You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

118 lines
3.3KB

  1. ifdef::manvolnum[]
  2. pveproxy(8)
  3. ===========
  4. :pve-toplevel:
  5. NAME
  6. ----
  7. pveproxy - PVE API Proxy Daemon
  8. SYNOPSIS
  9. --------
  10. include::pveproxy.8-synopsis.adoc[]
  11. DESCRIPTION
  12. -----------
  13. endif::manvolnum[]
  14. ifndef::manvolnum[]
  15. pveproxy - Proxmox VE API Proxy Daemon
  16. ======================================
  17. endif::manvolnum[]
  18. This daemon exposes the whole {pve} API on TCP port 8006 using
  19. HTTPS. It runs as user `www-data` and has very limited permissions.
  20. Operation requiring more permissions are forwarded to the local
  21. `pvedaemon`.
  22. Requests targeted for other nodes are automatically forwarded to those
  23. nodes. This means that you can manage your whole cluster by connecting
  24. to a single {pve} node.
  25. Host based Access Control
  26. -------------------------
  27. It is possible to configure ``apache2''-like access control
  28. lists. Values are read from file `/etc/default/pveproxy`. For example:
  29. ----
  30. ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
  31. DENY_FROM="all"
  32. POLICY="allow"
  33. ----
  34. IP addresses can be specified using any syntax understood by `Net::IP`. The
  35. name `all` is an alias for `0/0`.
  36. The default policy is `allow`.
  37. [width="100%",options="header"]
  38. |===========================================================
  39. | Match | POLICY=deny | POLICY=allow
  40. | Match Allow only | allow | allow
  41. | Match Deny only | deny | deny
  42. | No match | deny | allow
  43. | Match Both Allow & Deny | deny | allow
  44. |===========================================================
  45. SSL Cipher Suite
  46. ----------------
  47. You can define the cipher list in `/etc/default/pveproxy`, for example
  48. CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
  49. Above is the default. See the ciphers(1) man page from the openssl
  50. package for a list of all available options.
  51. Additionally you can define that the client choses the used cipher in
  52. `/etc/default/pveproxy` (default is the first cipher in the list available to
  53. both client and `pveproxy`):
  54. HONOR_CIPHER_ORDER=0
  55. Diffie-Hellman Parameters
  56. -------------------------
  57. You can define the used Diffie-Hellman parameters in
  58. `/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
  59. containing DH parameters in PEM format, for example
  60. DHPARAMS="/path/to/dhparams.pem"
  61. If this option is not set, the built-in `skip2048` parameters will be
  62. used.
  63. NOTE: DH parameters are only used if a cipher suite utilizing the DH key
  64. exchange algorithm is negotiated.
  65. Alternative HTTPS certificate
  66. -----------------------------
  67. You can change the certificate used to an external one or to one obtained via
  68. ACME.
  69. pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
  70. `/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to
  71. `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
  72. The private key may not use a passphrase.
  73. See the Host System Administration chapter of the documentation for details.
  74. COMPRESSION
  75. -----------
  76. By default `pveproxy` uses gzip HTTP-level compression for compressible
  77. content, if the client supports it. This can disabled in `/etc/default/pveproxy`
  78. COMPRESSION=0
  79. ifdef::manvolnum[]
  80. include::pve-copyright.adoc[]
  81. endif::manvolnum[]