9 pmgproxy - Proxmox Mail Gateway API Proxy Daemon
15 include::pmgproxy.8-synopsis.adoc[]
22 pmgproxy - Proxmox Mail Gateway API Proxy Daemon
23 ================================================
26 This daemon exposes the whole {pmg} API on TCP port 8006, using
27 HTTPS. It runs as user `www-data` and has very limited permissions.
28 Operations requiring more permissions are forwarded to the local
31 Requests targeted at other nodes are automatically forwarded to those
32 nodes. This means that you can manage your whole cluster by connecting
33 to a single {pmg} node.
35 Alternative HTTPS certificate
36 -----------------------------
38 By default, pmgproxy uses the certificate `/etc/pmg/pmg-api.pem` for HTTPS
39 connections. This certificate is self signed, and therefore not trusted by
40 browsers and operating systems by default. You can simply replace this
41 certificate with your own (include the key inside the '.pem' file) or obtain one
42 from an ACME enabled CA (configurable in the GUI).
44 Host based Access Control
45 -------------------------
47 It is possible to configure ``apache2''-like access control
48 lists. Values are read from file `/etc/default/pmgproxy`. For example:
51 ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
56 IP addresses can be specified using any syntax understood by `Net::IP`. The
57 name `all` is an alias for `0/0` and `::/0` (meaning all IPv4 and IPv6
60 The default policy is `allow`.
62 [width="100%",options="header"]
63 |===========================================================
64 | Match | POLICY=deny | POLICY=allow
65 | Match Allow only | allow | allow
66 | Match Deny only | deny | deny
67 | No match | deny | allow
68 | Match Both Allow & Deny | deny | allow
69 |===========================================================
75 By default the `pmgproxy` daemon listens on the wildcard address and accepts
76 connections from both IPv4 and IPv6 clients.
79 By setting `LISTEN_IP` in `/etc/default/pmgproxy`, you can control which IP
80 address the `pmgproxy` daemon binds to. The IP-address needs to be configured on
83 Setting the `sysctl` `net.ipv6.bindv6only` to the non-default `1` will cause
84 the daemons to only accept connections from IPv6 clients, while usually also
85 causing lots of other issues. If you set this configuration, we recommend either
86 removing the `sysctl` setting, or setting the `LISTEN_IP` to `0.0.0.0` (which
87 will allow only IPv4 clients).
89 `LISTEN_IP` can be used to restrict the socket to an internal
90 interface, thus leaving less exposure to the public internet, for example:
96 Similarly, you can also set an IPv6 address:
99 LISTEN_IP="2001:db8:85a3::1"
102 Note that if you want to specify a link-local IPv6 address, you need to provide
103 the interface name itself. For example:
106 LISTEN_IP="fe80::c463:8cff:feb9:6a4e%vmbr0"
109 WARNING: The nodes in a cluster need access to `pmgproxy` for communication,
110 possibly across different subnets. It is **not recommended** to set `LISTEN_IP`
111 on clustered systems.
113 To apply the change you need to either reboot your node or fully restart the
117 systemctl restart pmgproxy.service
120 NOTE: Unlike `reload`, a `restart` of the pmgproxy service can interrupt some
121 long-running worker processes, for example, a running console. Therefore, you
122 should set a maintenance window to bring this change into effect.
128 You can define the cipher list in `/etc/default/pmgproxy`, via the `CIPHERS`
129 (TLS <= 1.2) and `CIPHERSUITES` (TLS >= 1.3) keys.
133 CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
135 The above is the default. See the `ciphers(1)` man page from the `openssl`
136 package for a list of all available options.
138 The first of these ciphers that is available to both the client and `pmgproxy`
141 Additionally, you can allow the client to choose the cipher from the list above,
142 by disabling the HONOR_CIPHER_ORDER option in `/etc/default/pmgproxy`:
147 Supported TLS versions
148 ----------------------
150 The insecure SSL versions 2 and 3 are unconditionally disabled for `pmgproxy`.
151 TLS versions below 1.1 are disabled by default on recent OpenSSL versions,
152 which is honored by `pmgproxy` (see `/etc/ssl/openssl.cnf`).
154 To disable TLS version 1.2, set the following in `/etc/default/pmgproxy`:
158 or, respectively, to disable TLS version 1.3:
162 NOTE: Unless there is a specific reason to do so, it is not recommended to
163 manually adjust the supported TLS versions.
166 Diffie-Hellman Parameters
167 -------------------------
169 You can define the used Diffie-Hellman parameters in
170 `/etc/default/pmgproxy` by setting `DHPARAMS` to the path of a file
171 containing DH parameters in PEM format, for example:
173 DHPARAMS="/path/to/dhparams.pem"
175 If this option is not set, the built-in `skip2048` parameters will be
178 NOTE: DH parameters are only used if a cipher suite utilizing the DH key
179 exchange algorithm is negotiated.
184 By default `pmgproxy` uses gzip HTTP-level compression for compressible
185 content, if the client supports it. This can be disabled in
186 `/etc/default/pmgproxy`
191 include::pmg-copyright.adoc[]