proxmox-backup/src/bin/proxmox-backup-proxy.rs

use std::sync::Arc;

use failure::*;
use futures::*;
use hyper;
use openssl::ssl::{SslMethod, SslAcceptor, SslFiletype};

use proxmox::tools::try_block;
use proxmox::api::RpcEnvironmentType;

use proxmox_backup::configdir;
use proxmox_backup::buildcfg;
use proxmox_backup::server;
use proxmox_backup::tools::daemon;
use proxmox_backup::server::{ApiConfig, rest::*};
use proxmox_backup::auth_helpers::*;

#[tokio::main]
async fn main() {
    if let Err(err) = run().await {
        eprintln!("Error: {}", err);
        std::process::exit(-1);
    }
}

async fn run() -> Result<(), Error> {
    if let Err(err) = syslog::init(
        syslog::Facility::LOG_DAEMON,
        log::LevelFilter::Info,
        Some("proxmox-backup-proxy")) {
        bail!("unable to inititialize syslog - {}", err);
    }

    let _ = public_auth_key(); // load with lazy_static
    let _ = csrf_secret(); // load with lazy_static

    let mut config = ApiConfig::new(
        buildcfg::JS_DIR, &proxmox_backup::api2::ROUTER, RpcEnvironmentType::PUBLIC);

    // add default dirs which includes jquery and bootstrap
    // my $base = '/usr/share/libpve-http-server-perl';
    // add_dirs($self->{dirs}, '/css/' => "$base/css/");
    // add_dirs($self->{dirs}, '/js/' => "$base/js/");
    // add_dirs($self->{dirs}, '/fonts/' => "$base/fonts/");
    config.add_alias("novnc", "/usr/share/novnc-pve");
    config.add_alias("extjs", "/usr/share/javascript/extjs");
    config.add_alias("fontawesome", "/usr/share/fonts-font-awesome");
    config.add_alias("xtermjs", "/usr/share/pve-xtermjs");
    config.add_alias("widgettoolkit", "/usr/share/javascript/proxmox-widget-toolkit");

    let rest_server = RestServer::new(config);

    //openssl req -x509 -newkey rsa:4096 -keyout /etc/proxmox-backup/proxy.key -out /etc/proxmox-backup/proxy.pem -nodes
    let key_path = configdir!("/proxy.key");
    let cert_path = configdir!("/proxy.pem");

    let mut acceptor = SslAcceptor::mozilla_intermediate(SslMethod::tls()).unwrap();
    acceptor.set_private_key_file(key_path, SslFiletype::PEM)
        .map_err(|err| format_err!("unable to read proxy key {} - {}", key_path, err))?;
    acceptor.set_certificate_chain_file(cert_path)
        .map_err(|err| format_err!("unable to read proxy cert {} - {}", cert_path, err))?;
    acceptor.check_private_key().unwrap();

    let acceptor = Arc::new(acceptor.build());

    let server = daemon::create_daemon(
        ([0,0,0,0,0,0,0,0], 8007).into(),
        |listener, ready| {
            let connections = proxmox_backup::tools::async_io::StaticIncoming::from(listener)
                .map_err(Error::from)
                .try_filter_map(move |(sock, _addr)| {
                    let acceptor = Arc::clone(&acceptor);
                    async move {
                        sock.set_nodelay(true).unwrap();
                        sock.set_send_buffer_size(1024*1024).unwrap();
                        sock.set_recv_buffer_size(1024*1024).unwrap();
                        Ok(tokio_openssl::accept(&acceptor, sock)
                            .await
                            .ok() // handshake errors aren't be fatal, so return None to filter
                        )
                    }
                });
            let connections = proxmox_backup::tools::async_io::HyperAccept(connections);

            Ok(ready
                .and_then(|_| hyper::Server::builder(connections)
                    .serve(rest_server)
                    .with_graceful_shutdown(server::shutdown_future())
                    .map_err(Error::from)
                )
                .map_err(|err| eprintln!("server error: {}", err))
                .map(|_| ())
            )
        },
    );

    daemon::systemd_notify(daemon::SystemdNotify::Ready)?;

    let init_result: Result<(), Error> = try_block!({
        server::create_task_control_socket()?;
        server::server_state_init()?;
        Ok(())
    });

    if let Err(err) = init_result {
        bail!("unable to start daemon - {}", err);
    }

    server.await?;
    log::info!("done - exit server");

    Ok(())
}
api/compat: drop more compat imports from api_schema.rs Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-11-21 13:36:28 +00:00			`use std::sync::Arc;`

			`use failure::*;`
			`use futures::*;`
			`use hyper;`
			`use openssl::ssl::{SslMethod, SslAcceptor, SslFiletype};`

			`use proxmox::tools::try_block;`
			`use proxmox::api::RpcEnvironmentType;`

add reload support to proxy Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-03-11 08:38:35 +00:00			`use proxmox_backup::configdir;`
avoid injecting ENV vars from Makefile So that we can run "cargo build" without setting vars manually. 2019-09-09 08:51:08 +00:00			`use proxmox_backup::buildcfg;`
src/tools/daemon.rs: use new ServerState handler 2019-04-08 12:00:23 +00:00			`use proxmox_backup::server;`
daemon: simplify daemon creation Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-03-18 13:13:44 +00:00			`use proxmox_backup::tools::daemon;`
move src/api_schema/config.rs -> src/server/config.rs 2019-11-22 08:23:03 +00:00			`use proxmox_backup::server::{ApiConfig, rest::*};`
load auth keys on startup 2019-01-29 16:21:58 +00:00			`use proxmox_backup::auth_helpers::*;`
src/bin/proxmox-backup-proxy.rs: implement unpriviledged server We want to run the public server as user www-data. Requests needing root priviledges needs to be proxied to the proxmox-backup.service, which now listens to 127.0.0.1:82. 2019-01-28 12:17:03 +00:00
src/bin/proxmox-backup-proxy.rs: switch to async Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-08-29 07:45:34 +00:00			`#[tokio::main]`
			`async fn main() {`
			`if let Err(err) = run().await {`
bin/proxmox-backup-proxy.rs: improve error handling 2019-02-11 13:43:26 +00:00			`eprintln!("Error: {}", err);`
			`std::process::exit(-1);`
			`}`
			`}`

src/bin/proxmox-backup-proxy.rs: switch to async Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-08-29 07:45:34 +00:00			`async fn run() -> Result<(), Error> {`
src/bin/proxmox-backup-proxy.rs: implement unpriviledged server We want to run the public server as user www-data. Requests needing root priviledges needs to be proxied to the proxmox-backup.service, which now listens to 127.0.0.1:82. 2019-01-28 12:17:03 +00:00			`if let Err(err) = syslog::init(`
			`syslog::Facility::LOG_DAEMON,`
			`log::LevelFilter::Info,`
			`Some("proxmox-backup-proxy")) {`
bin/proxmox-backup-proxy.rs: improve error handling 2019-02-11 13:43:26 +00:00			`bail!("unable to inititialize syslog - {}", err);`
src/bin/proxmox-backup-proxy.rs: implement unpriviledged server We want to run the public server as user www-data. Requests needing root priviledges needs to be proxied to the proxmox-backup.service, which now listens to 127.0.0.1:82. 2019-01-28 12:17:03 +00:00			`}`

load auth keys on startup 2019-01-29 16:21:58 +00:00			`let _ = public_auth_key(); // load with lazy_static`
			`let _ = csrf_secret(); // load with lazy_static`

src/bin/proxmox-backup-proxy.rs: implement unpriviledged server We want to run the public server as user www-data. Requests needing root priviledges needs to be proxied to the proxmox-backup.service, which now listens to 127.0.0.1:82. 2019-01-28 12:17:03 +00:00			`let mut config = ApiConfig::new(`
use const api definitions 2019-11-21 08:36:41 +00:00			`buildcfg::JS_DIR, &proxmox_backup::api2::ROUTER, RpcEnvironmentType::PUBLIC);`
src/bin/proxmox-backup-proxy.rs: implement unpriviledged server We want to run the public server as user www-data. Requests needing root priviledges needs to be proxied to the proxmox-backup.service, which now listens to 127.0.0.1:82. 2019-01-28 12:17:03 +00:00
			`// add default dirs which includes jquery and bootstrap`
			`// my $base = '/usr/share/libpve-http-server-perl';`
			`// add_dirs($self->{dirs}, '/css/' => "$base/css/");`
			`// add_dirs($self->{dirs}, '/js/' => "$base/js/");`
			`// add_dirs($self->{dirs}, '/fonts/' => "$base/fonts/");`
			`config.add_alias("novnc", "/usr/share/novnc-pve");`
			`config.add_alias("extjs", "/usr/share/javascript/extjs");`
			`config.add_alias("fontawesome", "/usr/share/fonts-font-awesome");`
			`config.add_alias("xtermjs", "/usr/share/pve-xtermjs");`
			`config.add_alias("widgettoolkit", "/usr/share/javascript/proxmox-widget-toolkit");`

			`let rest_server = RestServer::new(config);`

use hyper/tokio-openssl instead of hyper/tokio-tls This exposes the complete SSL setup. And download is much faster now (600MB/s instead of 130MB/s)! 2019-07-02 11:33:58 +00:00			`//openssl req -x509 -newkey rsa:4096 -keyout /etc/proxmox-backup/proxy.key -out /etc/proxmox-backup/proxy.pem -nodes`
			`let key_path = configdir!("/proxy.key");`
			`let cert_path = configdir!("/proxy.pem");`

