From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id D885979542 for ; Tue, 4 May 2021 13:29:01 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id CC5A18CBB for ; Tue, 4 May 2021 13:28:31 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id A6C158C9E for ; Tue, 4 May 2021 13:28:30 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 772E4429F5 for ; Tue, 4 May 2021 13:28:30 +0200 (CEST) Date: Tue, 4 May 2021 13:25:03 +0200 From: Oguz Bektas To: Proxmox VE development discussion Message-ID: <20210504112503.GA15687@gaia.proxmox.com> Mail-Followup-To: Oguz Bektas , Proxmox VE development discussion References: <20210504101222.21276-1-s.ivanov@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210504101222.21276-1-s.ivanov@proxmox.com> User-Agent: Mutt/1.10.1 (2018-07-13) X-SPAM-LEVEL: Spam detection results: 1 AWL 1.345 Adjusted score from AWL reputation of From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [pveproxy.pm, daemon.pm, spiceproxy.pm, utils.pm, anyevent.pm, proxmox.com] Subject: Re: [pve-devel] [PATCH common/manager/http-server/docs] improve binding, docs and access-control for pveproxy/spiceproxy X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 May 2021 11:29:01 -0000 hi, thank you for the fixes :) tested the following to verify: > I tested it in the following scenarios: > * ipv6 disabled via kernel commandline (listen on 0.0.0.0) > * ipv6 disabled via sysctl (listen on 0.0.0.0) > * no settings dual-stacked (listen on *) > * no settings v6 only (listen on *) > and tested some scenarios also with ALLOW_FROM and LISTEN_IP. it's also worth noting that disabling ipv6 in the commandline will change the access.log format to show the standard IPv4 address instead of the mapped v6 address. Tested-by: Oguz Bektas On Tue, May 04, 2021 at 12:12:14PM +0200, Stoiko Ivanov wrote: > this series is based on the RFC 'use appropriate wildcard address > for pveproxy/spiceproxy' I sent some time ago: > https://lists.proxmox.com/pipermail/pve-devel/2021-April/047988.html > > changes from the RFC: > * incorporate Wolfgang's excellent feedback - huge Thanks! > (or what I took away from it): > ** instead of calling getaddrinfo a few additional times and sifting through > the results simply doing in create_reusable_socket, what we want to do: > * if not listen-address is provided try to bind to '::' and only if this > fails (due to ipv6-disablement via kernel commandline), bind to '0.0.0.0' > ** the PF_INET6 parameter added to the IO::Socket::IP->new call was unnecessary > and misleading - I dropped it > * one of the original reporters of the bind-problems also created a thread in > our community forum about the acls (ALLOW_FROM/DENY_FROM) not working anymore > when set in /etc/default/pveproxy [0] - the patches for pve-http-server > address the issue (at least in my tests) > * the 'all' ACL entry only matched IPv4 addresses, the second patch for > pve-http-server changes this. > * added 3 documentation patches - mostly for the changed behavior, although > the disabling ipv6 section in pve-networking.adoc is meant as an RFC > (I just noticed that we have not official docs, and that too many HOWTOs > suggest disabling it via kernel-cmdline, which I consider problematic) > > > > [0] https://forum.proxmox.com/threads/my-pveproxy-file-doesnt-work.83228 > original cover-letter for the RFC for reference: > The following patchset tries to address the small regression reported in our > forums [0,1], resulting from defaulting to '::' as listen-address in > pveproxy/spiceproxy. > > The issue also affects proxmox-backup-proxy in PBS - and should this approach > be accepted I'll try to port it over to PBS as well. > (ftr: pmgproxy was not affected, since the patch for pmg-api was not applied) > > In all cases the issue is only exhibited if ipv6 is diabled via kernel > commandline [2], not via sysctl [3]. > > * The patchset keeps the fix for pveproxy not starting if the /etc/hosts entry > is not matching with a configured IP-address (I noticed and was pleasantly > surprised while testing a v6only host and forgetting to set the entry) > > I tested it in the following scenarios: > * ipv6 disabled via kernel commandline (listen on 0.0.0.0) > * ipv6 disabled via sysctl (listen on 0.0.0.0) > * no settings dual-stacked (listen on *) > * no settings v6 only (listen on *) > > AFAICT listening on :: as long as possible is the best option, since it > makes the service available on all address-families (doing away, with > having a v4 only /etc/hosts entry, but a DNS AAAA record pointing to > the node for external access). > > Took a quick look at how sshd [4,5] handles this (in the assumption that > they have to get it as right as possible), but it listens on multiple > sockets, something which I'd like to avoid for our proxy-daemons. > > Sending as RFC, because whenever I come near getaddrinfo/getnameinfo I'm > certain to miss quite a few common cases. > > [0] https://forum.proxmox.com/threads/connection-refused-595-nach-update-auf-pve-6-4.88347/#post-387034 > [1] https://forum.proxmox.com/threads/ipv6-komplett-deaktivieren.88210/#post-387116 > [2] https://www.kernel.org/doc/html/latest/networking/ipv6.html > [3] https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html > [4] https://github.com/openssh/openssh-portable/blob/master/servconf.c > [5] https://github.com/openssh/openssh-portable/blob/master/sshd.c > > pve-common: > Stoiko Ivanov (2): > daemon: drop Domain parameter from create_reusable_socket > daemon: explicitly bind to wildcard address. > > src/PVE/Daemon.pm | 19 ++++++++++++++----- > 1 file changed, 14 insertions(+), 5 deletions(-) > > pve-manager: > Stoiko Ivanov (1): > proxy: fix wildcard address use > > PVE/Service/pveproxy.pm | 2 +- > PVE/Service/spiceproxy.pm | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > pve-http-server: > Stoiko Ivanov (2): > access control: correctly match v4-mapped-v6 addresses > access control: also include ipv6 in 'all' > > PVE/APIServer/AnyEvent.pm | 2 ++ > PVE/APIServer/Utils.pm | 19 +++++++++++++++++-- > 2 files changed, 19 insertions(+), 2 deletions(-) > > pve-docs: > Stoiko Ivanov (3): > pveproxy: add note about bindv6only sysctl > pveproxy: update documentation on 'all' alias > network: shortly document disabling ipv6 support > > pve-network.adoc | 19 +++++++++++++++++++ > pveproxy.adoc | 12 +++++++++++- > 2 files changed, 30 insertions(+), 1 deletion(-) > > -- > 2.20.1 > > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > >