The branch, master has been updated
       via  b040825b Improve the haproxy header docs.
       via  3c793ef1 Use /dev/shm instead of requiring /dev/shm/tmp.
      from  cff0764b Add `haproxy header` parameter to rsync daemon

https://git.samba.org/?p=rsync.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit b040825b86175aa06173832acef4b46d68630b64 Author: Wayne Davison <wa...@opencoder.net> Date: Thu Jun 11 15:16:17 2020 -0700 Improve the haproxy header docs. commit 3c793ef15373ad37f3c47d296cc770df70be2abc Author: Wayne Davison <wa...@opencoder.net> Date: Thu Jun 11 14:33:25 2020 -0700 Use /dev/shm instead of requiring /dev/shm/tmp. ----------------------------------------------------------------------- Summary of changes: .github/workflows/ccpp.yml | 2 -- rsyncd.conf.5.md | 28 +++++++++++++++++----------- testsuite/chmod-temp-dir.test | 2 +- 3 files changed, 18 insertions(+), 14 deletions(-) Changeset truncated at 500 lines: diff --git a/.github/workflows/ccpp.yml b/.github/workflows/ccpp.yml index 6108b889..0ffbde06 100644 --- a/.github/workflows/ccpp.yml +++ b/.github/workflows/ccpp.yml @@ -15,8 +15,6 @@ jobs: - uses: actions/checkout@v2 - name: prepare-packages run: sudo apt-get install fakeroot acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev python3-cmarkgfm - - name: add other-filesystem tmp dir - run: mkdir -m 1777 /run/shm/tmp - name: prepare-source run: ./prepare-source - name: configure diff --git a/rsyncd.conf.5.md b/rsyncd.conf.5.md index f1e335c1..2952e73e 100644 --- a/rsyncd.conf.5.md +++ b/rsyncd.conf.5.md 
@@ -236,17 +236,23 @@ the values of parameters. See the GLOBAL PARAMETERS section for more details. 0. `haproxy header` - This parameter indicates that all incoming connections must start with a V1 - or V2 haproxy header. If the header is not found, the connection is closed. - - Setting this allows a proxy server to forward the source IP information to - rsync, allowing you to make use of IP restrictions that don't all match the - source IP of the proxy server. - - _CAUTION_: when using this option you _must_ make sure that only the proxy - is allowed to connect to the rsync port via some kind of firewall rules - (such as iptables). If any non-proxied connections are allowed through, - the client will be able to spoof any remote IP address that they desire. + When this parameter is enabled, all incoming connections must start with a + V1 or V2 haproxy header. If the header is not found, the connection is + closed. + + Setting this to `true` requires a proxy server to forward source IP + information to rsync, allowing you to log proper IP/host info and make use + of client-oriented IP restrictions. The default of `false` means that the + IP information comes directly from the socket's metadata. If rsync is not + behind a proxy, this should be disabled. + + _CAUTION_: using this option can be dangerous if you do not ensure that + only the proxy is allowed to connect to the rsync port. If any non-proxied + connections are allowed through, the client will be able to use a modified + rsync to spoof any remote IP address that they desire. You can lock this + down using something like iptables `-uid-owner root` rules (for strict + localhost access), various firewall rules, or you can require password + authorization so that any spoofing by users will not grant extra access. This setting is global. If you need some modules to require this and not others, then you will need to setup multiple rsync daemon processes on 
diff --git a/testsuite/chmod-temp-dir.test b/testsuite/chmod-temp-dir.test index 085ab008..b9a294ac 100644 --- a/testsuite/chmod-temp-dir.test +++ b/testsuite/chmod-temp-dir.test @@ -16,7 +16,7 @@ hands_setup sdev=`$TOOLDIR/getfsdev $scratchdir` tdev=$sdev -for tmpdir2 in "${RSYNC_TEST_TMP:-/override-tmp-not-specified}" /run/shm/tmp /var/tmp /tmp; do +for tmpdir2 in "${RSYNC_TEST_TMP:-/override-tmp-not-specified}" /run/shm /var/tmp /tmp; do [ -d "$tmpdir2" -a -w "$tmpdir2" ] || continue tdev=`$TOOLDIR/getfsdev "$tmpdir2"` [ x$sdev != x$tdev ] && break -- The rsync repository. _______________________________________________ rsync-cvs mailing list rsync-cvs@lists.samba.org https://lists.samba.org/mailman/listinfo/rsync-cvs
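Review bot: in the rsyncd.conf.5.md hunk, the new CAUTION paragraph writes the iptables option as `-uid-owner root`, but the owner match is spelled with two dashes and needs its module loaded (`-m owner --uid-owner root`), so the text as written cannot be copied into a rule. The owner match only applies to locally generated packets (OUTPUT/POSTROUTING), which fits the "strict localhost access" wording, but the doc should say so explicitly. Separately, the closing clause says password authorization means spoofing "will not grant extra access"; it would help to add that the spoofed address still ends up in the logs, since the same paragraph now advertises "log proper IP/host info" as a reason to enable the parameter. The old text's "_must_" has also been softened to "can be dangerous if you do not ensure"; consider keeping the mandatory wording for the firewall requirement.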
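Review bot: in the testsuite/chmod-temp-dir.test hunk, the `for tmpdir2 in ...` list now names `/run/shm`, while the commit subject says "Use /dev/shm instead of requiring /dev/shm/tmp"; the path in the code and the path in the message do not match. On a host where `/run/shm` does not exist, the `[ -d "$tmpdir2" -a -w "$tmpdir2" ] || continue` line skips it silently and the loop falls through to `/var/tmp` and `/tmp`, so either add `/dev/shm` as a candidate next to `/run/shm` or correct the subject line. The same applies to the ccpp.yml hunk, which drops the `mkdir -m 1777 /run/shm/tmp` step and so leaves CI dependent on `/run/shm` already being present and writable on the runner.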