			`let mut acceptor = SslAcceptor::mozilla_intermediate(SslMethod::tls()).unwrap();`
			`acceptor.set_private_key_file(key_path, SslFiletype::PEM)`
			`.map_err(\|err\| format_err!("unable to read proxy key {} - {}", key_path, err))?;`
			`acceptor.set_certificate_chain_file(cert_path)`
			`.map_err(\|err\| format_err!("unable to read proxy cert {} - {}", cert_path, err))?;`
			`acceptor.check_private_key().unwrap();`

			`let acceptor = Arc::new(acceptor.build());`
proxy: use TLS via tokio-tls Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-02-04 13:56:07 +00:00
daemon: simplify daemon creation Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-03-18 13:13:44 +00:00			`let server = daemon::create_daemon(`
			`([0,0,0,0,0,0,0,0], 8007).into(),`
update to tokio 0.2.0-alpha.4 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-09-02 13:16:21 +00:00			`\|listener, ready\| {`
update a chunk of stuff to the hyper release Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-12-12 14:27:07 +00:00			`let connections = proxmox_backup::tools::async_io::StaticIncoming::from(listener)`
daemon: simplify daemon creation Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-03-18 13:13:44 +00:00			`.map_err(Error::from)`
update a chunk of stuff to the hyper release Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-12-12 14:27:07 +00:00			`.try_filter_map(move \|(sock, _addr)\| {`
src/bin/proxmox-backup-proxy.rs: switch to async Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-08-29 07:45:34 +00:00			`let acceptor = Arc::clone(&acceptor);`
			`async move {`
			`sock.set_nodelay(true).unwrap();`
			`sock.set_send_buffer_size(1024*1024).unwrap();`
			`sock.set_recv_buffer_size(1024*1024).unwrap();`
			`Ok(tokio_openssl::accept(&acceptor, sock)`
			`.await`
			`.ok() // handshake errors aren't be fatal, so return None to filter`
			`)`
daemon: simplify daemon creation Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-03-18 13:13:44 +00:00			`}`
			`});`
update a chunk of stuff to the hyper release Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-12-12 14:27:07 +00:00			`let connections = proxmox_backup::tools::async_io::HyperAccept(connections);`
update to tokio 0.2.0-alpha.4 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-09-02 13:16:21 +00:00
			`Ok(ready`
			`.and_then(\|_\| hyper::Server::builder(connections)`
			`.serve(rest_server)`
			`.with_graceful_shutdown(server::shutdown_future())`
			`.map_err(Error::from)`
			`)`
			`.map_err(\|err\| eprintln!("server error: {}", err))`
			`.map(\|_\| ())`
daemon: simplify daemon creation Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-03-18 13:13:44 +00:00			`)`
add reload support to proxy Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-03-11 08:38:35 +00:00			`},`
update to tokio 0.2.0-alpha.4 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-09-02 13:16:21 +00:00			`);`
add reload support to proxy Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-03-11 08:38:35 +00:00
use service Type=notify Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-04-25 08:38:26 +00:00			`daemon::systemd_notify(daemon::SystemdNotify::Ready)?;`

src/bin/proxmox-backup-proxy.rs: switch to async Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-08-29 07:45:34 +00:00			`let init_result: Result<(), Error> = try_block!({`
			`server::create_task_control_socket()?;`
			`server::server_state_init()?;`
			`Ok(())`
			`});`
src/server/worker_task.rs: implement task control socket 2019-04-09 10:15:06 +00:00
src/bin/proxmox-backup-proxy.rs: switch to async Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-08-29 07:45:34 +00:00			`if let Err(err) = init_result {`
			`bail!("unable to start daemon - {}", err);`
			`}`
src/tools/daemon.rs: use new ServerState handler 2019-04-08 12:00:23 +00:00
update to tokio 0.2.0-alpha.4 Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-09-02 13:16:21 +00:00			`server.await?;`
src/bin/proxmox-backup-proxy.rs: switch to async Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com> 2019-08-29 07:45:34 +00:00			`log::info!("done - exit server");`
src/tools/daemon.rs: use new ServerState handler 2019-04-08 12:00:23 +00:00
bin/proxmox-backup-proxy.rs: improve error handling 2019-02-11 13:43:26 +00:00			`Ok(())`
src/bin/proxmox-backup-proxy.rs: implement unpriviledged server We want to run the public server as user www-data. Requests needing root priviledges needs to be proxied to the proxmox-backup.service, which now listens to 127.0.0.1:82. 2019-01-28 12:17:03 +00:00			`}`