ifdef::manvolnum[]
pveproxy(8)
===========
:pve-toplevel:

NAME
----

pveproxy - PVE API Proxy Daemon


SYNOPSIS
--------

include::pveproxy.8-synopsis.adoc[]

DESCRIPTION
-----------
endif::manvolnum[]

ifndef::manvolnum[]
pveproxy - Proxmox VE API Proxy Daemon
======================================
endif::manvolnum[]

This daemon exposes the whole {pve} API on TCP port 8006 using
HTTPS. It runs as user `www-data` and has very limited permissions.
Operations requiring more permissions are forwarded to the local
`pvedaemon`.

Requests targeted for other nodes are automatically forwarded to those
nodes. This means that you can manage your whole cluster by connecting
to a single {pve} node.

Host based Access Control
-------------------------

It is possible to configure ``apache2''-like access control
lists. Values are read from file `/etc/default/pveproxy`. For example:

----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
----

IP addresses can be specified using any syntax understood by `Net::IP`. The
name `all` is an alias for `0/0`.

The default policy is `allow`.

[width="100%",options="header"]
|===========================================================
| Match | POLICY=deny | POLICY=allow
| Match Allow only | allow | allow
| Match Deny only | deny | deny
| No match | deny | allow
| Match Both Allow & Deny | deny | allow
|===========================================================
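The decision table above can be exercised with a small model of the access-control logic. The following Python is an added illustration and not pveproxy's own code: real pveproxy parses addresses with Perl's `Net::IP`, whereas this model accepts only the forms shown in the example (a single address, a first-last range, a CIDR prefix and the alias `all`, treated as `0/0`). The sample configuration text is constructed from the example above, and the function names (`parse_config`, `parse_ip_list`, `decide`, `check`) are assumptions of this example.

```python
import ipaddress
import shlex

# Constructed sample of /etc/default/pveproxy, copied from the example above.
EXAMPLE_CONFIG = '''
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
'''


def parse_config(text):
    """Read the KEY="value" lines of /etc/default/pveproxy into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # shlex removes the shell quoting around the value
        cfg[key.strip()] = " ".join(shlex.split(value))
    return cfg


def parse_ip_list(spec):
    """Parse a comma-separated ALLOW_FROM/DENY_FROM value into matchers.

    Supported forms (a subset of what Net::IP understands): a single
    address, a first-last range, a CIDR prefix, and the alias `all`,
    which the documentation defines as 0/0, i.e. every address.
    """
    matchers = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item in ("all", "0/0"):
            matchers.append(("all", None))
        elif "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad range: {item}")
            matchers.append(("range", (lo, hi)))
        elif "/" in item:
            matchers.append(("net", ipaddress.ip_network(item, strict=False)))
        else:
            matchers.append(("host", ipaddress.ip_address(item)))
    return matchers


def matches(addr, matchers):
    """True if addr is covered by any entry of the parsed list."""
    for kind, value in matchers:
        if kind == "all":
            return True
        if kind == "host" and addr == value:
            return True
        if kind == "net" and addr in value:
            return True
        if kind == "range":
            lo, hi = value
            if addr.version == lo.version and lo <= addr <= hi:
                return True
    return False


def decide(client_ip, allow_from="", deny_from="", policy="allow"):
    """Apply the documented decision table to one client address."""
    if policy not in ("allow", "deny"):
        raise ValueError(f"POLICY must be allow or deny, got {policy!r}")
    addr = ipaddress.ip_address(client_ip)
    allowed = matches(addr, parse_ip_list(allow_from))
    denied = matches(addr, parse_ip_list(deny_from))
    if allowed and not denied:
        return "allow"          # Match Allow only
    if denied and not allowed:
        return "deny"           # Match Deny only
    return policy               # No match, or Match Both: POLICY decides


def check(config_text, client_ip):
    """Decide for client_ip from the text of a config file (POLICY defaults to allow)."""
    cfg = parse_config(config_text)
    return decide(client_ip, cfg.get("ALLOW_FROM", ""), cfg.get("DENY_FROM", ""),
                  cfg.get("POLICY", "allow"))


if __name__ == "__main__":
    for ip in ("10.0.0.3", "10.0.0.9", "192.168.3.7", "192.168.4.1"):
        print(ip, "->", check(EXAMPLE_CONFIG, ip))
```

The model makes the shape of the example configuration visible: with `DENY_FROM="all"`, every client matches the deny list, so a client inside `ALLOW_FROM` falls into the "Match Both" row and is decided by `POLICY` (allow), while a client outside `ALLOW_FROM` matches deny only and is refused regardless of `POLICY`. Switching `POLICY` to `deny` in that configuration therefore refuses everyone.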


SSL Cipher Suite
----------------

You can define the cipher list in `/etc/default/pveproxy`, for example

 CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"

Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.


Diffie-Hellman Parameters
-------------------------

You can define the used Diffie-Hellman parameters in
`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
containing DH parameters in PEM format, for example

 DHPARAMS="/path/to/dhparams.pem"

If this option is not set, the built-in `skip2048` parameters will be
used.

NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.

Alternative HTTPS certificate
-----------------------------

By default, pveproxy uses the certificate `/etc/pve/local/pve-ssl.pem`
(and private key `/etc/pve/local/pve-ssl.key`) for HTTPS connections.
This certificate is signed by the cluster CA certificate, and therefore
not trusted by browsers and operating systems by default.

In order to use a different certificate and private key for HTTPS,
store the server certificate and any needed intermediate / CA
certificates in PEM format in the file `/etc/pve/local/pveproxy-ssl.pem`
and the associated private key in PEM format without a password in the
file `/etc/pve/local/pveproxy-ssl.key`.

WARNING: Do not replace the automatically generated node certificate
files in `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key` or
the cluster CA files in `/etc/pve/pve-root-ca.pem` and
`/etc/pve/priv/pve-root-ca.key`.

NOTE: There is a detailed HOWTO for configuring commercial HTTPS certificates
on the {webwiki-url}HTTPS_Certificate_Configuration_(Version_4.x_and_newer)[wiki],
including setup instructions for obtaining certificates from the popular free
Let's Encrypt certificate authority.

ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]