[pve-docs.git] / pveproxy.adoc

ifdef::manvolnum[]
pveproxy(8)
===========
:pve-toplevel:

NAME
----

pveproxy - PVE API Proxy Daemon


SYNOPSIS
--------

include::pveproxy.8-synopsis.adoc[]

DESCRIPTION
-----------
endif::manvolnum[]

ifndef::manvolnum[]
pveproxy - Proxmox VE API Proxy Daemon
======================================
endif::manvolnum[]

This daemon exposes the whole {pve} API on TCP port 8006 using
HTTPS. It runs as user `www-data` and has very limited permissions.
Operation requiring more permissions are forwarded to the local
`pvedaemon`.

Requests targeted for other nodes are automatically forwarded to those
nodes. This means that you can manage your whole cluster by connecting
to a single {pve} node.

Host based Access Control
-------------------------

It is possible to configure ``apache2''-like access control
lists. Values are read from file `/etc/default/pveproxy`. For example:

----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
----

IP addresses can be specified using any syntax understood by `Net::IP`. The
name `all` is an alias for `0/0`.

The default policy is `allow`.

[width="100%",options="header"]
|===========================================================
| Match                      | POLICY=deny | POLICY=allow
| Match Allow only           | allow       | allow
| Match Deny only            | deny        | deny
| No match                   | deny        | allow
| Match Both Allow & Deny    | deny        | allow
|===========================================================


Listening IP
------------

By default the `pveproxy` and `spiceproxy` daemons listen on the wildcard
address and accept connections from both IPv4 and IPv6 clients.

By setting `LISTEN_IP` in `/etc/default/pveproxy` you can control to which IP
address the `pveproxy` and `spiceproxy` daemons bind. The IP-address needs to
be configured on the system.

This can be used to listen only to an internal interface and thus have less
exposure to the public internet:

----
LISTEN_IP="192.0.2.1"
----

Similarly, you can also set an IPv6 address:

----
LISTEN_IP="2001:db8:85a3::1"
----

Note that if you want to specify a link-local IPv6 address, you need to provide
the interface name itself. For example:

----
LISTEN_IP="fe80::c463:8cff:feb9:6a4e%vmbr0"
----

WARNING: The nodes in a cluster need access to `pveproxy` for communication,
possibly on different sub-nets. It is **not recommended** to set `LISTEN_IP` on
clustered systems.

To apply the change you need to either reboot your node or fully restart the
`pveproxy` and `spiceproxy` service:

----
systemctl restart pveproxy.service spiceproxy.service
----

NOTE: Unlike `reload`, a `restart` of the pveproxy service can interrupt some
long-running worker processes, for example a running console or shell from a
virtual guest. So, please use a maintenance window to bring this change in
effect.

NOTE: setting the `sysctl` `net.ipv6.bindv6only` to `1` will cause the daemons
  to only accept connection from IPv6 clients. This non-default setting usually
  also causes other issues. Either remove the `sysctl` setting, or set the
  `LISTEN_IP` to `0.0.0.0` (which will only allow IPv4 clients).


SSL Cipher Suite
----------------

You can define the cipher list in `/etc/default/pveproxy`, for example

 CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.

Additionally, you can set the client to choose the cipher used in
`/etc/default/pveproxy` (default is the first cipher in the list available to
both client and `pveproxy`):

 HONOR_CIPHER_ORDER=0


Diffie-Hellman Parameters
-------------------------

You can define the used Diffie-Hellman parameters in
`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
containing DH parameters in PEM format, for example

 DHPARAMS="/path/to/dhparams.pem"

If this option is not set, the built-in `skip2048` parameters will be
used.

NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.

Alternative HTTPS certificate
-----------------------------

You can change the certificate used to an external one or to one obtained via
ACME.

pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
`/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to
`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
The private key may not use a passphrase.

See the Host System Administration chapter of the documentation for details.

COMPRESSION
-----------

By default `pveproxy` uses gzip HTTP-level compression for compressible
content, if the client supports it. This can disabled in `/etc/default/pveproxy`

 COMPRESSION=0

ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]
Commit	Line	Data
96f2beeb	1	ifdef::manvolnum[]
f1587b9e DM	2	pveproxy(8)
f1587b9e DM	3	===========
5377af6a	4	:pve-toplevel:
96f2beeb DM	5
	6	NAME
	7	----
	8
	9	pveproxy - PVE API Proxy Daemon
	10
	11
49a5e11c	12	SYNOPSIS
96f2beeb DM	13	--------
	14
	15	include::pveproxy.8-synopsis.adoc[]
	16
	17	DESCRIPTION
	18	-----------
	19	endif::manvolnum[]
	20
	21	ifndef::manvolnum[]
e8b392d3 FG	22	pveproxy - Proxmox VE API Proxy Daemon
e8b392d3 FG	23	======================================
96f2beeb DM	24	endif::manvolnum[]
	25
	26	This daemon exposes the whole {pve} API on TCP port 8006 using
8c1189b6	27	HTTPS. It runs as user `www-data` and has very limited permissions.
96f2beeb	28	Operation requiring more permissions are forwarded to the local
8c1189b6	29	`pvedaemon`.
96f2beeb	30
eb641429 DM	31	Requests targeted for other nodes are automatically forwarded to those
eb641429 DM	32	nodes. This means that you can manage your whole cluster by connecting
96f2beeb DM	33	to a single {pve} node.
96f2beeb DM	34
eb641429 DM	35	Host based Access Control
	36	-------------------------
	37
8c1189b6 FG	38	It is possible to configure ``apache2''-like access control
8c1189b6 FG	39	lists. Values are read from file `/etc/default/pveproxy`. For example:
eb641429 DM	40
	41	----
	42	ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
	43	DENY_FROM="all"
	44	POLICY="allow"
	45	----
	46
	47	IP addresses can be specified using any syntax understood by `Net::IP`. The
8c1189b6	48	name `all` is an alias for `0/0`.
eb641429	49
8c1189b6	50	The default policy is `allow`.
eb641429 DM	51
	52	[width="100%",options="header"]
	53	\|===========================================================
	54	\| Match \| POLICY=deny \| POLICY=allow
	55	\| Match Allow only \| allow \| allow
	56	\| Match Deny only \| deny \| deny
	57	\| No match \| deny \| allow
	58	\| Match Both Allow & Deny \| deny \| allow
	59	\|===========================================================
	60
	61
fa25e615 SI	62	Listening IP
	63	------------
	64
2a057d73 SI	65	By default the `pveproxy` and `spiceproxy` daemons listen on the wildcard
	66	address and accept connections from both IPv4 and IPv6 clients.
	67
fa25e615	68	By setting `LISTEN_IP` in `/etc/default/pveproxy` you can control to which IP
a22c19c3 TL	69	address the `pveproxy` and `spiceproxy` daemons bind. The IP-address needs to
a22c19c3 TL	70	be configured on the system.
fa25e615 SI	71
	72	This can be used to listen only to an internal interface and thus have less
	73	exposure to the public internet:
	74
a3b4a546 TL	75	----
	76	LISTEN_IP="192.0.2.1"
	77	----
fa25e615	78
a3b4a546	79	Similarly, you can also set an IPv6 address:
fa25e615	80
a3b4a546 TL	81	----
	82	LISTEN_IP="2001:db8:85a3::1"
	83	----
8fd3f59f TL	84
	85	Note that if you want to specify a link-local IPv6 address, you need to provide
	86	the interface name itself. For example:
	87
	88	----
	89	LISTEN_IP="fe80::c463:8cff:feb9:6a4e%vmbr0"
	90	----
fa25e615	91
a22c19c3 TL	92	WARNING: The nodes in a cluster need access to `pveproxy` for communication,
	93	possibly on different sub-nets. It is not recommended to set `LISTEN_IP` on
	94	clustered systems.
fa25e615	95
169a0fc1 TL	96	To apply the change you need to either reboot your node or fully restart the
	97	`pveproxy` and `spiceproxy` service:
	98
	99	----
	100	systemctl restart pveproxy.service spiceproxy.service
	101	----
	102
	103	NOTE: Unlike `reload`, a `restart` of the pveproxy service can interrupt some
	104	long-running worker processes, for example a running console or shell from a
	105	virtual guest. So, please use a maintenance window to bring this change in
	106	effect.
	107
2a057d73 SI	108	NOTE: setting the `sysctl` `net.ipv6.bindv6only` to `1` will cause the daemons
	109	to only accept connection from IPv6 clients. This non-default setting usually
	110	also causes other issues. Either remove the `sysctl` setting, or set the
	111	`LISTEN_IP` to `0.0.0.0` (which will only allow IPv4 clients).
	112
	113
eb641429 DM	114	SSL Cipher Suite
	115	----------------
	116
8c1189b6	117	You can define the cipher list in `/etc/default/pveproxy`, for example
eb641429	118
ee0fb57b	119	CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
eb641429 DM	120
	121	Above is the default. See the ciphers(1) man page from the openssl
	122	package for a list of all available options.
	123
3a433e9b	124	Additionally, you can set the client to choose the cipher used in
54de4e32 SI	125	`/etc/default/pveproxy` (default is the first cipher in the list available to
	126	both client and `pveproxy`):
	127
	128	HONOR_CIPHER_ORDER=0
	129
eb641429 DM	130
	131	Diffie-Hellman Parameters
	132	-------------------------
	133
	134	You can define the used Diffie-Hellman parameters in
8c1189b6	135	`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
eb641429 DM	136	containing DH parameters in PEM format, for example
	137
	138	DHPARAMS="/path/to/dhparams.pem"
	139
8c1189b6	140	If this option is not set, the built-in `skip2048` parameters will be
eb641429 DM	141	used.
	142
	143	NOTE: DH parameters are only used if a cipher suite utilizing the DH key
	144	exchange algorithm is negotiated.
	145
98a741e0 FG	146	Alternative HTTPS certificate
	147	-----------------------------
	148
0e9c6c13	149	You can change the certificate used to an external one or to one obtained via
aeecd9ea SI	150	ACME.
	151
	152	pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
	153	`/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to
	154	`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
	155	The private key may not use a passphrase.
	156
	157	See the Host System Administration chapter of the documentation for details.
9b75a03a	158
54de4e32 SI	159	COMPRESSION
	160	-----------
	161
	162	By default `pveproxy` uses gzip HTTP-level compression for compressible
	163	content, if the client supports it. This can disabled in `/etc/default/pveproxy`
	164
	165	COMPRESSION=0
	166
96f2beeb DM	167	ifdef::manvolnum[]
	168	include::pve-copyright.adoc[]
	169	endif::manvolnum[]