ifdef::manvolnum[]
PVE({manvolnum})
================
include::attributes.txt[]

NAME
----

pveproxy - PVE API Proxy Daemon


SYNOPSIS
--------

include::pveproxy.8-synopsis.adoc[]

DESCRIPTION
-----------
endif::manvolnum[]

ifndef::manvolnum[]
{pve} API Proxy Daemon
======================
include::attributes.txt[]
endif::manvolnum[]

This daemon exposes the whole {pve} API on TCP port 8006 using
HTTPS. It runs as user 'www-data' and has very limited permissions.
Operations requiring more permissions are forwarded to the local
'pvedaemon'.

Requests targeted for other nodes are automatically forwarded to those
nodes. This means that you can manage your whole cluster by connecting
to a single {pve} node.

Host-based Access Control
-------------------------

It is possible to configure "apache2"-like access control
lists. Values are read from the file '/etc/default/pveproxy'. For example:

----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
----

IP addresses can be specified using any syntax understood by `Net::IP`. The
name 'all' is an alias for '0/0'.

The default policy is 'allow'.

[width="100%",options="header"]
|===========================================================
| Match | POLICY=deny | POLICY=allow
| Match Allow only | allow | allow
| Match Deny only | deny | deny
| No match | deny | allow
| Match Both Allow & Deny | deny | allow
|===========================================================
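
The decision table above, as an added Python sketch run against the example configuration (this is not pveproxy's own code, which relies on `Net::IP`). The function names `parse_list` and `decide` are hypothetical, and the parser handles only the IPv4 forms shown on this page: a single address, a `first-last` range, CIDR notation, and `all`.

```python
import ipaddress


def parse_list(value):
    """Parse a comma-separated ALLOW_FROM/DENY_FROM value into IPv4 networks."""
    nets = []
    for item in filter(None, (s.strip() for s in value.split(","))):
        if item in ("all", "0/0"):            # 'all' is an alias for '0/0'
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif "-" in item:                     # inclusive range: first-last
            first, last = (ipaddress.ip_address(p.strip())
                           for p in item.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:                                 # single address or CIDR block
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def decide(addr, allow_from="", deny_from="", policy="allow"):
    """Return 'allow' or 'deny' for addr according to the table above."""
    if policy not in ("allow", "deny"):
        raise ValueError("POLICY must be 'allow' or 'deny'")
    ip = ipaddress.ip_address(addr)
    in_allow = any(ip in net for net in parse_list(allow_from))
    in_deny = any(ip in net for net in parse_list(deny_from))
    if in_allow and not in_deny:              # Match Allow only
        return "allow"
    if in_deny and not in_allow:              # Match Deny only
        return "deny"
    return policy                             # No match, or match both


if __name__ == "__main__":
    # Example configuration from this page.
    cfg = {"allow_from": "10.0.0.1-10.0.0.5,192.168.0.0/22",
           "deny_from": "all", "policy": "allow"}
    # Client addresses below are constructed samples.
    for client in ("10.0.0.3", "192.168.3.7", "10.0.0.6", "203.0.113.9"):
        print(client, decide(client, **cfg))
```

With the example configuration, listed addresses match both lists and fall through to `POLICY="allow"`, while every other address matches only `DENY_FROM` and is denied. Changing only `POLICY` to `deny` while keeping `DENY_FROM="all"` would deny the listed addresses as well, per the last table row.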


SSL Cipher Suite
----------------

You can define the cipher list in '/etc/default/pveproxy', for example

 CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"

Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.


Diffie-Hellman Parameters
-------------------------

You can define the used Diffie-Hellman parameters in
'/etc/default/pveproxy' by setting `DHPARAMS` to the path of a file
containing DH parameters in PEM format, for example

 DHPARAMS="/path/to/dhparams.pem"

If this option is not set, the built-in 'skip2048' parameters will be
used.

NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.


ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]