public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Thomas Skinner <thomas@atskinner.net>
To: pve-devel@lists.proxmox.com
Cc: Thomas Skinner <thomas@atskinner.net>
Subject: [pve-devel] [PATCH http-server v2 2/3] fix #5699: pveproxy: add library methods for real IP support
Date: Wed, 11 Dec 2024 21:27:05 -0600	[thread overview]
Message-ID: <20241212032706.151121-3-thomas@atskinner.net> (raw)
In-Reply-To: <20241212032706.151121-1-thomas@atskinner.net>

Signed-off-by: Thomas Skinner <thomas@atskinner.net>
---
 src/PVE/APIServer/AnyEvent.pm | 38 ++++++++++++++++++++++++++++++++++-
 src/PVE/APIServer/Utils.pm    | 15 ++++++++++++++
 2 files changed, 52 insertions(+), 1 deletion(-)

diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index 24209a1..5f15a13 100644
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -92,13 +92,14 @@ sub log_request {
     $loginfo->{written} = 1;
 
     my $peerip = $reqstate->{peer_host} || '-';
+    my $realip = $loginfo->{real_ip} || $peerip;
     my $userid = $loginfo->{userid} || '-';
     my $content_length = defined($loginfo->{content_length}) ? $loginfo->{content_length} : '-';
     my $code =  $loginfo->{code} || 500;
     my $requestline = $loginfo->{requestline} || '-';
     my $timestr = strftime("%d/%m/%Y:%H:%M:%S %z", localtime());
 
-    my $msg = "$peerip - $userid [$timestr] \"$requestline\" $code $content_length\n";
+    my $msg = "$realip - $userid [$timestr] \"$requestline\" $code $content_length\n";
 
     $self->write_log($msg);
 }
@@ -1474,6 +1475,18 @@ sub authenticate_and_handle_request {
 
     my $auth = {};
 
+    if (my $proxy_real_ip_header = $self->{proxy_real_ip_header}) {
+	if (my $proxy_real_ip_value = $request->header($proxy_real_ip_header)) {
+	    my $real_ip = Net::IP->new($proxy_real_ip_value);
+	    if (defined($real_ip) && $self->check_allowed_proxy($reqstate->{peer_host})) {
+		$reqstate->{log}->{real_ip} = Net::IP::ip_compress_address(
+		    $real_ip->ip(), 
+		    $real_ip->version(),
+		);
+	    }
+	}
+    }
+
     if ($self->{spiceproxy}) {
 	my $connect_str = $request->header('Host');
 	my ($vmid, $node, $port) = $self->verify_spice_connect_url($connect_str);
@@ -1813,6 +1826,29 @@ sub check_host_access {
     return $match_allow;
 }
 
+sub check_allowed_proxy {
+    my ($self, $client_ip) = @_;
+
+    $client_ip = PVE::APIServer::Utils::normalize_v4_in_v6($client_ip);
+    my $client_ip_object = Net::IP->new($client_ip);
+
+    if (!$client_ip_object) {
+	$self->dprint("client IP not parsable: $@");
+	return 0;
+    }
+
+    if (my $proxy_real_ip_allow_from = $self->{proxy_real_ip_allow_from}) {
+	for my $allowed_net ($proxy_real_ip_allow_from->@*) {
+	    if ($allowed_net->overlaps($client_ip_object)) {
+		$self->dprint("client IP in allowed proxies: ". $allowed_net->print());
+		return 1;
+	    }
+	}
+	return 0;
+    }
+    return 1;
+}
+
 sub accept_connections {
     my ($self) = @_;
 
diff --git a/src/PVE/APIServer/Utils.pm b/src/PVE/APIServer/Utils.pm
index 5728d97..75f72a1 100644
--- a/src/PVE/APIServer/Utils.pm
+++ b/src/PVE/APIServer/Utils.pm
@@ -26,6 +26,8 @@ sub read_proxy_config {
     $shcmd .= 'echo \"COMPRESSION:\$COMPRESSION\";';
     $shcmd .= 'echo \"DISABLE_TLS_1_2:\$DISABLE_TLS_1_2\";';
     $shcmd .= 'echo \"DISABLE_TLS_1_3:\$DISABLE_TLS_1_3\";';
+    $shcmd .= 'echo \"PROXY_REAL_IP_HEADER:\$PROXY_REAL_IP_HEADER\";';
+    $shcmd .= 'echo \"PROXY_REAL_IP_ALLOW_FROM:\$PROXY_REAL_IP_ALLOW_FROM\";';
 
     my $data = -f $conffile ? `bash -c "$shcmd"` : '';
 
@@ -65,6 +67,19 @@ sub read_proxy_config {
 	    $res->{$key} = $value;
 	} elsif ($key eq 'TLS_KEY_FILE') {
 	    $res->{$key} = $value;
+	} elsif ($key eq 'PROXY_REAL_IP_HEADER') {
+	    $res->{$key} = $value;
+	} elsif ($key eq 'PROXY_REAL_IP_ALLOW_FROM') {
+	    my $ips = [];
+	    for my $ip (split(/,/, $value)) {
+		if ($ip eq 'all') {
+		    push @$ips, Net::IP->new('0/0') || die Net::IP::Error() . "\n";
+		    push @$ips, Net::IP->new('::/0') || die Net::IP::Error() . "\n";
+		    next;
+		}
+		push @$ips, Net::IP->new(normalize_v4_in_v6($ip)) || die Net::IP::Error() . "\n";
+	    }
+	    $res->{$key} = $ips;
 	} elsif (grep { $key eq $_ } @$boolean_options) {
 	    die "unknown value '$value' - use 0 or 1\n" if $value !~ m/^(0|1)$/;
 	    $res->{$key} = $value;
-- 
2.39.5


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


  parent reply	other threads:[~2024-12-12  3:28 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-12-12  3:27 [pve-devel] [PATCH SERIES manager/http-server/docs v2 0/3] fix #5699: add support for real IP Thomas Skinner
2024-12-12  3:27 ` [pve-devel] [PATCH docs v2 1/3] fix #5699: pveproxy: add docs for real IP support Thomas Skinner
2024-12-12  3:27 ` Thomas Skinner [this message]
2024-12-12  3:27 ` [pve-devel] [PATCH manager v2 3/3] fix #5699: pveproxy: add settings " Thomas Skinner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241212032706.151121-3-thomas@atskinner.net \
    --to=thomas@atskinner.net \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal