X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=pveproxy.adoc;h=4696d664aefd6fec71cf54df356230d6d8d5040e;hb=bdf0aff2f5812118802e586f2cc7aed831769353;hp=5a03c822ae9f443d957c2234f7f38a6f583ab779;hpb=5377af6a47ee572bbb360d412f35f720c7f01ea5;p=pve-docs.git diff --git a/pveproxy.adoc b/pveproxy.adoc index 5a03c82..4696d66 100644 --- a/pveproxy.adoc +++ b/pveproxy.adoc @@ -1,7 +1,6 @@ ifdef::manvolnum[] -PVE(8) -====== -include::attributes.txt[] +pveproxy(8) +=========== :pve-toplevel: NAME @@ -22,7 +21,6 @@ endif::manvolnum[] ifndef::manvolnum[] pveproxy - Proxmox VE API Proxy Daemon ====================================== -include::attributes.txt[] endif::manvolnum[] This daemon exposes the whole {pve} API on TCP port 8006 using @@ -47,7 +45,8 @@ POLICY="allow" ---- IP addresses can be specified using any syntax understood by `Net::IP`. The -name `all` is an alias for `0/0`. +name `all` is an alias for `0/0` and `::/0` (meaning all IPv4 and IPv6 +addresses). The default policy is `allow`. @@ -61,16 +60,76 @@ The default policy is `allow`. |=========================================================== +Listening IP +------------ + +By default the `pveproxy` and `spiceproxy` daemons listen on the wildcard +address and accept connections from both IPv4 and IPv6 clients. + + +By setting `LISTEN_IP` in `/etc/default/pveproxy` you can control to which IP +address the `pveproxy` and `spiceproxy` daemons bind. The IP-address needs to +be configured on the system. + +Setting the `sysctl` `net.ipv6.bindv6only` to the non-default `1` will cause +the daemons to only accept connection from IPv6 clients, while usually also +causing lots of other issues. If you set this configuration we recommend to +either remove the `sysctl` setting, or set the `LISTEN_IP` to `0.0.0.0` (which +will only allow IPv4 clients). + +`LISTEN_IP` can be used to only to restricting the socket to an internal +interface and thus have less exposure to the public internet, for example: + +---- +LISTEN_IP="192.0.2.1" +---- + +Similarly, you can also set an IPv6 address: + +---- +LISTEN_IP="2001:db8:85a3::1" +---- + +Note that if you want to specify a link-local IPv6 address, you need to provide +the interface name itself. For example: + +---- +LISTEN_IP="fe80::c463:8cff:feb9:6a4e%vmbr0" +---- + +WARNING: The nodes in a cluster need access to `pveproxy` for communication, +possibly on different sub-nets. It is **not recommended** to set `LISTEN_IP` on +clustered systems. + +To apply the change you need to either reboot your node or fully restart the +`pveproxy` and `spiceproxy` service: + +---- +systemctl restart pveproxy.service spiceproxy.service +---- + +NOTE: Unlike `reload`, a `restart` of the pveproxy service can interrupt some +long-running worker processes, for example a running console or shell from a +virtual guest. So, please use a maintenance window to bring this change in +effect. + + SSL Cipher Suite ---------------- You can define the cipher list in `/etc/default/pveproxy`, for example - CIPHERS="HIGH:MEDIUM:!aNULL:!MD5" + CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" Above is the default. See the ciphers(1) man page from the openssl package for a list of all available options. +Additionally, you can set the client to choose the cipher used in +`/etc/default/pveproxy` (default is the first cipher in the list available to +both client and `pveproxy`): + + HONOR_CIPHER_ORDER=0 + Diffie-Hellman Parameters ------------------------- @@ -90,26 +149,23 @@ exchange algorithm is negotiated. Alternative HTTPS certificate ----------------------------- -By default, pveproxy uses the certificate `/etc/pve/local/pve-ssl.pem` -(and private key `/etc/pve/local/pve-ssl.key`) for HTTPS connections. -This certificate is signed by the cluster CA certificate, and therefor -not trusted by browsers and operating systems by default. - -In order to use a different certificate and private key for HTTPS, -store the server certificate and any needed intermediate / CA -certificates in PEM format in the file `/etc/pve/local/pveproxy-ssl.pem` -and the associated private key in PEM format without a password in the -file `/etc/pve/local/pveproxy-ssl.key`. - -WARNING: Do not replace the automatically generated node certificate -files in `/etc/pve/local/pve-ssl.pem` and `etc/pve/local/pve-ssl.key` or -the cluster CA files in `/etc/pve/pve-root-ca.pem` and -`/etc/pve/priv/pve-root-ca.key`. - -NOTE: There is a detailed HOWTO for configuring commercial HTTPS certificates -on the {webwiki-url}HTTPS_Certificate_Configuration_(Version_4.x_and_newer)[wiki], -including setup instructions for obtaining certificates from the popular free -Let's Encrypt certificate authority. +You can change the certificate used to an external one or to one obtained via +ACME. + +pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and +`/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to +`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`. +The private key may not use a passphrase. + +See the Host System Administration chapter of the documentation for details. + +COMPRESSION +----------- + +By default `pveproxy` uses gzip HTTP-level compression for compressible +content, if the client supports it. This can disabled in `/etc/default/pveproxy` + + COMPRESSION=0 ifdef::manvolnum[] include::pve-copyright.adoc[]