ifdef::manvolnum[]
-PVE({manvolnum})
-================
-include::attributes.txt[]
+pveproxy(8)
+===========
+:pve-toplevel:
NAME
----
pveproxy - PVE API Proxy Daemon
-SYNOPSYS
+SYNOPSIS
--------
include::pveproxy.8-synopsis.adoc[]
endif::manvolnum[]
ifndef::manvolnum[]
-{pve} API Proxy Daemon
-======================
-include::attributes.txt[]
+pveproxy - Proxmox VE API Proxy Daemon
+======================================
endif::manvolnum[]
This daemon exposes the whole {pve} API on TCP port 8006 using
-HTTPS. It runs as user 'www-data' and has very limited permissions.
+HTTPS. It runs as user `www-data` and has very limited permissions.
Operation requiring more permissions are forwarded to the local
-'pvedaemon'.
+`pvedaemon`.
Requests targeted for other nodes are automatically forwarded to those
nodes. This means that you can manage your whole cluster by connecting
Host based Access Control
-------------------------
-It is possible to configure "apache2" like access control
-lists. Values are read from file '/etc/default/pveproxy'. For example:
+It is possible to configure ``apache2''-like access control
+lists. Values are read from file `/etc/default/pveproxy`. For example:
----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
----
IP addresses can be specified using any syntax understood by `Net::IP`. The
-name 'all' is an alias for '0/0'.
+name `all` is an alias for `0/0`.
-The default policy is 'allow'.
+The default policy is `allow`.
[width="100%",options="header"]
|===========================================================
SSL Cipher Suite
----------------
-You can define the cipher list in '/etc/default/pveproxy', for example
+You can define the cipher list in `/etc/default/pveproxy`, for example
- CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
+ CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.
+Additionally you can define that the client choses the used cipher in
+`/etc/default/pveproxy` (default is the first cipher in the list available to
+both client and `pveproxy`):
+
+ HONOR_CIPHER_ORDER=0
+
Diffie-Hellman Parameters
-------------------------
You can define the used Diffie-Hellman parameters in
-'/etc/default/pveproxy' by setting `DHPARAMS` to the path of a file
+`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
containing DH parameters in PEM format, for example
DHPARAMS="/path/to/dhparams.pem"
-If this option is not set, the built-in 'skip2048' parameters will be
+If this option is not set, the built-in `skip2048` parameters will be
used.
NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.
+Alternative HTTPS certificate
+-----------------------------
+
+You can change the certificate used to an external one or to one obtained via
+ACME.
+
+pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
+`/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to
+`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
+The private key may not use a passphrase.
+
+See the Host System Administration chapter of the documentation for details.
+
+COMPRESSION
+-----------
+
+By default `pveproxy` uses gzip HTTP-level compression for compressible
+content, if the client supports it. This can disabled in `/etc/default/pveproxy`
+
+ COMPRESSION=0
ifdef::manvolnum[]
include::pve-copyright.adoc[]