Re: [pve-devel] [PATCH common/manager/http-server/docs] improve binding, docs and access-control for pveproxy/spiceproxy

[Thomas Lamprecht <t.lamprecht@proxmox.com>]

On 04.05.21 13:25, Oguz Bektas wrote:
> hi,
> 
> thank you for the fixes :)
> 
> 
> tested the following to verify:
>> I tested it in the following scenarios:
>> * ipv6 disabled via kernel commandline (listen on 0.0.0.0)
>> * ipv6 disabled via sysctl (listen on 0.0.0.0)
>> * no settings dual-stacked (listen on *)
>> * no settings v6 only (listen on *)
>>
> and tested some scenarios also with ALLOW_FROM and LISTEN_IP.

Please list what scenarios you actually tested, else a T-b tag is not really
telling... I mean, you said you tested the patches you send too, but obv. not in
IPv6 disable setups, so having the actual list of things here can really help.

If unsure, check out how Dominic reports such things, those are always good,
concise but not leaving out interesting (test scenario/setup) details.

For example,
https://lists.proxmox.com/pipermail/pve-devel/2021-March/047375.html
https://lists.proxmox.com/pipermail/pve-devel/2021-April/047827.html

> 
> it's also worth noting that disabling ipv6 in the commandline will
> change the access.log format to show the standard IPv4 address instead
> of the mapped v6 address.

good note, could have been used in the new "Disabling IPv6 on the Node" docs
section Stoiko adds.

Updating https://pve.proxmox.com/wiki/Fail2ban could help too, or did you
already check if mapped notation works there too just fine with the config
proposal from the wiki?