public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [RFC http-server manager 0/2] fix #2997: allow setting BIND_IP for proxy
@ 2021-02-10 16:01 Oguz Bektas
  2021-02-10 16:01 ` [pve-devel] [RFC 1/2 http-server] utils: add BIND_IP option in /etc/default/pveproxy Oguz Bektas
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Oguz Bektas @ 2021-02-10 16:01 UTC (permalink / raw)
  To: pve-devel

maybe a simple approach like this is okay?

can also be called "LISTEN_IP" or similar

pve-manager:

Oguz Bektas (1):
  proxy: allow setting BIND_IP for pveproxy

 PVE/Service/pveproxy.pm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)


pve-http-server:

Oguz Bektas (1):
  utils: add BIND_IP option in /etc/default/pveproxy

 PVE/APIServer/Utils.pm | 3 +++
 1 file changed, 3 insertions(+)

-- 
2.20.1





* [pve-devel] [RFC 1/2 http-server] utils: add BIND_IP option in /etc/default/pveproxy
  2021-02-10 16:01 [pve-devel] [RFC http-server manager 0/2] fix #2997: allow setting BIND_IP for proxy Oguz Bektas
@ 2021-02-10 16:01 ` Oguz Bektas
  2021-02-10 16:01 ` [pve-devel] [RFC 2/2 manager] proxy: allow setting BIND_IP for pveproxy Oguz Bektas
  2021-02-10 17:02 ` [pve-devel] [RFC http-server manager 0/2] fix #2997: allow setting BIND_IP for proxy Thomas Lamprecht
  2 siblings, 0 replies; 6+ messages in thread
From: Oguz Bektas @ 2021-02-10 16:01 UTC (permalink / raw)
  To: pve-devel

to allow setting arbitrary IP address to listen on

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
 PVE/APIServer/Utils.pm | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/PVE/APIServer/Utils.pm b/PVE/APIServer/Utils.pm
index e843e5f..94bacb8 100644
--- a/PVE/APIServer/Utils.pm
+++ b/PVE/APIServer/Utils.pm
@@ -14,6 +14,7 @@ sub read_proxy_config {
 
     # Note: evaluate with bash
     my $shcmd = ". $conffile;\n";
+    $shcmd .= 'echo \"BIND_IP:\$BIND_IP\";';
     $shcmd .= 'echo \"ALLOW_FROM:\$ALLOW_FROM\";';
     $shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
     $shcmd .= 'echo \"POLICY:\$POLICY\";';
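
Review bot: the added echo line joins key and value with ':' (`BIND_IP:$BIND_IP`), and an IPv6 bind address contains colons itself. The code that splits these lines is outside the hunk, so please confirm it splits on the first ':' only and say in the commit message that an IPv6 value was tried. The option name is also still open in the cover letter (`LISTEN_IP` is floated); settle it and document the key next to ALLOW_FROM, DENY_FROM and POLICY before this lands.
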
@@ -36,6 +37,8 @@ sub read_proxy_config {
 		push @$ips, Net::IP->new($ip) || die Net::IP::Error() . "\n";
 	    }
 	    $res->{$key} = $ips;
+	} elsif ($key eq 'BIND_IP') {
+	    $res->{$key} = $value;
 	} elsif ($key eq 'POLICY') {
 	    die "unknown policy '$value'\n" if $value !~ m/^(allow|deny)$/;
 	    $res->{$key} = $value;
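
Review bot: the new `BIND_IP` branch stores `$value` unchecked, while the branch just above it runs every list entry through `Net::IP->new($ip) || die Net::IP::Error()` and the `POLICY` branch below rejects anything that does not match `^(allow|deny)$`. Validate here too, for example with `Net::IP->new($value) || die Net::IP::Error() . "\n";` plus a check that the value is a single host address rather than a prefix or range, so a typo in /etc/default/pveproxy fails at config read with a clear message instead of later at socket creation.
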
-- 
2.20.1





* [pve-devel] [RFC 2/2 manager] proxy: allow setting BIND_IP for pveproxy
  2021-02-10 16:01 [pve-devel] [RFC http-server manager 0/2] fix #2997: allow setting BIND_IP for proxy Oguz Bektas
  2021-02-10 16:01 ` [pve-devel] [RFC 1/2 http-server] utils: add BIND_IP option in /etc/default/pveproxy Oguz Bektas
@ 2021-02-10 16:01 ` Oguz Bektas
  2021-02-10 16:20   ` Stoiko Ivanov
  2021-02-10 17:02 ` [pve-devel] [RFC http-server manager 0/2] fix #2997: allow setting BIND_IP for proxy Thomas Lamprecht
  2 siblings, 1 reply; 6+ messages in thread
From: Oguz Bektas @ 2021-02-10 16:01 UTC (permalink / raw)
  To: pve-devel

default to 0.0.0.0 to preserve backwards behavior

Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
---
 PVE/Service/pveproxy.pm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
index 571a6bf5..ce1d42a6 100755
--- a/PVE/Service/pveproxy.pm
+++ b/PVE/Service/pveproxy.pm
@@ -70,7 +70,8 @@ sub init {
 	die "unable to open lock file '${accept_lock_fn}' - $!\n";
 
     my $family = PVE::Tools::get_host_address_family($self->{nodename});
-    my $socket = $self->create_reusable_socket(8006, undef, $family);
+    my $bind_ip = $proxyconf->{BIND_IP} // '0.0.0.0'; # default
+    my $socket = $self->create_reusable_socket(8006, $bind_ip, $family);
 
     my $dirs = {};
 
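Review bot: the `// '0.0.0.0'` fallback on the added `$bind_ip` line does not preserve the old behaviour. The removed call passed `undef` and left the choice of wildcard to `$family`, whereas `'0.0.0.0'` is an IPv4 literal that is now passed together with a `$family` that may be IPv6. Keep `undef` as the default by passing `$proxyconf->{BIND_IP}` straight through, and when an address is configured either check that it matches `$family` or derive the family from the address.
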
-- 
2.20.1





* Re: [pve-devel] [RFC 2/2 manager] proxy: allow setting BIND_IP for pveproxy
  2021-02-10 16:01 ` [pve-devel] [RFC 2/2 manager] proxy: allow setting BIND_IP for pveproxy Oguz Bektas
@ 2021-02-10 16:20   ` Stoiko Ivanov
  2021-02-15 10:00     ` Oguz Bektas
  0 siblings, 1 reply; 6+ messages in thread
From: Stoiko Ivanov @ 2021-02-10 16:20 UTC (permalink / raw)
  To: Oguz Bektas; +Cc: Proxmox VE development discussion

Thanks for looking into this!

On Wed, 10 Feb 2021 17:01:42 +0100
Oguz Bektas <o.bektas@proxmox.com> wrote:

> default to 0.0.0.0 to preserve backwards behavior
> 
> Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> ---
>  PVE/Service/pveproxy.pm | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
> index 571a6bf5..ce1d42a6 100755
> --- a/PVE/Service/pveproxy.pm
> +++ b/PVE/Service/pveproxy.pm
> @@ -70,7 +70,8 @@ sub init {
>  	die "unable to open lock file '${accept_lock_fn}' - $!\n";
>  
>      my $family = PVE::Tools::get_host_address_family($self->{nodename});
> -    my $socket = $self->create_reusable_socket(8006, undef, $family);
> +    my $bind_ip = $proxyconf->{BIND_IP} // '0.0.0.0'; # default
any reason why the '0.0.0.0' is necessary? (the socket got created with
undef before after all) - Given that I find the inner workings of perl
IO::Socket::IP (which gets passed the arguments in create_reusable_socket
eventually) a bit surprising in certain situations I think leaving it as
it was might have its merit

did you test it in a few different scenarios? - e.g.:
* ipv6 only host
* dual-stacked host
* host with multiple interfaces and IPs

> +    my $socket = $self->create_reusable_socket(8006, $bind_ip, $family);
>  
>      my $dirs = {};
>  
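
Review bot: `//` on the added `$bind_ip` line only falls back when `BIND_IP` is undefined, so if the config reader ever stores an empty string for a bare `BIND_IP=` in /etc/default/pveproxy, that empty string is what reaches `create_reusable_socket`. Treat an empty value as unset at this point (or guarantee in read_proxy_config that empty values are never stored) so an incomplete line cannot change which addresses port 8006 listens on.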

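The wildcard-versus-literal question raised in this reply can be checked on a test host with a small probe. The Perl script below is an added example, not part of the thread or of pve-manager; it calls IO::Socket::IP directly with constructed cases on port 0, and assumes (as the reply says) that create_reusable_socket eventually hands the host and family to IO::Socket::IP, here as `LocalHost` and `Family`.

```perl
#!/usr/bin/perl
# Added example: probe how IO::Socket::IP treats the bind-address / family
# combinations discussed in this thread. Not code from pve-manager.
use strict;
use warnings;
use IO::Socket::IP;
use Socket qw(AF_INET AF_INET6);

# Try to open a listening TCP socket and report what it actually bound to.
# Port 0 lets the kernel pick a free port, so nothing collides with 8006.
sub probe {
    my ($host, $family) = @_;
    my %args = (
        LocalPort => 0,
        Family    => $family,
        Proto     => 'tcp',
        Listen    => 1,
        ReuseAddr => 1,
    );
    # undef mirrors the pre-patch call: no LocalHost is passed at all.
    $args{LocalHost} = $host if defined $host;

    my $sock = IO::Socket::IP->new(%args)
        or return "FAILED ($@)";
    my $bound = $sock->sockhost;
    close($sock);
    return "listening on $bound";
}

# Constructed test matrix: bind host (undef = wildcard), family, label.
my @cases = (
    [ undef,       AF_INET,  'undef / AF_INET'      ],
    [ undef,       AF_INET6, 'undef / AF_INET6'     ],
    [ '0.0.0.0',   AF_INET,  '0.0.0.0 / AF_INET'    ],
    [ '0.0.0.0',   AF_INET6, '0.0.0.0 / AF_INET6'   ],
    [ '::',        AF_INET6, ':: / AF_INET6'        ],
    [ '127.0.0.1', AF_INET,  '127.0.0.1 / AF_INET'  ],
    [ '::1',       AF_INET6, '::1 / AF_INET6'       ],
);

for my $case (@cases) {
    my ($host, $family, $label) = @$case;
    printf "%-22s => %s\n", $label, probe($host, $family);
}
```

Run it on each of the host types listed above (IPv6-only, dual-stacked, multiple interfaces) and compare the rows for `undef` with the rows for `'0.0.0.0'`.
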





* Re: [pve-devel] [RFC http-server manager 0/2] fix #2997: allow setting BIND_IP for proxy
  2021-02-10 16:01 [pve-devel] [RFC http-server manager 0/2] fix #2997: allow setting BIND_IP for proxy Oguz Bektas
  2021-02-10 16:01 ` [pve-devel] [RFC 1/2 http-server] utils: add BIND_IP option in /etc/default/pveproxy Oguz Bektas
  2021-02-10 16:01 ` [pve-devel] [RFC 2/2 manager] proxy: allow setting BIND_IP for pveproxy Oguz Bektas
@ 2021-02-10 17:02 ` Thomas Lamprecht
  2 siblings, 0 replies; 6+ messages in thread
From: Thomas Lamprecht @ 2021-02-10 17:02 UTC (permalink / raw)
  To: Proxmox VE development discussion, Oguz Bektas

On 10.02.21 17:01, Oguz Bektas wrote:
> maybe a simple approach like this is okay?
> 

I'd rather go the way PBS does, just listen on really all by default.

PVE often uses multiple networks where the proxy needs to be able on more
than one, a single setting may not cut it in all setups.

It's simpler to just always listen on all and let admins restrict with FW
where required.

> can also be called "LISTEN_IP" or similar
> 
> pve-manager:
> 
> Oguz Bektas (1):
>   proxy: allow setting BIND_IP for pveproxy
> 
>  PVE/Service/pveproxy.pm | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> 
> pve-http-server:
> 
> Oguz Bektas (1):
>   utils: add BIND_IP option in /etc/default/pveproxy
> 
>  PVE/APIServer/Utils.pm | 3 +++
>  1 file changed, 3 insertions(+)
> 






* Re: [pve-devel] [RFC 2/2 manager] proxy: allow setting BIND_IP for pveproxy
  2021-02-10 16:20   ` Stoiko Ivanov
@ 2021-02-15 10:00     ` Oguz Bektas
  0 siblings, 0 replies; 6+ messages in thread
From: Oguz Bektas @ 2021-02-15 10:00 UTC (permalink / raw)
  To: Stoiko Ivanov; +Cc: Proxmox VE development discussion

hi,

thanks for responding!

On Wed, Feb 10, 2021 at 05:20:59PM +0100, Stoiko Ivanov wrote:
> Thanks for looking into this!
> 
> On Wed, 10 Feb 2021 17:01:42 +0100
> Oguz Bektas <o.bektas@proxmox.com> wrote:
> 
> > default to 0.0.0.0 to preserve backwards behavior
> > 
> > Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
> > ---
> >  PVE/Service/pveproxy.pm | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
> > index 571a6bf5..ce1d42a6 100755
> > --- a/PVE/Service/pveproxy.pm
> > +++ b/PVE/Service/pveproxy.pm
> > @@ -70,7 +70,8 @@ sub init {
> >  	die "unable to open lock file '${accept_lock_fn}' - $!\n";
> >  
> >      my $family = PVE::Tools::get_host_address_family($self->{nodename});
> > -    my $socket = $self->create_reusable_socket(8006, undef, $family);
> > +    my $bind_ip = $proxyconf->{BIND_IP} // '0.0.0.0'; # default
> any reason why the '0.0.0.0' is necessary? (the socket got created with
> undef before after all) - Given that I find the inner workings of perl
> IO::Socket::IP (which gets passed the arguments in create_reusable_socket
> eventually) a bit surprising in certain situations I think leaving it as
> it was might have its merit

after looking at it more it looks like `undef` might be better indeed.

> 
> did you test it in a few different scenarios? - e.g.:
> * ipv6 only host
> * dual-stacked host
> * host with multiple interfaces and IPs

no, i've only tested ipv4 -- i'll take a look at these too

> 
> > +    my $socket = $self->create_reusable_socket(8006, $bind_ip, $family);
> >  
> >      my $dirs = {};
> >  
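
Review bot: `create_reusable_socket` is still called once, with a single `$bind_ip`, so the option can express one address or all addresses but not a subset such as a management network plus a second network. If that limit is intended, state it in the commit message and the option's documentation; otherwise accept a list and open one socket per entry.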
> 



