ifdef::manvolnum[]
PVE({manvolnum})
================
include::attributes.txt[]

NAME
----

pveproxy - PVE API Proxy Daemon


SYNOPSIS
--------

include::pveproxy.8-synopsis.adoc[]

DESCRIPTION
-----------
endif::manvolnum[]

ifndef::manvolnum[]
{pve} API Proxy Daemon
======================
include::attributes.txt[]
endif::manvolnum[]

This daemon exposes the whole {pve} API on TCP port 8006 using
HTTPS. It runs as user 'www-data' and has very limited permissions.
Operations requiring more permissions are forwarded to the local
'pvedaemon'.

Requests targeted at other nodes are automatically forwarded to those
nodes. This means that you can manage your whole cluster by connecting
to a single {pve} node.

Host based Access Control
-------------------------

It is possible to configure "apache2"-like access control
lists. Values are read from the file '/etc/default/pveproxy'. For example:

----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
----

IP addresses can be specified using any syntax understood by `Net::IP`. The
name 'all' is an alias for '0/0'.

The default policy is 'allow'.

[width="100%",options="header"]
|===========================================================
| Match                   | POLICY=deny | POLICY=allow
| Match Allow only        | allow       | allow
| Match Deny only         | deny        | deny
| No match                | deny        | allow
| Match Both Allow & Deny | deny        | allow
|===========================================================
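
The decision table above, worked through as an added Python example that is not part of pveproxy (which is written in Perl): it parses a constructed '/etc/default/pveproxy' carrying the page's example values, expands the `Net::IP`-style entries the page shows (single address, 'a-b' range, CIDR, and 'all' as an alias for '0/0') with the standard `ipaddress` module, and applies the four rows of the table. The function names and the small config parser are this example's own; only the three variables and their values come from the page.

```python
import ipaddress
import re

# Constructed sample of /etc/default/pveproxy. The three values are the
# page's example; the file content itself is built here, not read from a node.
SAMPLE_CONFIG = """
# constructed example
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
"""

# KEY="value" or KEY=value, with an optional trailing comment
_LINE_RE = re.compile(r'^([A-Z_]+)\s*=\s*"?([^"#]*)"?\s*(?:#.*)?$')


def parse_default_file(text):
    """Parse the shell-style KEY="value" lines into a dict of raw strings."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def parse_ip_spec(spec):
    """Expand one list entry into ip_network objects.

    Handles the forms the page shows: a single address, an 'a-b' range,
    CIDR 'a/prefix', and the alias 'all' for '0/0'. Net::IP accepts further
    forms (for example '+' increments); those are not handled here (assumption).
    """
    spec = spec.strip()
    if spec in ("all", "0/0"):
        # Read literally from the page: 0/0 is the IPv4 "everything" network,
        # so in this example an IPv6 client does not match 'all'.
        return [ipaddress.ip_network("0.0.0.0/0")]
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec, strict=False)]


def parse_list(value):
    """Expand a comma-separated ALLOW_FROM / DENY_FROM value."""
    nets = []
    for entry in value.split(","):
        if entry.strip():
            nets.extend(parse_ip_spec(entry))
    return nets


def matches(client_ip, nets):
    addr = ipaddress.ip_address(client_ip)
    # ipaddress returns False for a v4/v6 mismatch rather than raising
    return any(addr in net for net in nets)


def decide(client_ip, conf):
    """Apply the page's decision table to one client address."""
    in_allow = matches(client_ip, parse_list(conf.get("ALLOW_FROM", "")))
    in_deny = matches(client_ip, parse_list(conf.get("DENY_FROM", "")))
    policy = conf.get("POLICY", "allow")  # page: the default policy is allow
    if policy not in ("allow", "deny"):
        raise ValueError("POLICY must be 'allow' or 'deny'")
    if in_allow != in_deny:
        # Exactly one list matched: that list wins whatever POLICY says
        # (rows "Match Allow only" and "Match Deny only").
        return "allow" if in_allow else "deny"
    # Neither list matched, or both did: POLICY decides
    # (rows "No match" and "Match Both Allow & Deny").
    return policy


if __name__ == "__main__":
    conf = parse_default_file(SAMPLE_CONFIG)
    for ip in ("10.0.0.3", "10.0.0.6", "192.168.3.7", "192.168.4.1"):
        print(f"{ip:>14} -> {decide(ip, conf)}")
```

Run against the page's values, the table turns the configuration into an allowlist: `DENY_FROM="all"` matches every IPv4 client, so an address that is also in `ALLOW_FROM` lands in the "Match Both" row and `POLICY="allow"` lets it through, while every other address lands in "Match Deny only" and is refused regardless of the policy.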


SSL Cipher Suite
----------------

You can define the cipher list in '/etc/default/pveproxy', for example:

----
CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
----

The above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.


Diffie-Hellman Parameters
-------------------------

You can define the Diffie-Hellman parameters to use in
'/etc/default/pveproxy' by setting `DHPARAMS` to the path of a file
containing DH parameters in PEM format, for example:

----
DHPARAMS="/path/to/dhparams.pem"
----

If this option is not set, the built-in 'skip2048' parameters will be
used.

NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.

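An added example, not part of pve-docs or pveproxy, serving both the cipher-suite section and the NOTE on DH parameters above: it expands the documented default `CIPHERS` string through the local OpenSSL (via Python's standard `ssl` module), confirms that no anonymous (`Au=None`) or MD5-MAC suite survives the `!aNULL:!MD5` exclusions, and sorts the surviving suites by key exchange so you can see which ones (finite-field `Kx=DH`) would ever consult `DHPARAMS`. The cipher string is the page's; the function names and the use of OpenSSL's cipher description lines as the data source are this example's own.

```python
import re
import ssl

# The cipher string the page documents as pveproxy's default
DEFAULT_CIPHERS = "HIGH:MEDIUM:!aNULL:!MD5"

# Fields of an OpenSSL cipher description line, e.g.
# 'DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD'
_FIELD_RES = {
    "kx": re.compile(r"Kx=(\S+)"),
    "au": re.compile(r"Au=(\S+)"),
    "mac": re.compile(r"Mac=(\S+)"),
}


def parse_description(desc):
    """Extract key exchange, authentication and MAC from a description line."""
    out = {}
    for key, rx in _FIELD_RES.items():
        m = rx.search(desc)
        out[key] = m.group(1) if m else "?"
    return out


def expand(cipher_string):
    """Return [(name, fields)] for every suite the local OpenSSL would offer
    for this string at its default security level. set_ciphers() raises
    ssl.SSLError if the string matches nothing at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], parse_description(c["description"]))
            for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Summarise what a CIPHERS value actually enables on this host."""
    suites = expand(cipher_string)
    return {
        "count": len(suites),
        # Au=None would mean an anonymous suite survived despite !aNULL
        "anonymous": [n for n, f in suites if f["au"] == "None"],
        # Mac=MD5 would mean an MD5 suite survived despite !MD5
        "md5_mac": [n for n, f in suites if f["mac"] == "MD5"],
        # Kx=DH: finite-field DHE, the only suites that use DHPARAMS
        "needs_dhparams": [n for n, f in suites if f["kx"] == "DH"],
        # Kx=ECDH: elliptic-curve DHE, unaffected by DHPARAMS
        "ecdh": [n for n, f in suites if f["kx"] == "ECDH"],
        # Kx=any: TLS 1.3 suites, which OpenSSL does not select via this string
        "tls13": [n for n, f in suites if f["kx"] == "any"],
    }


if __name__ == "__main__":
    report = audit(DEFAULT_CIPHERS)
    print(f"{DEFAULT_CIPHERS!r} expands to {report['count']} suites here")
    for key in ("anonymous", "md5_mac", "needs_dhparams", "ecdh", "tls13"):
        print(f"  {key:15}: {len(report[key]):3}  {report[key][:3]}")
```

Two things the output makes visible that the string alone does not: the list is what this host's OpenSSL build and security level actually offer, which can be stricter than the string (a suite excluded by the security level disappears even if the string names it), and `DHPARAMS` only matters for the `needs_dhparams` entries; a client that negotiates an ECDHE or TLS 1.3 suite never touches that file.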

Alternative HTTPS certificate
-----------------------------

By default, pveproxy uses the certificate '/etc/pve/local/pve-ssl.pem'
(and private key '/etc/pve/local/pve-ssl.key') for HTTPS connections.
This certificate is signed by the cluster CA certificate, and is therefore
not trusted by browsers and operating systems by default.

In order to use a different certificate and private key for HTTPS,
store the server certificate and any needed intermediate / CA
certificates in PEM format in the file '/etc/pve/local/pveproxy-ssl.pem'
and the associated private key in PEM format without a password in the
file '/etc/pve/local/pveproxy-ssl.key'.

WARNING: Do not replace the automatically generated node certificate
files in '/etc/pve/local/pve-ssl.pem'/'/etc/pve/local/pve-ssl.key' or
the cluster CA files in '/etc/pve/pve-root-ca.pem'/'/etc/pve/priv/pve-root-ca.key'.

ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]