This patch fixes a regression for hosts disabling ipv6 via kernel
commandline ('ipv6.disable=1') introduced in commit e224b7d2e6
(disabling IPv6 via sysctl did not exhibit these problems).
By hardcoding the address to '::', pveproxy and spiceproxy failed to
start with:
'unable to create socket - Address family not supported by protocol'
This patch depends on the commit in pve-common, which tries first
binding to '::' and then falling back to '0.0.0.0', and needs a
versioned dependency bump on libpve-common-perl.
With this patch the listening addresses are (`ss -tlnp | grep 8006` output):
* ipv6 disabled via kernel cmdline: '0.0.0.0:8006'
* sysctl net.ipv6.conf.all.disable_ipv6=1: '*:8006'
* sysctl net.ipv6.bindv6only=1: '[::]:8006'
* else: '*:8006'
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
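
The fallback order this commit relies on, as an added Python sketch (not the pve-common Perl code and not part of the commit): `bind_wildcard` and `ss_style` are hypothetical names, and the mapping to `ss` notation follows the four outcomes listed above.

```python
import errno
import socket

# Candidates in the order the commit message describes: '::' first, then '0.0.0.0'.
CANDIDATES = ((socket.AF_INET6, "::"), (socket.AF_INET, "0.0.0.0"))


def bind_wildcard(port, make_socket=socket.socket):
    """Return (listening socket, address), trying '::' before '0.0.0.0'."""
    last_err = OSError(errno.EAFNOSUPPORT, "no usable address family")
    for family, addr in CANDIDATES:
        try:
            # With ipv6.disable=1 this call fails for AF_INET6 with
            # EAFNOSUPPORT, the error quoted in the commit message.
            sock = make_socket(family, socket.SOCK_STREAM)
        except OSError as err:
            last_err = err
            continue
        try:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind((addr, port))
            sock.listen(16)
            return sock, addr
        except OSError as err:
            sock.close()
            last_err = err
    raise last_err


def ss_style(sock):
    """Render a wildcard listener the way the `ss -tlnp` lines above show it."""
    port = sock.getsockname()[1]
    if sock.family == socket.AF_INET:
        return f"0.0.0.0:{port}"  # IPv4 only
    v6only = sock.getsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY)
    # '[::]' = IPv6 only (bindv6only=1); '*' = dual-stack, also reachable over IPv4.
    return f"[::]:{port}" if v6only else f"*:{port}"


if __name__ == "__main__":
    listener, address = bind_wildcard(0)  # port 0: any free port, for the demo
    print(address, ss_style(listener))
    listener.close()
```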
The $host variable is set to "::0" by default to listen on wildcard
(with 'Domain' => PF_INET6).
If 'LISTEN_IP' is defined in /etc/default/pveproxy, that IP will be used
instead.
Signed-off-by: Oguz Bektas <o.bektas@proxmox.com>
Avoids the need to stop the current pveproxy and restart it in debug
mode, if one wants to get the debug un-minified sources for ExtJS,
for example.
For a local PVE instance the following URL would ensure you load the
debug sources:
https://localhost:8006/?debug#v1:0:18:4:25:19::8:20:28
For convenience allow to omit the parameter's value, and default to
true, iow, ?debug and ?debug=1 are the same, one could force it off -
even if the server was started in debug mode - by using ?debug=0
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
With commit a74ba607d4 we switched over
to using the dpkg-dev provided helpers to set package version,
architecture and such in the buildsystem.
But unlike other repositories we used the version also for giving it
back over the API through the during build generated PVE::pvecfg
module, which wasn't fully updated to the new style.
This patch does that, and also cleans up semantics a bit, the
following two changed:
release is now the Debian release, instead of the "package release"
(i.e., the -X part of a full package version).
version is now simply the full (pve-manager) version, e.g., 6.0-1 or
the currently for testing used 6.0-0+1
This allows to do everything we used this information for even in a
slightly easier way (no string concat needed anymore), and fits also
with the terminology we often used in our public channels (mailing
lists, forum, website)
Remove some cruft as we touch things.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
read_proxy_conf was moved to the new PVE::ApiServer::Utils so that it
can be reused by other apiservers (e.g., PMG one). Use that one, so
that we can remove it here later
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
disabling http compression is considered good practice and certain TLS-testing
scripts/sites lower the security rating if it's enabled.
compression is still on by default for the potential speed/performance gain.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
fix #2069 (the report includes rationale and also information on test-cases).
Tested by:
* running testssl.sh [0]
* enabling this setting (our default cipherlist prefers AES256,
chromium on stretch AES128)
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
The default CIPHERS allowed for a fair amount of not really considered
secure anymore connections. This updated cipher list is taken from
mozilla: https://wiki.mozilla.org/Security/Server_Side_TLS
Signed-off-by: Rhonda D'Vine <rhonda@proxmox.com>
if we do not have a language cookie, try to read
the language from the datacenter.cfg and fall back to 'en'
also set it into the 'Proxmox' object, so that the gui can show it
in the LoginWindow
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
allows us to remove the external loading of extjs from the cloudflare
cdn in pve-docs easier with having the external hosted version in
mind.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
we will use components from proxmox-widget-toolkit rather than
directly from pve-manager
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
we do not set an Expire header for our js files, and certain browsers
do not even make the request then (on which we would answer
with a correct 304 not modified)
so to force the browser to load a new version of the gui when we change
something, we add the package version as a get parameter
when doing this, the browsers still cache the file, until the get
parameter changes, which is exactly what we want
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
instead of having font-awesome copied into the repository,
depend on the debian package 'fonts-font-awesome', which provides all we
need
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
if the files pveproxy-ssl.pem and pveproxy-ssl.key are
available for a node (i.e., in /etc/pve/<node>/), they will
be used as TLS certificate and private key for the web
interface and API of this node.
Note: the Spice and non-websocket VNC connections are still
using the self-signed certificate and key in pve-ssl.pem
and pve-ssl.key.
If set, Diffie-Hellman parameters in PEM format are loaded
from the given path. Otherwise, the built-in 'skip2048'
group is used.
Also fix some typos in the man page.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
AnyEvent uses a built-in DH group defined as 'schmorp1539'
by default, which seems to trigger the bug in [1] for every
attempt of accessing the web GUI using IE11 and TLS1.2. By
switching to a bigger default DH group ('skip2048'), the
bug seems to be gone (or trigger sufficiently rarely).
[1]: http://engineering.imvu.com/2015/01/27/the-case-of-the-page-cant-be-displayed-intermittent-selenium-test/
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
As we, for now, default to exclude ext5 from our build it's better
to make a check if its directory exists, and only then allow to
load from it. Else we can get errors on proxy startup, and when
someone passes the ext5 parameter.
Also make an indent/whitespace cleanup.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>