X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=pveproxy.adoc;h=8d024185862b14041ea3f808ed737429d113f26c;hb=684db7e318f31946b370828dbec42bd88f6367b3;hp=125484f5118620625c4dc3954d336b609ba26a79;hpb=96f2beeb13548b0a3f86b62548809cea3be488c3;p=pve-docs.git diff --git a/pveproxy.adoc b/pveproxy.adoc index 125484f..8d02418 100644 --- a/pveproxy.adoc +++ b/pveproxy.adoc @@ -1,7 +1,7 @@ ifdef::manvolnum[] -PVE({manvolnum}) -================ -include::attributes.txt[] +pveproxy(8) +=========== +:pve-toplevel: NAME ---- @@ -9,7 +9,7 @@ NAME pveproxy - PVE API Proxy Daemon -SYNOPSYS +SYNOPSIS -------- include::pveproxy.8-synopsis.adoc[] @@ -19,20 +19,141 @@ DESCRIPTION endif::manvolnum[] ifndef::manvolnum[] -{pve} API Proxy Daemon -================ -include::attributes.txt[] +pveproxy - Proxmox VE API Proxy Daemon +====================================== endif::manvolnum[] This daemon exposes the whole {pve} API on TCP port 8006 using -HTTPS. It runs as user 'www-data' and has very limited permissions. +HTTPS. It runs as user `www-data` and has very limited permissions. Operation requiring more permissions are forwarded to the local -'pvedaemon'. +`pvedaemon`. -Request targeted for other nodes are automatically forwarded to that -node. This means that you can manage your whole cluster by connecting +Requests targeted for other nodes are automatically forwarded to those +nodes. This means that you can manage your whole cluster by connecting to a single {pve} node. +Host based Access Control +------------------------- + +It is possible to configure ``apache2''-like access control +lists. Values are read from file `/etc/default/pveproxy`. For example: + +---- +ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22" +DENY_FROM="all" +POLICY="allow" +---- + +IP addresses can be specified using any syntax understood by `Net::IP`. The +name `all` is an alias for `0/0`. + +The default policy is `allow`. + +[width="100%",options="header"] +|=========================================================== +| Match | POLICY=deny | POLICY=allow +| Match Allow only | allow | allow +| Match Deny only | deny | deny +| No match | deny | allow +| Match Both Allow & Deny | deny | allow +|=========================================================== + + +Listening IP +------------ + +By setting `LISTEN_IP` in `/etc/default/pveproxy` you can control to which IP +address the `pveproxy` and `spiceproxy` daemons bind. The IP-address needs to +be configured on the system. + +This can be used to listen only to an internal interface and thus have less +exposure to the public internet: + +---- +LISTEN_IP="192.0.2.1" +---- + +Similarly, you can also set an IPv6 address: + +---- +LISTEN_IP="2001:db8:85a3::1" +---- + +Note that if you want to specify a link-local IPv6 address, you need to provide +the interface name itself. For example: + +---- +LISTEN_IP="fe80::c463:8cff:feb9:6a4e%vmbr0" +---- + +WARNING: The nodes in a cluster need access to `pveproxy` for communication, +possibly on different sub-nets. It is **not recommended** to set `LISTEN_IP` on +clustered systems. + +To apply the change you need to either reboot your node or fully restart the +`pveproxy` and `spiceproxy` service: + +---- +systemctl restart pveproxy.service spiceproxy.service +---- + +NOTE: Unlike `reload`, a `restart` of the pveproxy service can interrupt some +long-running worker processes, for example a running console or shell from a +virtual guest. So, please use a maintenance window to bring this change in +effect. + +SSL Cipher Suite +---------------- + +You can define the cipher list in `/etc/default/pveproxy`, for example + + CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" + +Above is the default. See the ciphers(1) man page from the openssl +package for a list of all available options. + +Additionally, you can set the client to choose the cipher used in +`/etc/default/pveproxy` (default is the first cipher in the list available to +both client and `pveproxy`): + + HONOR_CIPHER_ORDER=0 + + +Diffie-Hellman Parameters +------------------------- + +You can define the used Diffie-Hellman parameters in +`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file +containing DH parameters in PEM format, for example + + DHPARAMS="/path/to/dhparams.pem" + +If this option is not set, the built-in `skip2048` parameters will be +used. + +NOTE: DH parameters are only used if a cipher suite utilizing the DH key +exchange algorithm is negotiated. + +Alternative HTTPS certificate +----------------------------- + +You can change the certificate used to an external one or to one obtained via +ACME. + +pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and +`/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to +`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`. +The private key may not use a passphrase. + +See the Host System Administration chapter of the documentation for details. + +COMPRESSION +----------- + +By default `pveproxy` uses gzip HTTP-level compression for compressible +content, if the client supports it. This can disabled in `/etc/default/pveproxy` + + COMPRESSION=0 ifdef::manvolnum[] include::pve-copyright.adoc[]