projects / pve-docs.git / blame
| Commit | Line | Data |
|---|---|---|
| 96f2beeb | 1 | ifdef::manvolnum[] |
| f1587b9e DM |
2 | pveproxy(8) |
| 3 | =========== | |
| 5377af6a | 4 | :pve-toplevel: |
| 96f2beeb DM |
5 | |
| 6 | NAME | |
| 7 | ---- | |
| 8 | ||
| 9 | pveproxy - PVE API Proxy Daemon | |
| 10 | ||
| 11 | ||
| 49a5e11c | 12 | SYNOPSIS |
| 96f2beeb DM |
13 | -------- |
| 14 | ||
| 15 | include::pveproxy.8-synopsis.adoc[] | |
| 16 | ||
| 17 | DESCRIPTION | |
| 18 | ----------- | |
| 19 | endif::manvolnum[] | |
| 20 | ||
| 21 | ifndef::manvolnum[] | |
| e8b392d3 FG |
22 | pveproxy - Proxmox VE API Proxy Daemon |
| 23 | ====================================== | |
| 96f2beeb DM |
24 | endif::manvolnum[] |
| 25 | ||
| 26 | This daemon exposes the whole {pve} API on TCP port 8006 using | |
| 8c1189b6 | 27 | HTTPS. It runs as user `www-data` and has very limited permissions. |
| 96f2beeb | 28 | Operation requiring more permissions are forwarded to the local |
| 8c1189b6 | 29 | `pvedaemon`. |
| 96f2beeb | 30 | |
| eb641429 DM |
31 | Requests targeted for other nodes are automatically forwarded to those |
| 32 | nodes. This means that you can manage your whole cluster by connecting | |
| 96f2beeb DM |
33 | to a single {pve} node. |
| 34 | ||
| eb641429 DM |
35 | Host based Access Control |
| 36 | ------------------------- | |
| 37 | ||
| 8c1189b6 FG |
38 | It is possible to configure ``apache2''-like access control |
| 39 | lists. Values are read from file `/etc/default/pveproxy`. For example: | |
| eb641429 DM |
40 | |
| 41 | ---- | |
| 42 | ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22" | |
| 43 | DENY_FROM="all" | |
| 44 | POLICY="allow" | |
| 45 | ---- | |
| 46 | ||
| 47 | IP addresses can be specified using any syntax understood by `Net::IP`. The | |
| 8c1189b6 | 48 | name `all` is an alias for `0/0`. |
| eb641429 | 49 | |
| 8c1189b6 | 50 | The default policy is `allow`. |
| eb641429 DM |
51 | |
| 52 | [width="100%",options="header"] | |
| 53 | |=========================================================== | |
| 54 | | Match | POLICY=deny | POLICY=allow | |
| 55 | | Match Allow only | allow | allow | |
| 56 | | Match Deny only | deny | deny | |
| 57 | | No match | deny | allow | |
| 58 | | Match Both Allow & Deny | deny | allow | |
| 59 | |=========================================================== | |
| 60 | ||
| 61 | ||
| fa25e615 SI |
62 | Listening IP |
| 63 | ------------ | |
| 64 | ||
| 65 | By setting `LISTEN_IP` in `/etc/default/pveproxy` you can control to which IP | |
| a22c19c3 TL |
66 | address the `pveproxy` and `spiceproxy` daemons bind. The IP-address needs to |
| 67 | be configured on the system. | |
| fa25e615 SI |
68 | |
| 69 | This can be used to listen only to an internal interface and thus have less | |
| 70 | exposure to the public internet: | |
| 71 | ||
| a3b4a546 TL |
72 | ---- |
| 73 | LISTEN_IP="192.0.2.1" | |
| 74 | ---- | |
| fa25e615 | 75 | |
| a3b4a546 | 76 | Similarly, you can also set an IPv6 address: |
| fa25e615 | 77 | |
| a3b4a546 TL |
78 | ---- |
| 79 | LISTEN_IP="2001:db8:85a3::1" | |
| 80 | ---- | |
| fa25e615 | 81 | |
| a22c19c3 TL |
82 | WARNING: The nodes in a cluster need access to `pveproxy` for communication, |
| 83 | possibly on different sub-nets. It is **not recommended** to set `LISTEN_IP` on | |
| 84 | clustered systems. | |
| fa25e615 | 85 | |
| eb641429 DM |
86 | SSL Cipher Suite |
| 87 | ---------------- | |
| 88 | ||
| 8c1189b6 | 89 | You can define the cipher list in `/etc/default/pveproxy`, for example |
| eb641429 | 90 | |
| ee0fb57b | 91 | CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" |
| eb641429 DM |
92 | |
| 93 | Above is the default. See the ciphers(1) man page from the openssl | |
| 94 | package for a list of all available options. | |
| 95 | ||
| 54de4e32 SI |
96 | Additionally you can define that the client choses the used cipher in |
| 97 | `/etc/default/pveproxy` (default is the first cipher in the list available to | |
| 98 | both client and `pveproxy`): | |
| 99 | ||
| 100 | HONOR_CIPHER_ORDER=0 | |
| 101 | ||
| eb641429 DM |
102 | |
| 103 | Diffie-Hellman Parameters | |
| 104 | ------------------------- | |
| 105 | ||
| 106 | You can define the used Diffie-Hellman parameters in | |
| 8c1189b6 | 107 | `/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file |
| eb641429 DM |
108 | containing DH parameters in PEM format, for example |
| 109 | ||
| 110 | DHPARAMS="/path/to/dhparams.pem" | |
| 111 | ||
| 8c1189b6 | 112 | If this option is not set, the built-in `skip2048` parameters will be |
| eb641429 DM |
113 | used. |
| 114 | ||
| 115 | NOTE: DH parameters are only used if a cipher suite utilizing the DH key | |
| 116 | exchange algorithm is negotiated. | |
| 117 | ||
| 98a741e0 FG |
118 | Alternative HTTPS certificate |
| 119 | ----------------------------- | |
| 120 | ||
| 0e9c6c13 | 121 | You can change the certificate used to an external one or to one obtained via |
| aeecd9ea SI |
122 | ACME. |
| 123 | ||
| 124 | pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and | |
| 125 | `/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to | |
| 126 | `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`. | |
| 127 | The private key may not use a passphrase. | |
| 128 | ||
| 129 | See the Host System Administration chapter of the documentation for details. | |
| 9b75a03a | 130 | |
| 54de4e32 SI |
131 | COMPRESSION |
| 132 | ----------- | |
| 133 | ||
| 134 | By default `pveproxy` uses gzip HTTP-level compression for compressible | |
| 135 | content, if the client supports it. This can disabled in `/etc/default/pveproxy` | |
| 136 | ||
| 137 | COMPRESSION=0 | |
| 138 | ||
| 96f2beeb DM |
139 | ifdef::manvolnum[] |
| 140 | include::pve-copyright.adoc[] | |
| 141 | endif::manvolnum[] |