From: Oguz Bektas <o.bektas@proxmox.com>
To: Thomas Lamprecht <t.lamprecht@proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH common/manager/http-server/docs] improve binding, docs and access-control for pveproxy/spiceproxy
Date: Wed, 5 May 2021 11:25:28 +0200
Message-ID: <20210505092528.GA10761@gaia.proxmox.com>
In-Reply-To: <4f5cc64d-199b-1943-8ca9-0ef4daf5a0c6@proxmox.com>

hi,

> > tested the following to verify:
> >> I tested it in the following scenarios:
> >> * ipv6 disabled via kernel commandline (listen on 0.0.0.0)
> >> * ipv6 disabled via sysctl (listen on 0.0.0.0)
> >> * no settings dual-stacked (listen on *)
> >> * no settings v6 only (listen on *)
> >>
> > and tested some scenarios also with ALLOW_FROM and LISTEN_IP.
> 
> Please list what scenarios you actually tested, else a T-b tag is not really
> telling... I mean, you said you tested the patches you send too, but obv. not in
> IPv6 disable setups, so having the actual list of things here can really help.
> 
> If unsure, check out how Dominic reports such things, those are always good,
> concise but not leaving out interesting (test scenario/setup) details.
> 
> For example,
> https://lists.proxmox.com/pipermail/pve-devel/2021-March/047375.html
> https://lists.proxmox.com/pipermail/pve-devel/2021-April/047827.html
> 


i tested the /etc/default/pveproxy combined with the previously
mentioned scenarios and the following settings:


----
ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"
----
----
LISTEN_IP="pve-dev-machine.proxmox.com"
ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"
----

1.2.3.4 here is my workstation IP
----
LISTEN_IP="pve-dev-machine.proxmox.com"
ALLOW_FROM="1.2.3.4"
DENY_FROM="all"
POLICY="allow"
----

----
ALLOW_FROM="1.2.3.4"
DENY_FROM="all"
POLICY="allow"
----

to check i used:
$ systemctl restart pvedaemon pveproxy spiceproxy
$ ss -antlp | grep -E '(8006|3128)'

and the results match for the scenarios that stoiko mentioned.

to test ACLs from my workstation i used curl.

> > 
> > it's also worth noting that disabling ipv6 in the commandline will
> > change the access.log format to show the standard IPv4 address instead
> > of the mapped v6 address.
> 
> good note, could have been used in the new "Disabling IPv6 on the Node" docs
> section Stoiko adds.
> 
> Updating https://pve.proxmox.com/wiki/Fail2ban could help too, or did you
> already check if mapped notation works there too just fine with the config
> proposal from the wiki?


for fail2ban i followed the wiki steps, the configuration works also for
the v4 to v6 mapped addresses:

$ grep 'authentication failure' /var/log/daemon.log
May  5 11:17:08 pve-dev-machine pvedaemon[4120]: authentication failure; rhost=1.2.3.4 user=root@pam msg=Authentication failure
May  5 11:19:08 pve-dev-machine pvedaemon[1831]: authentication failure; rhost=::ffff:1.2.3.4 user=root@pam msg=Authentication failure

$ fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf
...
Results
=======

Failregex: 2 total
|-  #) [# of hits] regular expression
|   1) [2] pvedaemon\[.*authentication failure; rhost=<HOST> user=.*msg=.*
`-


all seems to work with both (dual stack) ipv6 and v4-only setups
(disabled via kernel cmdline and/or sysctl), i will update the fail2ban
page to mention the last test was with 6.4

cheers,
oguz
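The two things exercised above, the ALLOW_FROM/DENY_FROM/POLICY matching in /etc/default/pveproxy (including the v4-mapped-v6 case the http-server patch in this series fixes) and the fail2ban filter picking up both rhost=1.2.3.4 and rhost=::ffff:1.2.3.4, can be reproduced offline with the following Python. This is an added example, not code from the pveproxy or fail2ban projects: the ACL decision table follows the pveproxy documentation (allow-only: allow; deny-only: deny; no match or both match: whatever POLICY says; "all" covers 0/0 and ::/0), the `<HOST>` placeholder is approximated by `\S+` instead of fail2ban's real host pattern, and the log lines are constructed to mirror the ones in the message.

```python
import ipaddress
import re

# Constructed sample log lines modelled on the daemon.log excerpt in the
# message (hostname, PIDs and timestamps are made up).
SAMPLE_LOG = """\
May  5 11:17:08 pve-dev-machine pvedaemon[4120]: authentication failure; rhost=1.2.3.4 user=root@pam msg=Authentication failure
May  5 11:19:08 pve-dev-machine pvedaemon[1831]: authentication failure; rhost=::ffff:1.2.3.4 user=root@pam msg=Authentication failure
May  5 11:20:00 pve-dev-machine pvedaemon[1831]: worker 4120 finished
"""


def normalize_client(addr):
    """Parse a client address; fold an IPv4-mapped IPv6 address (::ffff:a.b.c.d)
    back to plain IPv4 so that IPv4 ACL entries match it. On a dual-stack
    listener bound to the wildcard address, v4 clients show up in this form."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def entry_matches(ip, entry):
    """One ACL entry: 'all', a single address, a CIDR prefix, or a 'lo-hi' range."""
    entry = entry.strip()
    if entry == "all":          # alias for 0/0 and ::/0, i.e. every v4 and v6 address
        return True
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return ip.version == lo.version == hi.version and lo <= ip <= hi
    net = ipaddress.ip_network(entry, strict=False)
    return ip.version == net.version and ip in net


def list_matches(ip, acl):
    """Comma-separated ACL list as used in ALLOW_FROM / DENY_FROM."""
    return any(entry_matches(ip, e) for e in acl.split(",") if e.strip())


def access_allowed(client_addr, allow_from="", deny_from="", policy="allow"):
    """Approximation of the documented pveproxy decision table (assumption)."""
    ip = normalize_client(client_addr)
    allowed = list_matches(ip, allow_from)
    denied = list_matches(ip, deny_from)
    if allowed and not denied:
        return True
    if denied and not allowed:
        return False
    # no match at all, or matched by both lists: POLICY decides
    return policy == "allow"


# Simplified stand-in for the wiki filter; fail2ban substitutes its own
# host pattern for <HOST>, here \S+ is assumed instead.
FAILREGEX = re.compile(
    r"pvedaemon\[.*authentication failure; rhost=(?P<host>\S+) user=.*msg=.*"
)


def failed_auth_hosts(log_text):
    """Return the normalized offending hosts, one per matching log line, so a
    client seen as 1.2.3.4 and as ::ffff:1.2.3.4 counts against the same key."""
    hosts = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            hosts.append(str(normalize_client(m.group("host"))))
    return hosts


if __name__ == "__main__":
    # The third config block from the message: workstation 1.2.3.4 is allowed,
    # everything else (v4 and v6) is denied.
    for client in ("1.2.3.4", "::ffff:1.2.3.4", "127.0.0.1", "2001:db8::1"):
        print(client, "->", access_allowed(client, "1.2.3.4", "all", "allow"))
    print("failed auth hosts:", failed_auth_hosts(SAMPLE_LOG))
```

Without the `ipv4_mapped` fold in `normalize_client`, the `::ffff:1.2.3.4` case falls through to "deny-only" and the workstation is locked out of a wildcard-bound proxy, which is the behaviour the "correctly match v4-mapped-v6 addresses" patch addresses; the same fold is what keeps the fail2ban hit count at two for one client.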
