[pve-devel] [PATCH common/manager/http-server/docs] improve binding, docs and access-control for pveproxy/spiceproxy
o.bektas at proxmox.com
Wed May 5 11:25:28 CEST 2021
> > tested the following to verify:
> >> I tested it in the following scenarios:
> >> * ipv6 disabled via kernel commandline (listen on 0.0.0.0)
> >> * ipv6 disabled via sysctl (listen on 0.0.0.0)
> >> * no settings dual-stacked (listen on *)
> >> * no settings v6 only (listen on *)
> > and tested some scenarios also with ALLOW_FROM and LISTEN_IP.
> Please list what scenarios you actually tested, else a T-b tag is not really
> telling... I mean, you said you tested the patches you sent too, but obv. not in
> IPv6-disabled setups, so having the actual list of things here can really help.
> If unsure, check out how Dominic reports such things, those are always good,
> concise but not leaving out interesting (test scenario/setup) details.
> For example,
I tested the /etc/default/pveproxy combined with the previously
mentioned scenarios and the following settings:
126.96.36.199 here is my workstation IP
To check I used:
$ systemctl restart pvedaemon pveproxy spiceproxy
$ ss -antlp | grep -E '(8006|3128)'
and the results match for the scenarios that Stoiko mentioned.
To test ACLs from my workstation I used curl.
> > it's also worth noting that disabling ipv6 in the commandline will
> > change the access.log format to show the standard IPv4 address instead
> > of the mapped v6 address.
> good note, could have been used in the new "Disabling IPv6 on the Node" docs
> section Stoiko adds.
> Updating https://pve.proxmox.com/wiki/Fail2ban could help too, or did you
> already check if mapped notation works there too just fine with the config
> proposal from the wiki?
For fail2ban I followed the wiki steps; the configuration also works for
the v4-to-v6 mapped addresses:
$ grep 'authentication failure' /var/log/daemon.log
May 5 11:17:08 pve-dev-machine pvedaemon: authentication failure;
rhost=188.8.131.52 user=root at pam msg=Authentication failure
May 5 11:19:08 pve-dev-machine pvedaemon: authentication failure;
rhost=::ffff:184.108.40.206 user=root at pam msg=Authentication failure
$ fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf
Failregex: 2 total
|- #) [# of hits] regular expression
| 1)  pvedaemon\[.*authentication failure; rhost=<HOST> user=.*
All seems to work with both (dual-stack) IPv6 and v4-only setups
(disabled via kernel cmdline and/or sysctl). I will update the fail2ban
page to mention that the last test was with 6.4.
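The point of the fail2ban check above is that pvedaemon logs the client as either a plain IPv4 address or an IPv4-mapped IPv6 address (`::ffff:a.b.c.d`) depending on what pveproxy binds to, and a filter that treats those as different sources would count failures separately. The following script is an added example, not part of this thread or of the fail2ban/Proxmox configuration: it applies a regex equivalent to the wiki's proxmox.conf failregex to constructed daemon.log lines and folds mapped addresses back to their IPv4 form so both notations attribute to one source. The log lines, PIDs and addresses are constructed sample values.

```python
import ipaddress
import re
from collections import Counter

# Equivalent of the wiki filter line
#   pvedaemon\[.*authentication failure; rhost=<HOST> user=.*
# fail2ban's <HOST> placeholder matches IPv4, IPv6 and hostnames; here any
# non-space run is captured and validated with ipaddress afterwards.
FAILREGEX = re.compile(
    r"pvedaemon\[.*authentication failure; rhost=(?P<host>\S+) user="
)

# Constructed sample log: one plain v4 failure, the same client seen as a
# v4-mapped v6 address, one native v6 failure and one unrelated line.
SAMPLE_LOG = """\
May  5 11:17:08 pve-dev-machine pvedaemon[2710]: authentication failure; rhost=192.0.2.10 user=root@pam msg=Authentication failure
May  5 11:19:08 pve-dev-machine pvedaemon[2710]: authentication failure; rhost=::ffff:192.0.2.10 user=root@pam msg=Authentication failure
May  5 11:20:01 pve-dev-machine pvedaemon[2710]: authentication failure; rhost=2001:db8::5 user=root@pam msg=Authentication failure
May  5 11:21:00 pve-dev-machine pveproxy[2711]: worker 2745 finished
"""


def normalize_host(host):
    """Return the canonical textual address for a logged rhost value.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are reduced to a.b.c.d so
    that a client hitting a dual-stack listener and a v4-only listener is
    counted as the same source. Returns None for values that are not IP
    addresses (fail2ban would treat those as hostnames).
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def extract_failures(log_text):
    """Yield (raw_host, normalized_host) for every matching failregex line."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        raw = m.group("host")
        hits.append((raw, normalize_host(raw)))
    return hits


def count_failures(log_text):
    """Count authentication failures per normalized source address."""
    counts = Counter()
    for _raw, norm in extract_failures(log_text):
        if norm is not None:
            counts[norm] += 1
    return dict(counts)


if __name__ == "__main__":
    for raw, norm in extract_failures(SAMPLE_LOG):
        print(f"{raw:>24} -> {norm}")
    print(count_failures(SAMPLE_LOG))
```

Running it shows the two 192.0.2.10 entries (plain and `::ffff:`-prefixed) collapsing into one counter of 2, with the native IPv6 client counted on its own; that is the behaviour to confirm with `fail2ban-regex` after changing the IPv6 settings on a node, since the address notation in access.log and daemon.log changes with the listen configuration.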