg = "$peerip - $userid [$timestr] \"$requestline\" $code $content_length\n"; + my $msg = "$realip $peerip - $userid [$timestr] \"$requestline\" $code $content_length\n"; $self->write_log($msg); } @@ -1462,6 +1463,14 @@ sub authenticate_and_handle_request { my $auth = {}; + if ($self->{proxy_real_ip_header} && $request->header($self->{proxy_real_ip_header})) { + my $real_ip = Net::IP->new($request->header($self->{proxy_real_ip_header})) || undef; + $reqstate->{log}->{real_ip} = Net::IP::ip_compress_address( + $real_ip->ip(), + $real_ip->version(), + ) if defined($real_ip) && $self->check_trusted_proxy($reqstate->{peer_host}); + } + if ($self->{spiceproxy}) { my $connect_str = $request->header('Host'); my ($vmid, $node, $port) = $self->verify_spice_connect_url($connect_str); @@ -1801,6 +1810,34 @@ sub check_host_access { return $match_allow; } +sub check_trusted_proxy { + my ($self, $clientip) = @_; + + $clientip = PVE::APIServer::Utils::normalize_v4_in_v6($clientip); + my $cip = Net::IP->new($clientip); + + if (!$cip) { + $self->dprint("client IP not parsable: $@"); + return 0; + } + + my $match_trusted_proxy = 0; + + if ($self->{trusted_proxy_ips}) { + foreach my $t (@{$self->{trusted_proxy_ips}}) { + if ($t->overlaps($cip)) { + $match_trusted_proxy = 1; + $self->dprint("client IP in trusted proxies: ". $t->print()); + last; + } + } + } else { + $match_trusted_proxy = 1; + } + + return $match_trusted_proxy; +} + sub accept_connections { my ($self) = @_; diff --git a/src/PVE/APIServer/Utils.pm b/src/PVE/APIServer/Utils.pm index 5728d97..f7cff29 100644 --- a/src/PVE/APIServer/Utils.pm +++ b/src/PVE/APIServer/Utils.pm @@ -26,6 +26,8 @@ sub read_proxy_config { $shcmd .= 'echo \"COMPRESSION:\$COMPRESSION\";'; $shcmd .= 'echo \"DISABLE_TLS_1_2:\$DISABLE_TLS_1_2\";'; $shcmd .= 'echo \"DISABLE_TLS_1_3:\$DISABLE_TLS_1_3\";'; + $shcmd .= 'echo \"PROXY_REAL_IP_HEADER:\$PROXY_REAL_IP_HEADER\";'; + $shcmd .= 'echo \"TRUSTED_PROXY_IPS:\$TRUSTED_PROXY_IPS\";'; my $data = -f $conffile ? `bash -c "$shcmd"` : ''; @@ -65,6 +67,19 @@ sub read_proxy_config { $res->{$key} = $value; } elsif ($key eq 'TLS_KEY_FILE') { $res->{$key} = $value; + } elsif ($key eq 'PROXY_REAL_IP_HEADER') { + $res->{$key} = $value; + } elsif ($key eq 'TRUSTED_PROXY_IPS') { + my $ips = []; + foreach my $ip (split(/,/, $value)) { + if ($ip eq 'all') { + push @$ips, Net::IP->new('0/0') || die Net::IP::Error() . "\n"; + push @$ips, Net::IP->new('::/0') || die Net::IP::Error() . "\n"; + next; + } + push @$ips, Net::IP->new(normalize_v4_in_v6($ip)) || die Net::IP::Error() . "\n"; + } + $res->{$key} = $ips; } elsif (grep { $key eq $_ } @$boolean_options) { die "unknown value '$value' - use 0 or 1\n" if $value !~ m/^(0|1)$/; $res->{$key} = $value; -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [pve-devel] [PATCH http-server 1/1] fix #5699: pveproxy: add library methods for real IP support 2024-09-10 0:30 ` [pve-devel] [PATCH http-server 1/1] fix #5699: pveproxy: add library methods " Thomas Skinner @ 2024-11-13 11:34 ` Fabian Grünbichler 0 siblings, 0 replies; 6+ messages in thread From: Fabian Grünbichler @ 2024-11-13 11:34 UTC (permalink / raw) To: Proxmox VE development discussion On September 10, 2024 2:30 am, Thomas Skinner wrote: > --- > src/PVE/APIServer/AnyEvent.pm | 43 ++++++++++++++++++++++++++++++++--- > src/PVE/APIServer/Utils.pm | 15 ++++++++++++ > 2 files changed, 55 insertions(+), 3 deletions(-) > > diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm > index a8d60c1..c2afb4d 100644 > --- a/src/PVE/APIServer/AnyEvent.pm > +++ b/src/PVE/APIServer/AnyEvent.pm > @@ -85,20 +85,21 @@ sub log_request { > > my $loginfo = $reqstate->{log}; > > - # like apache2 common log format > - # LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" > + # like apache2 common log format + client IP address > + # LogFormat "%a %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" this has the potential to break a lot of things analysing this log file.. would it make sense to only do it conditionally (if a "real IP" is set)? or *just* log the "real IP" instead of the peerip (which would be backwards-compatible as well)? > > return if $loginfo->{written}; # avoid duplicate logs > $loginfo->{written} = 1; > > my $peerip = $reqstate->{peer_host} || '-'; > + my $realip = $loginfo->{real_ip} || $peerip; > my $userid = $loginfo->{userid} || '-'; > my $content_length = defined($loginfo->{content_length}) ? $loginfo->{content_length} : '-'; > my $code = $loginfo->{code} || 500; > my $requestline = $loginfo->{requestline} || '-'; > my $timestr = strftime("%d/%m/%Y:%H:%M:%S %z", localtime()); > > - my $msg = "$peerip - $userid [$timestr] \"$requestline\" $code $content_length\n"; > + my $msg = "$realip $peerip - $userid [$timestr] \"$requestline\" $code $content_length\n"; > > $self->write_log($msg); > } > @@ -1462,6 +1463,14 @@ sub authenticate_and_handle_request { > > my $auth = {}; > > + if ($self->{proxy_real_ip_header} && $request->header($self->{proxy_real_ip_header})) { > + my $real_ip = Net::IP->new($request->header($self->{proxy_real_ip_header})) || undef; > + $reqstate->{log}->{real_ip} = Net::IP::ip_compress_address( > + $real_ip->ip(), > + $real_ip->version(), > + ) if defined($real_ip) && $self->check_trusted_proxy($reqstate->{peer_host}); the alignment/indentation is off there, and the mixing of ifs and postifs is also not easily readable.. maybe: if (my $hdr = $self->{proxy_real_ip_header}) { if (my $value = $request->header($hdr})) { my $real_ip = Net::IP->new($value); if (defined($real_ip) && $self->check_trusted_proxy($peerip)) { $reqstate->{log}->{real_ip} = Net::IP::ip_compress_address( $real_ip->ip(), $real_ip->version(), ); } } } > + } > + > if ($self->{spiceproxy}) { > my $connect_str = $request->header('Host'); > my ($vmid, $node, $port) = $self->verify_spice_connect_url($connect_str); > @@ -1801,6 +1810,34 @@ sub check_host_access { > return $match_allow; > } > > +sub check_trusted_proxy { > + my ($self, $clientip) = @_; > + > + $clientip = PVE::APIServer::Utils::normalize_v4_in_v6($clientip); > + my $cip = Net::IP->new($clientip); > + > + if (!$cip) { > + $self->dprint("client IP not parsable: $@"); > + return 0; > + } > + > + my $match_trusted_proxy = 0; this is not needed, you can just return directly below.. > + > + if ($self->{trusted_proxy_ips}) { > + foreach my $t (@{$self->{trusted_proxy_ips}}) { this line doesn't really match our perl style ;) > + if ($t->overlaps($cip)) { > + $match_trusted_proxy = 1; > + $self->dprint("client IP in trusted proxies: ". $t->print()); > + last; > + } > + } > + } else { > + $match_trusted_proxy = 1; > + } > + > + return $match_trusted_proxy; > +} > + > sub accept_connections { > my ($self) = @_; > > diff --git a/src/PVE/APIServer/Utils.pm b/src/PVE/APIServer/Utils.pm > index 5728d97..f7cff29 100644 > --- a/src/PVE/APIServer/Utils.pm > +++ b/src/PVE/APIServer/Utils.pm > @@ -26,6 +26,8 @@ sub read_proxy_config { > $shcmd .