public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Thomas Skinner <thomas@atskinner.net>
To: f.gruenbichler@proxmox.com
Cc: pve-devel@lists.proxmox.com
Subject: Re: [pve-devel] [PATCH http-server 1/1] fix #5699: pveproxy: add library methods for real IP support
Date: Sun, 24 Nov 2024 17:49:38 -0600	[thread overview]
Message-ID: <20241124234938.2668814-1-thomas@atskinner.net> (raw)
In-Reply-To: <1731496954.sd63rzj5wa.astroid@yuna.none>

> On September 10, 2024 2:30 am, Thomas Skinner wrote:
>> ---
>>  src/PVE/APIServer/AnyEvent.pm | 43 ++++++++++++++++++++++++++++++++---
>>  src/PVE/APIServer/Utils.pm    | 15 ++++++++++++
>>  2 files changed, 55 insertions(+), 3 deletions(-)
>> 
>> diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
>> index a8d60c1..c2afb4d 100644
>> --- a/src/PVE/APIServer/AnyEvent.pm
>> +++ b/src/PVE/APIServer/AnyEvent.pm
>> @@ -85,20 +85,21 @@ sub log_request {
>>  
>>      my $loginfo = $reqstate->{log};
>>  
>> -    # like apache2 common log format
>> -    # LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
>> +    # like apache2 common log format + client IP address
>> +    # LogFormat "%a %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
>
> this has the potential to break a lot of things analysing this log
> file.. would it make sense to only do it conditionally (if a "real IP" is set)?
>
> or *just* log the "real IP" instead of the peerip (which would be
> backwards-compatible as well)?

I agree that it would break existing log analyzers. I also believe it's important
to have the option to log the peer/proxy IP as well (in the event there are multiple
proxies or that the proxy itself is the source). I'll change the formatting back to
what was there previously and add an option to log the peer IP as well.

>>  
>>      return if $loginfo->{written}; # avoid duplicate logs
>>      $loginfo->{written} = 1;
>>  
>>      my $peerip = $reqstate->{peer_host} || '-';
>> +    my $realip = $loginfo->{real_ip} || $peerip;
>>      my $userid = $loginfo->{userid} || '-';
>>      my $content_length = defined($loginfo->{content_length}) ? $loginfo->{content_length} : '-';
>>      my $code =  $loginfo->{code} || 500;
>>      my $requestline = $loginfo->{requestline} || '-';
>>      my $timestr = strftime("%d/%m/%Y:%H:%M:%S %z", localtime());
>>  
>> -    my $msg = "$peerip - $userid [$timestr] \"$requestline\" $code $content_length\n";
>> +    my $msg = "$realip $peerip - $userid [$timestr] \"$requestline\" $code $content_length\n";
>>  
>>      $self->write_log($msg);
>>  }
>> @@ -1462,6 +1463,14 @@ sub authenticate_and_handle_request {
>>  
>>      my $auth = {};
>>  
>> +    if ($self->{proxy_real_ip_header} && $request->header($self->{proxy_real_ip_header})) {
>> +	my $real_ip = Net::IP->new($request->header($self->{proxy_real_ip_header})) || undef;
>> +	$reqstate->{log}->{real_ip} = Net::IP::ip_compress_address(
>> +    	    $real_ip->ip(), 
>> +	    $real_ip->version(),
>> +	) if defined($real_ip) && $self->check_trusted_proxy($reqstate->{peer_host});
>
> the alignment/indentation is off there, and the mixing of ifs and
> postifs is also not easily readable.. maybe:
>
> if (my $hdr = $self->{proxy_real_ip_header}) {
>     if (my $value = $request->header($hdr})) {
>         my $real_ip = Net::IP->new($value);
>         if (defined($real_ip) && $self->check_trusted_proxy($peerip)) {
>             $reqstate->{log}->{real_ip} = Net::IP::ip_compress_address(
>                 $real_ip->ip(), 
>                 $real_ip->version(),
>             );
>         }
>     }
> }

I agree. After looking at my code compared to yours, mine is rather messy. Will 
fix with a combination of the two. 

>> +    }
>> +
>>      if ($self->{spiceproxy}) {
>>  	my $connect_str = $request->header('Host');
>>  	my ($vmid, $node, $port) = $self->verify_spice_connect_url($connect_str);
>> @@ -1801,6 +1810,34 @@ sub check_host_access {
>>      return $match_allow;
>>  }
>>  
>> +sub check_trusted_proxy {
>> +    my ($self, $clientip) = @_;
>> +
>> +    $clientip = PVE::APIServer::Utils::normalize_v4_in_v6($clientip);
>> +    my $cip = Net::IP->new($clientip);
>> +
>> +    if (!$cip) {
>> +	$self->dprint("client IP not parsable: $@");
>> +	return 0;
>> +    }
>> +
>> +    my $match_trusted_proxy = 0;
>
> this is not needed, you can just return directly below..

Yep, that's accurate. I had it there to match the style of the check_host_access
subroutine for consistency. Will adjust accordingly.

>> +
>> +    if ($self->{trusted_proxy_ips}) {
>> +	foreach my $t (@{$self->{trusted_proxy_ips}}) {
>
> this line doesn't really match our perl style ;)

I'm not sure what you're referring to here. I copied and modified existing code
that did nearly what I needed from the check_host_access subroutine. Could you 
elaborate or give an example of what needs to be fixed here?

>> +	    if ($t->overlaps($cip)) {
>> +		$match_trusted_proxy = 1;
>> +		$self->dprint("client IP in trusted proxies: ". $t->print());
>> +		last;
>> +	    }
>> +	}
>> +    } else {
>> +	$match_trusted_proxy = 1;
>> +    }
>> +
>> +    return $match_trusted_proxy;
>> +}
>> +
>>  sub accept_connections {
>>      my ($self) = @_;
>>  
>> diff --git a/src/PVE/APIServer/Utils.pm b/src/PVE/APIServer/Utils.pm
>> index 5728d97..f7cff29 100644
>> --- a/src/PVE/APIServer/Utils.pm
>> +++ b/src/PVE/APIServer/Utils.pm
>> @@ -26,6 +26,8 @@ sub read_proxy_config {
>>      $shcmd .= 'echo \"COMPRESSION:\$COMPRESSION\";';
>>      $shcmd .= 'echo \"DISABLE_TLS_1_2:\$DISABLE_TLS_1_2\";';
>>      $shcmd .= 'echo \"DISABLE_TLS_1_3:\$DISABLE_TLS_1_3\";';
>> +	$shcmd .= 'echo \"PROXY_REAL_IP_HEADER:\$PROXY_REAL_IP_HEADER\";';
>> +	$shcmd .= 'echo \"TRUSTED_PROXY_IPS:\$TRUSTED_PROXY_IPS\";';
>>  
>>      my $data = -f $conffile ? `bash -c "$shcmd"` : '';
>>  
>> @@ -65,6 +67,19 @@ sub read_proxy_config {
>>  	    $res->{$key} = $value;
>>  	} elsif ($key eq 'TLS_KEY_FILE') {
>>  	    $res->{$key} = $value;
>> +	} elsif ($key eq 'PROXY_REAL_IP_HEADER') {
>> +		$res->{$key} = $value;
>> +	} elsif ($key eq 'TRUSTED_PROXY_IPS') {
>> +		my $ips = [];
>> +	    foreach my $ip (split(/,/, $value)) {
>> +		if ($ip eq 'all') {
>> +		    push @$ips, Net::IP->new('0/0') || die Net::IP::Error() . "\n";
>> +		    push @$ips, Net::IP->new('::/0') || die Net::IP::Error() . "\n";
>> +		    next;
>> +		}
>> +		push @$ips, Net::IP->new(normalize_v4_in_v6($ip)) || die Net::IP::Error() . "\n";
>> +	    }
>> +	    $res->{$key} = $ips;
>>  	} elsif (grep { $key eq $_ } @$boolean_options) {
>>  	    die "unknown value '$value' - use 0 or 1\n" if $value !~ m/^(0|1)$/;
>>  	    $res->{$key} = $value;
>> -- 
>> 2.39.2
>> 
>> 
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel@lists.proxmox.com
>> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>> 
>> 
>> 
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


  reply	other threads:[~2024-11-24 23:56 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-09-10  0:30 [pve-devel] [PATCH SERIES manager/http-server/docs] fix #5699: add support for real IP Thomas Skinner
2024-09-10  0:30 ` [pve-devel] [PATCH docs 1/1] fix #5699: pveproxy: add docs for real IP support Thomas Skinner
2024-11-13 11:36   ` Fabian Grünbichler
2024-09-10  0:30 ` [pve-devel] [PATCH http-server 1/1] fix #5699: pveproxy: add library methods " Thomas Skinner
2024-11-13 11:34   ` Fabian Grünbichler
2024-11-24 23:49     ` Thomas Skinner [this message]
2024-11-25  8:31       ` Thomas Lamprecht
2024-11-25  9:05         ` Fabian Grünbichler
2024-11-25 11:17           ` Thomas Lamprecht
2024-11-25 11:31             ` Fabian Grünbichler
2024-11-25 23:41               ` Thomas Skinner
2024-09-10  0:30 ` [pve-devel] [PATCH manager 1/1] fix #5699: pveproxy: add settings " Thomas Skinner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241124234938.2668814-1-thomas@atskinner.net \
    --to=thomas@atskinner.net \
    --cc=f.gruenbichler@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal