| | 1 | ifdef::manvolnum[] |
| | 2 | pveproxy(8) |
| | 3 | =========== |
| | 4 | :pve-toplevel: |
| | 5 | |
| | 6 | NAME |
| | 7 | ---- |
| | 8 | |
| | 9 | pveproxy - PVE API Proxy Daemon |
| | 10 | |
| | 11 | |
| | 12 | SYNOPSIS |
| | 13 | -------- |
| | 14 | |
| | 15 | include::pveproxy.8-synopsis.adoc[] |
| | 16 | |
| | 17 | DESCRIPTION |
| | 18 | ----------- |
| | 19 | endif::manvolnum[] |
| | 20 | |
| | 21 | ifndef::manvolnum[] |
| | 22 | pveproxy - Proxmox VE API Proxy Daemon |
| | 23 | ====================================== |
| | 24 | endif::manvolnum[] |
| | 25 | |
| | 26 | This daemon exposes the whole {pve} API on TCP port 8006 using |
| | 27 | HTTPS. It runs as user `www-data` and has very limited permissions. |
| | 28 | Operation requiring more permissions are forwarded to the local |
| | 29 | `pvedaemon`. |
| | 30 | |
| | 31 | Requests targeted for other nodes are automatically forwarded to those |
| | 32 | nodes. This means that you can manage your whole cluster by connecting |
| | 33 | to a single {pve} node. |
| | 34 | |
| | 35 | Host based Access Control |
| | 36 | ------------------------- |
| | 37 | |
| | 38 | It is possible to configure ``apache2''-like access control |
| | 39 | lists. Values are read from file `/etc/default/pveproxy`. For example: |
| | 40 | |
| | 41 | ---- |
| | 42 | ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22" |
| | 43 | DENY_FROM="all" |
| | 44 | POLICY="allow" |
| | 45 | ---- |
| | 46 | |
| | 47 | IP addresses can be specified using any syntax understood by `Net::IP`. The |
| | 48 | name `all` is an alias for `0/0`. |
| | 49 | |
| | 50 | The default policy is `allow`. |
| | 51 | |
| | 52 | [width="100%",options="header"] |
| | 53 | |=========================================================== |
| | 54 | | Match | POLICY=deny | POLICY=allow |
| | 55 | | Match Allow only | allow | allow |
| | 56 | | Match Deny only | deny | deny |
| | 57 | | No match | deny | allow |
| | 58 | | Match Both Allow & Deny | deny | allow |
| | 59 | |=========================================================== |
| | 60 | |
| | 61 | |
| | 62 | Listening IP |
| | 63 | ------------ |
| | 64 | |
| | 65 | By setting `LISTEN_IP` in `/etc/default/pveproxy` you can control to which IP |
| | 66 | address the `pveproxy` and `spiceproxy` daemons bind. The IP-address needs to |
| | 67 | be configured on the system. |
| | 68 | |
| | 69 | This can be used to listen only to an internal interface and thus have less |
| | 70 | exposure to the public internet: |
| | 71 | |
| | 72 | ---- |
| | 73 | LISTEN_IP="192.0.2.1" |
| | 74 | ---- |
| | 75 | |
| | 76 | Similarly, you can also set an IPv6 address: |
| | 77 | |
| | 78 | ---- |
| | 79 | LISTEN_IP="2001:db8:85a3::1" |
| | 80 | ---- |
| | 81 | |
| | 82 | WARNING: The nodes in a cluster need access to `pveproxy` for communication, |
| | 83 | possibly on different sub-nets. It is **not recommended** to set `LISTEN_IP` on |
| | 84 | clustered systems. |
| | 85 | |
| | 86 | SSL Cipher Suite |
| | 87 | ---------------- |
| | 88 | |
| | 89 | You can define the cipher list in `/etc/default/pveproxy`, for example |
| | 90 | |
| | 91 | CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" |
| | 92 | |
| | 93 | Above is the default. See the ciphers(1) man page from the openssl |
| | 94 | package for a list of all available options. |
| | 95 | |
| | 96 | Additionally you can define that the client choses the used cipher in |
| | 97 | `/etc/default/pveproxy` (default is the first cipher in the list available to |
| | 98 | both client and `pveproxy`): |
| | 99 | |
| | 100 | HONOR_CIPHER_ORDER=0 |
| | 101 | |
| | 102 | |
| | 103 | Diffie-Hellman Parameters |
| | 104 | ------------------------- |
| | 105 | |
| | 106 | You can define the used Diffie-Hellman parameters in |
| | 107 | `/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file |
| | 108 | containing DH parameters in PEM format, for example |
| | 109 | |
| | 110 | DHPARAMS="/path/to/dhparams.pem" |
| | 111 | |
| | 112 | If this option is not set, the built-in `skip2048` parameters will be |
| | 113 | used. |
| | 114 | |
| | 115 | NOTE: DH parameters are only used if a cipher suite utilizing the DH key |
| | 116 | exchange algorithm is negotiated. |
| | 117 | |
| | 118 | Alternative HTTPS certificate |
| | 119 | ----------------------------- |
| | 120 | |
| | 121 | You can change the certificate used to an external one or to one obtained via |
| | 122 | ACME. |
| | 123 | |
| | 124 | pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and |
| | 125 | `/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to |
| | 126 | `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`. |
| | 127 | The private key may not use a passphrase. |
| | 128 | |
| | 129 | See the Host System Administration chapter of the documentation for details. |
| | 130 | |
| | 131 | COMPRESSION |
| | 132 | ----------- |
| | 133 | |
| | 134 | By default `pveproxy` uses gzip HTTP-level compression for compressible |
| | 135 | content, if the client supports it. This can disabled in `/etc/default/pveproxy` |
| | 136 | |
| | 137 | COMPRESSION=0 |
| | 138 | |
| | 139 | ifdef::manvolnum[] |
| | 140 | include::pve-copyright.adoc[] |
| | 141 | endif::manvolnum[] |
projects / pve-docs.git / blame_incremental