]> git.proxmox.com Git - pve-docs.git/blame - pveproxy.adoc
projects / pve-docs.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
add documentation for display types and memory configuration
[pve-docs.git] / pveproxy.adoc
CommitLineData
96f2beeb 1ifdef::manvolnum[]
f1587b9e
DM		 2pveproxy(8)
3===========
5377af6a 4:pve-toplevel:
96f2beeb
DM		 5
6NAME
7----
8
9pveproxy - PVE API Proxy Daemon
10
11
49a5e11c 12SYNOPSIS
96f2beeb
DM		 13--------
14
15include::pveproxy.8-synopsis.adoc[]
16
17DESCRIPTION
18-----------
19endif::manvolnum[]
20
21ifndef::manvolnum[]
e8b392d3
FG		 22pveproxy - Proxmox VE API Proxy Daemon
23======================================
96f2beeb
DM		 24endif::manvolnum[]
25
26This daemon exposes the whole {pve} API on TCP port 8006 using
8c1189b6 27HTTPS. It runs as user `www-data` and has very limited permissions.
96f2beeb 28Operation requiring more permissions are forwarded to the local
8c1189b6 29`pvedaemon`.
96f2beeb 30
eb641429
DM		 31Requests targeted for other nodes are automatically forwarded to those
32nodes. This means that you can manage your whole cluster by connecting
96f2beeb
DM		 33to a single {pve} node.
34
eb641429
DM		 35Host based Access Control
36-------------------------
37
8c1189b6
FG		 38It is possible to configure ``apache2''-like access control
39lists. Values are read from file `/etc/default/pveproxy`. For example:
eb641429
DM		 40
41----
42ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
43DENY_FROM="all"
44POLICY="allow"
45----
46
47IP addresses can be specified using any syntax understood by `Net::IP`. The
8c1189b6 48name `all` is an alias for `0/0`.
eb641429 49
8c1189b6 50The default policy is `allow`.
eb641429
DM		 51
52[width="100%",options="header"]
53|===========================================================
54| Match | POLICY=deny | POLICY=allow
55| Match Allow only | allow | allow
56| Match Deny only | deny | deny
57| No match | deny | allow
58| Match Both Allow & Deny | deny | allow
59|===========================================================
60
61
62SSL Cipher Suite
63----------------
64
8c1189b6 65You can define the cipher list in `/etc/default/pveproxy`, for example
eb641429 66
ee0fb57b 67 CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
eb641429
DM		 68
69Above is the default. See the ciphers(1) man page from the openssl
70package for a list of all available options.
71
72
73Diffie-Hellman Parameters
74-------------------------
75
76You can define the used Diffie-Hellman parameters in
8c1189b6 77`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
eb641429
DM		 78containing DH parameters in PEM format, for example
79
80 DHPARAMS="/path/to/dhparams.pem"
81
8c1189b6 82If this option is not set, the built-in `skip2048` parameters will be
eb641429
DM		 83used.
84
85NOTE: DH parameters are only used if a cipher suite utilizing the DH key
86exchange algorithm is negotiated.
87
98a741e0
FG		 88Alternative HTTPS certificate
89-----------------------------
90
0e9c6c13 91You can change the certificate used to an external one or to one obtained via
aeecd9ea
SI		 92ACME.
93
94pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
95`/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to
96`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
97The private key may not use a passphrase.
98
99See the Host System Administration chapter of the documentation for details.
9b75a03a 100
96f2beeb
DM		 101ifdef::manvolnum[]
102include::pve-copyright.adoc[]
103endif::manvolnum[]
PVE Documentation