X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=pveproxy.adoc;h=f7111a1256febcb5d5b7bc82836fead2c39972dc;hb=016399943d708c8a80a55c0b103a0f9bde39ac06;hp=125484f5118620625c4dc3954d336b609ba26a79;hpb=96f2beeb13548b0a3f86b62548809cea3be488c3;p=pve-docs.git diff --git a/pveproxy.adoc b/pveproxy.adoc index 125484f..f7111a1 100644 --- a/pveproxy.adoc +++ b/pveproxy.adoc @@ -20,7 +20,7 @@ endif::manvolnum[] ifndef::manvolnum[] {pve} API Proxy Daemon -================ +====================== include::attributes.txt[] endif::manvolnum[] 
@@ -29,10 +29,80 @@ HTTPS. It runs as user 'www-data' and has very limited permissions. Operation requiring more permissions are forwarded to the local 'pvedaemon'. -Request targeted for other nodes are automatically forwarded to that -node. This means that you can manage your whole cluster by connecting +Requests targeted for other nodes are automatically forwarded to those +nodes. This means that you can manage your whole cluster by connecting to a single {pve} node. +Host based Access Control +------------------------- + +It is possible to configure "apache2" like access control +lists. Values are read from file '/etc/default/pveproxy'. For example: + +---- +ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22" +DENY_FROM="all" +POLICY="allow" +---- + +IP addresses can be specified using any syntax understood by `Net::IP`. The +name 'all' is an alias for '0/0'. + +The default policy is 'allow'. + +[width="100%",options="header"] +|=========================================================== +| Match | POLICY=deny | POLICY=allow +| Match Allow only | allow | allow +| Match Deny only | deny | deny +| No match | deny | allow +| Match Both Allow & Deny | deny | allow +|=========================================================== + + +SSL Cipher Suite +---------------- + +You can define the cipher list in '/etc/default/pveproxy', for example + + CIPHERS="HIGH:MEDIUM:!aNULL:!MD5" + +Above is the default. See the ciphers(1) man page from the openssl +package for a list of all available options. + + +Diffie-Hellman Parameters +------------------------- + +You can define the used Diffie-Hellman parameters in +'/etc/default/pveproxy' by setting `DHPARAMS` to the path of a file +containing DH parameters in PEM format, for example + + DHPARAMS="/path/to/dhparams.pem" + +If this option is not set, the built-in 'skip2048' parameters will be +used. + +NOTE: DH parameters are only used if a cipher suite utilizing the DH key +exchange algorithm is negotiated. 
+ +Alternative HTTPS certificate +----------------------------- + +By default, pveproxy uses the certificate '/etc/pve/local/pve-ssl.pem' +(and private key '/etc/pve/local/pve-ssl.key') for HTTPS connections. +This certificate is signed by the cluster CA certificate, and therefor +not trusted by browsers and operating systems by default. + +In order to use a different certificate and private key for HTTPS, +store the server certificate and any needed intermediate / CA +certificates in PEM format in the file '/etc/pve/local/pveproxy-ssl.pem' +and the associated private key in PEM format without a password in the +file '/etc/pve/local/pveproxy-ssl.key'. + +WARNING: Do not replace the automatically generated node certificate +files in '/etc/pve/local/pve-ssl.pem'/'etc/pve/local/pve-ssl.key' or +the cluster CA files in '/etc/pve/pve-root-ca.pem'/'/etc/pve/priv/pve-root-ca.key'. ifdef::manvolnum[] include::pve-copyright.adoc[]
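Review bot: two copy errors in the new 'Alternative HTTPS certificate' section should be fixed before merging: "therefor" should read "therefore", and the WARNING line drops the leading slash from the second path, so `'/etc/pve/local/pve-ssl.pem'/'etc/pve/local/pve-ssl.key'` should become `'/etc/pve/local/pve-ssl.pem'/'/etc/pve/local/pve-ssl.key'`, matching the cluster CA pair on the following line. Two documentation gaps in the same hunk are worth closing as well: the 'Host based Access Control' section never says when '/etc/default/pveproxy' is read, so a sentence stating whether pveproxy has to be restarted for ALLOW_FROM, DENY_FROM or POLICY changes to take effect would spare readers a guess; and because the example pairs DENY_FROM="all" with POLICY="allow", it would help to spell out that this is the intended default-deny pattern, since by the table every client then matches Deny and only addresses also listed in ALLOW_FROM are admitted. Finally, the certificate section requires the private key "without a password", which means '/etc/pve/local/pveproxy-ssl.key' holds the key unencrypted; a short caveat that the file must not be readable beyond what pveproxy needs would be a useful addition.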