= 'echo \"COMPRESSION:\$COMPRESSION\";'; > $shcmd .= 'echo \"DISABLE_TLS_1_2:\$DISABLE_TLS_1_2\";'; > $shcmd .= 'echo \"DISABLE_TLS_1_3:\$DISABLE_TLS_1_3\";'; > + $shcmd .= 'echo \"PROXY_REAL_IP_HEADER:\$PROXY_REAL_IP_HEADER\";'; > + $shcmd .= 'echo \"TRUSTED_PROXY_IPS:\$TRUSTED_PROXY_IPS\";'; > > my $data = -f $conffile ? `bash -c "$shcmd"` : ''; > > @@ -65,6 +67,19 @@ sub read_proxy_config { > $res->{$key} = $value; > } elsif ($key eq 'TLS_KEY_FILE') { > $res->{$key} = $value; > + } elsif ($key eq 'PROXY_REAL_IP_HEADER') { > + $res->{$key} = $value; > + } elsif ($key eq 'TRUSTED_PROXY_IPS') { > + my $ips = []; > + foreach my $ip (split(/,/, $value)) { > + if ($ip eq 'all') { > + push @$ips, Net::IP->new('0/0') || die Net::IP::Error() . "\n"; > + push @$ips, Net::IP->new('::/0') || die Net::IP::Error() . "\n"; > + next; > + } > + push @$ips, Net::IP->new(normalize_v4_in_v6($ip)) || die Net::IP::Error() . "\n"; > + } > + $res->{$key} = $ips; > } elsif (grep { $key eq $_ } @$boolean_options) { > die "unknown value '$value' - use 0 or 1\n" if $value !~ m/^(0|1)$/; > $res->{$key} = $value; > -- > 2.39.2 > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > > > _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
* [pve-devel] [PATCH manager 1/1] fix #5699: pveproxy: add settings for real IP support 2024-09-10 0:30 [pve-devel] [PATCH SERIES manager/http-server/docs] fix #5699: add support for real IP Thomas Skinner 2024-09-10 0:30 ` [pve-devel] [PATCH docs 1/1] fix #5699: pveproxy: add docs for real IP support Thomas Skinner 2024-09-10 0:30 ` [pve-devel] [PATCH http-server 1/1] fix #5699: pveproxy: add library methods " Thomas Skinner @ 2024-09-10 0:30 ` Thomas Skinner 2 siblings, 0 replies; 6+ messages in thread From: Thomas Skinner @ 2024-09-10 0:30 UTC (permalink / raw) To: pve-devel --- PVE/Service/pveproxy.pm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm index ac108545..66db7a73 100755 --- a/PVE/Service/pveproxy.pm +++ b/PVE/Service/pveproxy.pm @@ -115,6 +115,8 @@ sub init { honor_cipher_order => $proxyconf->{HONOR_CIPHER_ORDER}, }, compression => $proxyconf->{COMPRESSION}, + proxy_real_ip_header => $proxyconf->{PROXY_REAL_IP_HEADER}, + trusted_proxy_ips => $proxyconf->{TRUSTED_PROXY_IPS}, # Note: there is no authentication for those pages and dirs! pages => { '/' => sub { get_index($self->{nodename}, @_) }, -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-11-13 11:36 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2024-09-10 0:30 [pve-devel] [PATCH SERIES manager/http-server/docs] fix #5699: add support for real IP Thomas Skinner 2024-09-10 0:30 ` [pve-devel] [PATCH docs 1/1] fix #5699: pveproxy: add docs for real IP support Thomas Skinner 2024-11-13 11:36 ` Fabian Grünbichler 2024-09-10 0:30 ` [pve-devel] [PATCH http-server 1/1] fix #5699: pveproxy: add library methods " Thomas Skinner 2024-11-13 11:34 ` Fabian Grünbichler 2024-09-10 0:30 ` [pve-devel] [PATCH manager 1/1] fix #5699: pveproxy: add settings " Thomas Skinner
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox