[pve-docs.git] / pveproxy.adoc

ifdef::manvolnum[]
pveproxy(8)
===========
:pve-toplevel:

NAME
----

pveproxy - PVE API Proxy Daemon


SYNOPSIS
--------

include::pveproxy.8-synopsis.adoc[]

DESCRIPTION
-----------
endif::manvolnum[]

ifndef::manvolnum[]
pveproxy - Proxmox VE API Proxy Daemon
======================================
endif::manvolnum[]

This daemon exposes the whole {pve} API on TCP port 8006 using
HTTPS. It runs as user `www-data` and has very limited permissions.
Operation requiring more permissions are forwarded to the local
`pvedaemon`.

Requests targeted for other nodes are automatically forwarded to those
nodes. This means that you can manage your whole cluster by connecting
to a single {pve} node.

Host based Access Control
-------------------------

It is possible to configure ``apache2''-like access control
lists. Values are read from file `/etc/default/pveproxy`. For example:

----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
----

IP addresses can be specified using any syntax understood by `Net::IP`. The
name `all` is an alias for `0/0`.

The default policy is `allow`.

[width="100%",options="header"]
|===========================================================
| Match                      | POLICY=deny | POLICY=allow
| Match Allow only           | allow       | allow
| Match Deny only            | deny        | deny
| No match                   | deny        | allow
| Match Both Allow & Deny    | deny        | allow
|===========================================================


Listening IP
------------

By setting `LISTEN_IP` in `/etc/default/pveproxy` you can control to which IP
address the `pveproxy` and `spiceproxy` daemons bind. The IP-address needs to
be configured on the system.

This can be used to listen only to an internal interface and thus have less
exposure to the public internet:

----
LISTEN_IP="192.0.2.1"
----

Similarly, you can also set an IPv6 address:

----
LISTEN_IP="2001:db8:85a3::1"
----

Note that if you want to specify a link-local IPv6 address, you need to provide
the interface name itself. For example:

----
LISTEN_IP="fe80::c463:8cff:feb9:6a4e%vmbr0"
----

WARNING: The nodes in a cluster need access to `pveproxy` for communication,
possibly on different sub-nets. It is **not recommended** to set `LISTEN_IP` on
clustered systems.

SSL Cipher Suite
----------------

You can define the cipher list in `/etc/default/pveproxy`, for example

 CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.

Additionally you can define that the client choses the used cipher in
`/etc/default/pveproxy` (default is the first cipher in the list available to
both client and `pveproxy`):

 HONOR_CIPHER_ORDER=0


Diffie-Hellman Parameters
-------------------------

You can define the used Diffie-Hellman parameters in
`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
containing DH parameters in PEM format, for example

 DHPARAMS="/path/to/dhparams.pem"

If this option is not set, the built-in `skip2048` parameters will be
used.

NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.

Alternative HTTPS certificate
-----------------------------

You can change the certificate used to an external one or to one obtained via
ACME.

pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
`/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to
`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
The private key may not use a passphrase.

See the Host System Administration chapter of the documentation for details.

COMPRESSION
-----------

By default `pveproxy` uses gzip HTTP-level compression for compressible
content, if the client supports it. This can disabled in `/etc/default/pveproxy`

 COMPRESSION=0

ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]
Commit	Line	Data
96f2beeb	1	ifdef::manvolnum[]
f1587b9e DM	2	pveproxy(8)
f1587b9e DM	3	===========
5377af6a	4	:pve-toplevel:
96f2beeb DM	5
	6	NAME
	7	----
	8
	9	pveproxy - PVE API Proxy Daemon
	10
	11
49a5e11c	12	SYNOPSIS
96f2beeb DM	13	--------
	14
	15	include::pveproxy.8-synopsis.adoc[]
	16
	17	DESCRIPTION
	18	-----------
	19	endif::manvolnum[]
	20
	21	ifndef::manvolnum[]
e8b392d3 FG	22	pveproxy - Proxmox VE API Proxy Daemon
e8b392d3 FG	23	======================================
96f2beeb DM	24	endif::manvolnum[]
	25
	26	This daemon exposes the whole {pve} API on TCP port 8006 using
8c1189b6	27	HTTPS. It runs as user `www-data` and has very limited permissions.
96f2beeb	28	Operation requiring more permissions are forwarded to the local
8c1189b6	29	`pvedaemon`.
96f2beeb	30
eb641429 DM	31	Requests targeted for other nodes are automatically forwarded to those
eb641429 DM	32	nodes. This means that you can manage your whole cluster by connecting
96f2beeb DM	33	to a single {pve} node.
96f2beeb DM	34
eb641429 DM	35	Host based Access Control
	36	-------------------------
	37
8c1189b6 FG	38	It is possible to configure ``apache2''-like access control
8c1189b6 FG	39	lists. Values are read from file `/etc/default/pveproxy`. For example:
eb641429 DM	40
	41	----
	42	ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
	43	DENY_FROM="all"
	44	POLICY="allow"
	45	----
	46
	47	IP addresses can be specified using any syntax understood by `Net::IP`. The
8c1189b6	48	name `all` is an alias for `0/0`.
eb641429	49
8c1189b6	50	The default policy is `allow`.
eb641429 DM	51
	52	[width="100%",options="header"]
	53	\|===========================================================
	54	\| Match \| POLICY=deny \| POLICY=allow
	55	\| Match Allow only \| allow \| allow
	56	\| Match Deny only \| deny \| deny
	57	\| No match \| deny \| allow
	58	\| Match Both Allow & Deny \| deny \| allow
	59	\|===========================================================
	60
	61
fa25e615 SI	62	Listening IP
	63	------------
	64
	65	By setting `LISTEN_IP` in `/etc/default/pveproxy` you can control to which IP
a22c19c3 TL	66	address the `pveproxy` and `spiceproxy` daemons bind. The IP-address needs to
a22c19c3 TL	67	be configured on the system.
fa25e615 SI	68
	69	This can be used to listen only to an internal interface and thus have less
	70	exposure to the public internet:
	71
a3b4a546 TL	72	----
	73	LISTEN_IP="192.0.2.1"
	74	----
fa25e615	75
a3b4a546	76	Similarly, you can also set an IPv6 address:
fa25e615	77
a3b4a546 TL	78	----
	79	LISTEN_IP="2001:db8:85a3::1"
	80	----
8fd3f59f TL	81
	82	Note that if you want to specify a link-local IPv6 address, you need to provide
	83	the interface name itself. For example:
	84
	85	----
	86	LISTEN_IP="fe80::c463:8cff:feb9:6a4e%vmbr0"
	87	----
fa25e615	88
a22c19c3 TL	89	WARNING: The nodes in a cluster need access to `pveproxy` for communication,
	90	possibly on different sub-nets. It is not recommended to set `LISTEN_IP` on
	91	clustered systems.
fa25e615	92
eb641429 DM	93	SSL Cipher Suite
	94	----------------
	95
8c1189b6	96	You can define the cipher list in `/etc/default/pveproxy`, for example
eb641429	97
ee0fb57b	98	CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
eb641429 DM	99
	100	Above is the default. See the ciphers(1) man page from the openssl
	101	package for a list of all available options.
	102
54de4e32 SI	103	Additionally you can define that the client choses the used cipher in
	104	`/etc/default/pveproxy` (default is the first cipher in the list available to
	105	both client and `pveproxy`):
	106
	107	HONOR_CIPHER_ORDER=0
	108
eb641429 DM	109
	110	Diffie-Hellman Parameters
	111	-------------------------
	112
	113	You can define the used Diffie-Hellman parameters in
8c1189b6	114	`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
eb641429 DM	115	containing DH parameters in PEM format, for example
	116
	117	DHPARAMS="/path/to/dhparams.pem"
	118
8c1189b6	119	If this option is not set, the built-in `skip2048` parameters will be
eb641429 DM	120	used.
	121
	122	NOTE: DH parameters are only used if a cipher suite utilizing the DH key
	123	exchange algorithm is negotiated.
	124
98a741e0 FG	125	Alternative HTTPS certificate
	126	-----------------------------
	127
0e9c6c13	128	You can change the certificate used to an external one or to one obtained via
aeecd9ea SI	129	ACME.
	130
	131	pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
	132	`/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to
	133	`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
	134	The private key may not use a passphrase.
	135
	136	See the Host System Administration chapter of the documentation for details.
9b75a03a	137
54de4e32 SI	138	COMPRESSION
	139	-----------
	140
	141	By default `pveproxy` uses gzip HTTP-level compression for compressible
	142	content, if the client supports it. This can disabled in `/etc/default/pveproxy`
	143
	144	COMPRESSION=0
	145
96f2beeb DM	146	ifdef::manvolnum[]
	147	include::pve-copyright.adoc[]
	148	endif::manvolnum[]