ifdef::manvolnum[]
pveproxy(8)
===========
include::attributes.txt[]
:pve-toplevel:

NAME
----

pveproxy - PVE API Proxy Daemon


SYNOPSIS
--------

include::pveproxy.8-synopsis.adoc[]

DESCRIPTION
-----------
endif::manvolnum[]

ifndef::manvolnum[]
pveproxy - Proxmox VE API Proxy Daemon
======================================
include::attributes.txt[]
endif::manvolnum[]

This daemon exposes the whole {pve} API on TCP port 8006 using
HTTPS. It runs as user `www-data` and has very limited permissions.
Operations requiring more permissions are forwarded to the local
`pvedaemon`.

Requests targeted for other nodes are automatically forwarded to those
nodes. This means that you can manage your whole cluster by connecting
to a single {pve} node.

Host based Access Control
-------------------------

It is possible to configure ``apache2''-like access control
lists. Values are read from file `/etc/default/pveproxy`. For example:

----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
----

IP addresses can be specified using any syntax understood by `Net::IP`. The
name `all` is an alias for `0/0`.

The default policy is `allow`.

[width="100%",options="header"]
|===========================================================
| Match                   | POLICY=deny | POLICY=allow
| Match Allow only        | allow       | allow
| Match Deny only         | deny        | deny
| No match                | deny        | allow
| Match Both Allow & Deny | deny        | allow
|===========================================================
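The decision table above, worked through as an added example (not pveproxy's own code, which relies on Perl's `Net::IP`): a small Python evaluator that reads a `/etc/default/pveproxy`-style file and applies the rules to client addresses. It understands only single addresses, CIDR prefixes and first-last ranges, a subset of `Net::IP` syntax; the names `load_defaults`, `parse_list`, `is_allowed` and `SAMPLE_CONF` are chosen here.

```python
# Host-based ACL evaluation following the POLICY table in this man page.
# Added example, not pveproxy's own code (which uses Perl's Net::IP).
import ipaddress


def load_defaults(text: str) -> dict[str, str]:
    """Parse KEY="value" lines in the style of /etc/default/pveproxy."""
    conf: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip("\"'")
    return conf


def parse_list(spec: str) -> list:
    """Parse ALLOW_FROM/DENY_FROM: single IPs, CIDR prefixes and first-last
    ranges (a subset of Net::IP syntax); 'all' is the alias for 0/0."""
    nets = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if item.lower() == "all":   # any v4 or v6 address
            nets += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        elif "-" in item:           # e.g. 10.0.0.1-10.0.0.5 -> covering prefixes
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            nets += list(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_allowed(client_ip: str, conf: dict[str, str]) -> bool:
    """Allow-only match -> allow; deny-only -> deny; no match or both -> POLICY."""
    policy = conf.get("POLICY", "allow")  # man page: the default policy is allow
    if policy not in ("allow", "deny"):
        raise ValueError(f"unsupported POLICY {policy!r}")
    ip = ipaddress.ip_address(client_ip)
    in_allow = any(ip in n for n in parse_list(conf.get("ALLOW_FROM", "")))
    in_deny = any(ip in n for n in parse_list(conf.get("DENY_FROM", "")))
    if in_allow != in_deny:   # exactly one list matched: that list decides
        return in_allow
    return policy == "allow"  # no match, or matched in both lists


# Constructed sample: the configuration shown in the man page.
SAMPLE_CONF = load_defaults('''
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
''')
```

With the man page's own example, `DENY_FROM="all"` plus `POLICY="allow"` behaves as an allow-list: listed addresses match both lists and fall back to the policy (allow), everything else matches only the deny list.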


SSL Cipher Suite
----------------

You can define the cipher list in `/etc/default/pveproxy`, for example:

----
CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
----

The above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.


Diffie-Hellman Parameters
-------------------------

You can define the Diffie-Hellman parameters used in
`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
containing DH parameters in PEM format, for example:

----
DHPARAMS="/path/to/dhparams.pem"
----

If this option is not set, the built-in `skip2048` parameters will be
used.

NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.

Alternative HTTPS certificate
-----------------------------

By default, pveproxy uses the certificate `/etc/pve/local/pve-ssl.pem`
(and private key `/etc/pve/local/pve-ssl.key`) for HTTPS connections.
This certificate is signed by the cluster CA certificate, and is therefore
not trusted by browsers and operating systems by default.

In order to use a different certificate and private key for HTTPS,
store the server certificate and any needed intermediate / CA
certificates in PEM format in the file `/etc/pve/local/pveproxy-ssl.pem`
and the associated private key in PEM format without a password in the
file `/etc/pve/local/pveproxy-ssl.key`.

WARNING: Do not replace the automatically generated node certificate
files in `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key` or
the cluster CA files in `/etc/pve/pve-root-ca.pem` and
`/etc/pve/priv/pve-root-ca.key`.

NOTE: There is a detailed HOWTO for configuring commercial HTTPS certificates
on the {webwiki-url}HTTPS_Certificate_Configuration_(Version_4.x_and_newer)[wiki],
including setup instructions for obtaining certificates from the popular free
Let's Encrypt certificate authority.

ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]