X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;ds=sidebyside;f=pveproxy.adoc;h=663b069a9864bf784f55c95a84a1692f7ab0bfcd;hb=a4c6084830b7f5e32fae9f080683e041f48834cc;hp=665e575f4dc67f97d1c9750d8cd675a6c0a66d8c;hpb=2a057d732a2ee25af25c6e3798212b9b0abe2036;p=pve-docs.git diff --git a/pveproxy.adoc b/pveproxy.adoc index 665e575..663b069 100644 --- a/pveproxy.adoc +++ b/pveproxy.adoc @@ -45,7 +45,8 @@ POLICY="allow" ---- IP addresses can be specified using any syntax understood by `Net::IP`. The -name `all` is an alias for `0/0`. +name `all` is an alias for `0/0` and `::/0` (meaning all IPv4 and IPv6 +addresses). The default policy is `allow`. @@ -65,12 +66,19 @@ Listening IP By default the `pveproxy` and `spiceproxy` daemons listen on the wildcard address and accept connections from both IPv4 and IPv6 clients. + By setting `LISTEN_IP` in `/etc/default/pveproxy` you can control to which IP address the `pveproxy` and `spiceproxy` daemons bind. The IP-address needs to be configured on the system. -This can be used to listen only to an internal interface and thus have less -exposure to the public internet: +Setting the `sysctl` `net.ipv6.bindv6only` to the non-default `1` will cause +the daemons to only accept connection from IPv6 clients, while usually also +causing lots of other issues. If you set this configuration we recommend to +either remove the `sysctl` setting, or set the `LISTEN_IP` to `0.0.0.0` (which +will only allow IPv4 clients). + +`LISTEN_IP` can be used to only to restricting the socket to an internal +interface and thus have less exposure to the public internet, for example: ---- LISTEN_IP="192.0.2.1" @@ -105,18 +113,15 @@ long-running worker processes, for example a running console or shell from a virtual guest. So, please use a maintenance window to bring this change in effect. -NOTE: setting the `sysctl` `net.ipv6.bindv6only` to `1` will cause the daemons - to only accept connection from IPv6 clients. This non-default setting usually - also causes other issues. Either remove the `sysctl` setting, or set the - `LISTEN_IP` to `0.0.0.0` (which will only allow IPv4 clients). - SSL Cipher Suite ---------------- -You can define the cipher list in `/etc/default/pveproxy`, for example +You can define the cipher list in `/etc/default/pveproxy` via the `CIPHERS` +(TLS <= 1.2) and `CIPHERSUITES` (TLS >= 1.3) keys. For example CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" + CIPHERSUITES="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" Above is the default. See the ciphers(1) man page from the openssl package for a list of all available options. @@ -128,6 +133,25 @@ both client and `pveproxy`): HONOR_CIPHER_ORDER=0 +Supported TLS versions +---------------------- + +The insecure SSL versions 2 and 3 are unconditionally disabled for pveproxy. +TLS versions below 1.1 are disabled by default on recent OpenSSL versions, +which is honored by `pveproxy` (see `/etc/ssl/openssl.cnf`). + +To disable TLS version 1.2 or 1.3, set the following in `/etc/default/pveproxy`: + + DISABLE_TLS_1_2=1 + +or, respectively: + + DISABLE_TLS_1_3=1 + +NOTE: Unless there is a specific reason to do so, it is not recommended to +manually adjust the supported TLS versions. + + Diffie-Hellman Parameters ------------------------- @@ -154,6 +178,14 @@ pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`. The private key may not use a passphrase. +It is possible to override the location of the certificate private key +`/etc/pve/local/pveproxy-ssl.key` by setting `TLS_KEY_FILE` in +`/etc/default/pveproxy`, for example: + + TLS_KEY_FILE="/secrets/pveproxy.key" + +NOTE: The included ACME integration does not honor this setting. + See the Host System Administration chapter of the documentation for details. COMPRESSION