X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=pveproxy.adoc;h=d50d04a967f540627daea77c14f8623eeb7f0cfb;hb=HEAD;hp=4696d664aefd6fec71cf54df356230d6d8d5040e;hpb=8569bf94a3f6e29511e87773a2060f5fdc89b775;p=pve-docs.git diff --git a/pveproxy.adoc b/pveproxy.adoc index 4696d66..4b5dac0 100644 --- a/pveproxy.adoc +++ b/pveproxy.adoc @@ -23,20 +23,20 @@ pveproxy - Proxmox VE API Proxy Daemon ====================================== endif::manvolnum[] -This daemon exposes the whole {pve} API on TCP port 8006 using -HTTPS. It runs as user `www-data` and has very limited permissions. -Operation requiring more permissions are forwarded to the local -`pvedaemon`. +This daemon exposes the whole {pve} API on TCP port 8006 using HTTPS. It runs +as user `www-data` and has very limited permissions. Operation requiring more +permissions are forwarded to the local `pvedaemon`. -Requests targeted for other nodes are automatically forwarded to those -nodes. This means that you can manage your whole cluster by connecting -to a single {pve} node. +Requests targeted for other nodes are automatically forwarded to those nodes. +This means that you can manage your whole cluster by connecting to a single +{pve} node. +[[pveproxy_host_acls]] Host based Access Control ------------------------- -It is possible to configure ``apache2''-like access control -lists. Values are read from file `/etc/default/pveproxy`. For example: +It is possible to configure ``apache2''-like access control lists. Values are +read from file `/etc/default/pveproxy`. For example: ---- ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22" @@ -59,9 +59,9 @@ The default policy is `allow`. | Match Both Allow & Deny | deny | allow |=========================================================== - -Listening IP ------------- +[[pveproxy_listening_address]] +Listening IP Address +-------------------- By default the `pveproxy` and `spiceproxy` daemons listen on the wildcard address and accept connections from both IPv4 and IPv6 clients. @@ -117,9 +117,11 @@ effect. SSL Cipher Suite ---------------- -You can define the cipher list in `/etc/default/pveproxy`, for example +You can define the cipher list in `/etc/default/pveproxy` via the `CIPHERS` +(TLS <= 1.2) and `CIPHERSUITES` (TLS >= 1.3) keys. For example CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" + CIPHERSUITES="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" Above is the default. See the ciphers(1) man page from the openssl package for a list of all available options. @@ -131,6 +133,25 @@ both client and `pveproxy`): HONOR_CIPHER_ORDER=0 +Supported TLS versions +---------------------- + +The insecure SSL versions 2 and 3 are unconditionally disabled for pveproxy. +TLS versions below 1.1 are disabled by default on recent OpenSSL versions, +which is honored by `pveproxy` (see `/etc/ssl/openssl.cnf`). + +To disable TLS version 1.2 or 1.3, set the following in `/etc/default/pveproxy`: + + DISABLE_TLS_1_2=1 + +or, respectively: + + DISABLE_TLS_1_3=1 + +NOTE: Unless there is a specific reason to do so, it is not recommended to +manually adjust the supported TLS versions. + + Diffie-Hellman Parameters ------------------------- @@ -146,6 +167,7 @@ used. NOTE: DH parameters are only used if a cipher suite utilizing the DH key exchange algorithm is negotiated. +[[pveproxy_custom_tls_cert]] Alternative HTTPS certificate ----------------------------- @@ -157,10 +179,19 @@ pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`. The private key may not use a passphrase. +It is possible to override the location of the certificate private key +`/etc/pve/local/pveproxy-ssl.key` by setting `TLS_KEY_FILE` in +`/etc/default/pveproxy`, for example: + + TLS_KEY_FILE="/secrets/pveproxy.key" + +NOTE: The included ACME integration does not honor this setting. + See the Host System Administration chapter of the documentation for details. -COMPRESSION ------------ +[[pveproxy_response_compression]] +Response Compression +-------------------- By default `pveproxy` uses gzip HTTP-level compression for compressible content, if the client supports it. This can disabled in `/etc/default/pveproxy`