[pve-devel] [PATCH http-server v2 2/3] fix #5699: pveproxy: add library methods for real IP support
Thomas Skinner
thomas at atskinner.net
Thu Dec 12 04:27:05 CET 2024
Signed-off-by: Thomas Skinner <thomas at atskinner.net>
---
src/PVE/APIServer/AnyEvent.pm | 38 ++++++++++++++++++++++++++++++++++-
src/PVE/APIServer/Utils.pm | 15 ++++++++++++++
2 files changed, 52 insertions(+), 1 deletion(-)
diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index 24209a1..5f15a13 100644
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -92,13 +92,14 @@ sub log_request {
$loginfo->{written} = 1;
my $peerip = $reqstate->{peer_host} || '-';
+ my $realip = $loginfo->{real_ip} || $peerip;
my $userid = $loginfo->{userid} || '-';
my $content_length = defined($loginfo->{content_length}) ? $loginfo->{content_length} : '-';
my $code = $loginfo->{code} || 500;
my $requestline = $loginfo->{requestline} || '-';
my $timestr = strftime("%d/%m/%Y:%H:%M:%S %z", localtime());
- my $msg = "$peerip - $userid [$timestr] \"$requestline\" $code $content_length\n";
+ my $msg = "$realip - $userid [$timestr] \"$requestline\" $code $content_length\n";
$self->write_log($msg);
}
@@ -1474,6 +1475,18 @@ sub authenticate_and_handle_request {
my $auth = {};
+ if (my $proxy_real_ip_header = $self->{proxy_real_ip_header}) {
+ if (my $proxy_real_ip_value = $request->header($proxy_real_ip_header)) {
+ my $real_ip = Net::IP->new($proxy_real_ip_value);
+ if (defined($real_ip) && $self->check_allowed_proxy($reqstate->{peer_host})) {
+ $reqstate->{log}->{real_ip} = Net::IP::ip_compress_address(
+ $real_ip->ip(),
+ $real_ip->version(),
+ );
+ }
+ }
+ }
+
if ($self->{spiceproxy}) {
my $connect_str = $request->header('Host');
my ($vmid, $node, $port) = $self->verify_spice_connect_url($connect_str);
@@ -1813,6 +1826,29 @@ sub check_host_access {
return $match_allow;
}
+sub check_allowed_proxy {
+ my ($self, $client_ip) = @_;
+
+ $client_ip = PVE::APIServer::Utils::normalize_v4_in_v6($client_ip);
+ my $client_ip_object = Net::IP->new($client_ip);
+
+ if (!$client_ip_object) {
+ $self->dprint("client IP not parsable: $@");
+ return 0;
+ }
+
+ if (my $proxy_real_ip_allow_from = $self->{proxy_real_ip_allow_from}) {
+ for my $allowed_net ($proxy_real_ip_allow_from->@*) {
+ if ($allowed_net->overlaps($client_ip_object)) {
+ $self->dprint("client IP in allowed proxies: ". $allowed_net->print());
+ return 1;
+ }
+ }
+ return 0;
+ }
+ return 1;
+}
+
sub accept_connections {
my ($self) = @_;
diff --git a/src/PVE/APIServer/Utils.pm b/src/PVE/APIServer/Utils.pm
index 5728d97..75f72a1 100644
--- a/src/PVE/APIServer/Utils.pm
+++ b/src/PVE/APIServer/Utils.pm
@@ -26,6 +26,8 @@ sub read_proxy_config {
$shcmd .= 'echo \"COMPRESSION:\$COMPRESSION\";';
$shcmd .= 'echo \"DISABLE_TLS_1_2:\$DISABLE_TLS_1_2\";';
$shcmd .= 'echo \"DISABLE_TLS_1_3:\$DISABLE_TLS_1_3\";';
+ $shcmd .= 'echo \"PROXY_REAL_IP_HEADER:\$PROXY_REAL_IP_HEADER\";';
+ $shcmd .= 'echo \"PROXY_REAL_IP_ALLOW_FROM:\$PROXY_REAL_IP_ALLOW_FROM\";';
my $data = -f $conffile ? `bash -c "$shcmd"` : '';
@@ -65,6 +67,19 @@ sub read_proxy_config {
$res->{$key} = $value;
} elsif ($key eq 'TLS_KEY_FILE') {
$res->{$key} = $value;
+ } elsif ($key eq 'PROXY_REAL_IP_HEADER') {
+ $res->{$key} = $value;
+ } elsif ($key eq 'PROXY_REAL_IP_ALLOW_FROM') {
+ my $ips = [];
+ for my $ip (split(/,/, $value)) {
+ if ($ip eq 'all') {
+ push @$ips, Net::IP->new('0/0') || die Net::IP::Error() . "\n";
+ push @$ips, Net::IP->new('::/0') || die Net::IP::Error() . "\n";
+ next;
+ }
+ push @$ips, Net::IP->new(normalize_v4_in_v6($ip)) || die Net::IP::Error() . "\n";
+ }
+ $res->{$key} = $ips;
} elsif (grep { $key eq $_ } @$boolean_options) {
die "unknown value '$value' - use 0 or 1\n" if $value !~ m/^(0|1)$/;
$res->{$key} = $value;
--
2.39.5
More information about the pve-devel
mailing list