From: Thomas Lamprecht
To: Oguz Bektas, Proxmox VE development discussion
Date: Wed, 5 May 2021 07:36:59 +0200
Subject: Re: [pve-devel] [PATCH common/manager/http-server/docs] improve binding, docs and access-control for pveproxy/spiceproxy
Message-ID: <4f5cc64d-199b-1943-8ca9-0ef4daf5a0c6@proxmox.com>
In-Reply-To: <20210504112503.GA15687@gaia.proxmox.com>
References: <20210504101222.21276-1-s.ivanov@proxmox.com> <20210504112503.GA15687@gaia.proxmox.com>

On 04.05.21 13:25, Oguz Bektas wrote:
> hi,
>
> thank you for the fixes :)
>
>
> tested the following to verify:
>> I tested it in the following scenarios:
>> * ipv6 disabled via kernel commandline (listen on 0.0.0.0)
>> * ipv6 disabled via sysctl (listen on 0.0.0.0)
>> * no settings dual-stacked (listen on *)
>> * no settings v6 only (listen on *)
>>
> and tested some scenarios also with ALLOW_FROM and LISTEN_IP.

Please list what scenarios you actually tested, else a T-b tag is not really
telling...
I mean, you said you tested the patches you sent too, but obv. not in IPv6 disable
setups, so having the actual list of things here can really help.

If unsure, check out how Dominic reports such things, those are always good,
concise but not leaving out interesting (test scenario/setup) details.
For example,
https://lists.proxmox.com/pipermail/pve-devel/2021-March/047375.html
https://lists.proxmox.com/pipermail/pve-devel/2021-April/047827.html

>
> it's also worth noting that disabling ipv6 in the commandline will
> change the access.log format to show the standard IPv4 address instead
> of the mapped v6 address.

good note, could have been used in the new "Disabling IPv6 on the Node" docs section
Stoiko adds. Updating https://pve.proxmox.com/wiki/Fail2ban could help too, or did
you already check if mapped notation works there too just fine with the config
proposal from the wiki?
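
Added example (not part of the original message, and not Proxmox or Fail2ban code): a Python sketch of why the notation change discussed above matters to log-based banning, counting failed requests per client after unwrapping IPv4-mapped IPv6 addresses. The log layout, the `/login` path, the 401 failure status and the threshold are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample lines, not real log output. Assumed layout: client address
# is the first field and the HTTP status follows the quoted request.
SAMPLE_LINES = [
    '::ffff:192.0.2.10 - - [05/05/2021:07:30:01 +0200] "POST /login HTTP/1.1" 401 -',
    '192.0.2.10 - - [05/05/2021:07:30:05 +0200] "POST /login HTTP/1.1" 401 -',
    '::ffff:192.0.2.10 - - [05/05/2021:07:30:09 +0200] "POST /login HTTP/1.1" 401 -',
    '2001:db8::5 - - [05/05/2021:07:31:00 +0200] "POST /login HTTP/1.1" 401 -',
    '::ffff:198.51.100.7 - - [05/05/2021:07:32:00 +0200] "GET / HTTP/1.1" 200 512',
    'garbage line without an address',
]

def normalize_client(field):
    """Return the canonical address text, unwrapping ::ffff:a.b.c.d; None if invalid."""
    try:
        addr = ipaddress.ip_address(field.strip("[]"))
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # same host, plain IPv4 notation
    return str(addr)

def status_of(line):
    """Return the HTTP status (first token after the quoted request) or None."""
    try:
        return int(line.rsplit('"', 1)[1].split()[0])
    except (IndexError, ValueError):
        return None

def failed_auth_counts(lines, fail_status=401):
    """Count failed requests per normalized client address."""
    counts = Counter()
    for line in lines:
        fields = line.split(None, 1)
        client = normalize_client(fields[0]) if fields else None
        if client is not None and status_of(line) == fail_status:
            counts[client] += 1
    return counts

def over_threshold(lines, max_retry=3):
    """Clients whose failures reach max_retry once both notations are merged."""
    return sorted(c for c, n in failed_auth_counts(lines).items() if n >= max_retry)

if __name__ == "__main__":
    print(failed_auth_counts(SAMPLE_LINES))
    print(over_threshold(SAMPLE_LINES))
```

Counted as raw strings, the same client would appear as two separate keys with two and one failures, and neither would reach the threshold.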