[pve-docs.git] / pveproxy.adoc

ifdef::manvolnum[]
pveproxy(8)
===========
include::attributes.txt[]
:pve-toplevel:

NAME
----

pveproxy - PVE API Proxy Daemon


SYNOPSIS
--------

include::pveproxy.8-synopsis.adoc[]

DESCRIPTION
-----------
endif::manvolnum[]

ifndef::manvolnum[]
pveproxy - Proxmox VE API Proxy Daemon
======================================
include::attributes.txt[]
endif::manvolnum[]

This daemon exposes the whole {pve} API on TCP port 8006 using
HTTPS. It runs as user `www-data` and has very limited permissions.
Operation requiring more permissions are forwarded to the local
`pvedaemon`.

Requests targeted for other nodes are automatically forwarded to those
nodes. This means that you can manage your whole cluster by connecting
to a single {pve} node.

Host based Access Control
-------------------------

It is possible to configure ``apache2''-like access control
lists. Values are read from file `/etc/default/pveproxy`. For example:

----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
----

IP addresses can be specified using any syntax understood by `Net::IP`. The
name `all` is an alias for `0/0`.

The default policy is `allow`.

[width="100%",options="header"]
|===========================================================
| Match                      | POLICY=deny | POLICY=allow
| Match Allow only           | allow       | allow
| Match Deny only            | deny        | deny
| No match                   | deny        | allow
| Match Both Allow & Deny    | deny        | allow
|===========================================================


SSL Cipher Suite
----------------

You can define the cipher list in `/etc/default/pveproxy`, for example

 CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"

Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.


Diffie-Hellman Parameters
-------------------------

You can define the used Diffie-Hellman parameters in
`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
containing DH parameters in PEM format, for example

 DHPARAMS="/path/to/dhparams.pem"

If this option is not set, the built-in `skip2048` parameters will be
used.

NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.

Alternative HTTPS certificate
-----------------------------

By default, pveproxy uses the certificate `/etc/pve/local/pve-ssl.pem`
(and private key `/etc/pve/local/pve-ssl.key`) for HTTPS connections.
This certificate is signed by the cluster CA certificate, and therefor
not trusted by browsers and operating systems by default.

In order to use a different certificate and private key for HTTPS,
store the server certificate and any needed intermediate / CA
certificates in PEM format in the file `/etc/pve/local/pveproxy-ssl.pem`
and the associated private key in PEM format without a password in the
file `/etc/pve/local/pveproxy-ssl.key`.

WARNING: Do not replace the automatically generated node certificate
files in `/etc/pve/local/pve-ssl.pem` and `etc/pve/local/pve-ssl.key` or
the cluster CA files in `/etc/pve/pve-root-ca.pem` and
`/etc/pve/priv/pve-root-ca.key`.

NOTE: There is a detailed HOWTO for configuring commercial HTTPS certificates
on the {webwiki-url}HTTPS_Certificate_Configuration_(Version_4.x_and_newer)[wiki],
including setup instructions for obtaining certificates from the popular free
Let's Encrypt certificate authority.

ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]
Commit	Line	Data
96f2beeb	1	ifdef::manvolnum[]
f1587b9e DM	2	pveproxy(8)
f1587b9e DM	3	===========
96f2beeb	4	include::attributes.txt[]
5377af6a	5	:pve-toplevel:
96f2beeb DM	6
	7	NAME
	8	----
	9
	10	pveproxy - PVE API Proxy Daemon
	11
	12
49a5e11c	13	SYNOPSIS
96f2beeb DM	14	--------
	15
	16	include::pveproxy.8-synopsis.adoc[]
	17
	18	DESCRIPTION
	19	-----------
	20	endif::manvolnum[]
	21
	22	ifndef::manvolnum[]
e8b392d3 FG	23	pveproxy - Proxmox VE API Proxy Daemon
e8b392d3 FG	24	======================================
96f2beeb DM	25	include::attributes.txt[]
	26	endif::manvolnum[]
	27
	28	This daemon exposes the whole {pve} API on TCP port 8006 using
8c1189b6	29	HTTPS. It runs as user `www-data` and has very limited permissions.
96f2beeb	30	Operation requiring more permissions are forwarded to the local
8c1189b6	31	`pvedaemon`.
96f2beeb	32
eb641429 DM	33	Requests targeted for other nodes are automatically forwarded to those
eb641429 DM	34	nodes. This means that you can manage your whole cluster by connecting
96f2beeb DM	35	to a single {pve} node.
96f2beeb DM	36
eb641429 DM	37	Host based Access Control
	38	-------------------------
	39
8c1189b6 FG	40	It is possible to configure ``apache2''-like access control
8c1189b6 FG	41	lists. Values are read from file `/etc/default/pveproxy`. For example:
eb641429 DM	42
	43	----
	44	ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
	45	DENY_FROM="all"
	46	POLICY="allow"
	47	----
	48
	49	IP addresses can be specified using any syntax understood by `Net::IP`. The
8c1189b6	50	name `all` is an alias for `0/0`.
eb641429	51
8c1189b6	52	The default policy is `allow`.
eb641429 DM	53
	54	[width="100%",options="header"]
	55	\|===========================================================
	56	\| Match \| POLICY=deny \| POLICY=allow
	57	\| Match Allow only \| allow \| allow
	58	\| Match Deny only \| deny \| deny
	59	\| No match \| deny \| allow
	60	\| Match Both Allow & Deny \| deny \| allow
	61	\|===========================================================
	62
	63
	64	SSL Cipher Suite
	65	----------------
	66
8c1189b6	67	You can define the cipher list in `/etc/default/pveproxy`, for example
eb641429 DM	68
	69	CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
	70
	71	Above is the default. See the ciphers(1) man page from the openssl
	72	package for a list of all available options.
	73
	74
	75	Diffie-Hellman Parameters
	76	-------------------------
	77
	78	You can define the used Diffie-Hellman parameters in
8c1189b6	79	`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
eb641429 DM	80	containing DH parameters in PEM format, for example
	81
	82	DHPARAMS="/path/to/dhparams.pem"
	83
8c1189b6	84	If this option is not set, the built-in `skip2048` parameters will be
eb641429 DM	85	used.
	86
	87	NOTE: DH parameters are only used if a cipher suite utilizing the DH key
	88	exchange algorithm is negotiated.
	89
98a741e0 FG	90	Alternative HTTPS certificate
	91	-----------------------------
	92
8c1189b6 FG	93	By default, pveproxy uses the certificate `/etc/pve/local/pve-ssl.pem`
8c1189b6 FG	94	(and private key `/etc/pve/local/pve-ssl.key`) for HTTPS connections.
98a741e0 FG	95	This certificate is signed by the cluster CA certificate, and therefor
	96	not trusted by browsers and operating systems by default.
	97
	98	In order to use a different certificate and private key for HTTPS,
	99	store the server certificate and any needed intermediate / CA
8c1189b6	100	certificates in PEM format in the file `/etc/pve/local/pveproxy-ssl.pem`
98a741e0	101	and the associated private key in PEM format without a password in the
8c1189b6	102	file `/etc/pve/local/pveproxy-ssl.key`.
98a741e0 FG	103
98a741e0 FG	104	WARNING: Do not replace the automatically generated node certificate
8c1189b6 FG	105	files in `/etc/pve/local/pve-ssl.pem` and `etc/pve/local/pve-ssl.key` or
	106	the cluster CA files in `/etc/pve/pve-root-ca.pem` and
	107	`/etc/pve/priv/pve-root-ca.key`.
96f2beeb	108
9b75a03a FG	109	NOTE: There is a detailed HOWTO for configuring commercial HTTPS certificates
	110	on the {webwiki-url}HTTPS_Certificate_Configuration_(Version_4.x_and_newer)[wiki],
	111	including setup instructions for obtaining certificates from the popular free
	112	Let's Encrypt certificate authority.
	113
96f2beeb DM	114	ifdef::manvolnum[]
	115	include::pve-copyright.adoc[]
	116	endif::manvolnum[]