[pve-docs.git] / pveproxy.adoc

ifdef::manvolnum[]
pveproxy(8)
===========
:pve-toplevel:

NAME
----

pveproxy - PVE API Proxy Daemon


SYNOPSIS
--------

include::pveproxy.8-synopsis.adoc[]

DESCRIPTION
-----------
endif::manvolnum[]

ifndef::manvolnum[]
pveproxy - Proxmox VE API Proxy Daemon
======================================
endif::manvolnum[]

This daemon exposes the whole {pve} API on TCP port 8006 using
HTTPS. It runs as user `www-data` and has very limited permissions.
Operation requiring more permissions are forwarded to the local
`pvedaemon`.

Requests targeted for other nodes are automatically forwarded to those
nodes. This means that you can manage your whole cluster by connecting
to a single {pve} node.

Host based Access Control
-------------------------

It is possible to configure ``apache2''-like access control
lists. Values are read from file `/etc/default/pveproxy`. For example:

----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
----

IP addresses can be specified using any syntax understood by `Net::IP`. The
name `all` is an alias for `0/0`.

The default policy is `allow`.

[width="100%",options="header"]
|===========================================================
| Match                      | POLICY=deny | POLICY=allow
| Match Allow only           | allow       | allow
| Match Deny only            | deny        | deny
| No match                   | deny        | allow
| Match Both Allow & Deny    | deny        | allow
|===========================================================


SSL Cipher Suite
----------------

You can define the cipher list in `/etc/default/pveproxy`, for example

 CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"

Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.


Diffie-Hellman Parameters
-------------------------

You can define the used Diffie-Hellman parameters in
`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
containing DH parameters in PEM format, for example

 DHPARAMS="/path/to/dhparams.pem"

If this option is not set, the built-in `skip2048` parameters will be
used.

NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.

Alternative HTTPS certificate
-----------------------------

By default, pveproxy uses the certificate `/etc/pve/local/pve-ssl.pem`
(and private key `/etc/pve/local/pve-ssl.key`) for HTTPS connections.
This certificate is signed by the cluster CA certificate, and therefor
not trusted by browsers and operating systems by default.

In order to use a different certificate and private key for HTTPS,
store the server certificate and any needed intermediate / CA
certificates in PEM format in the file `/etc/pve/local/pveproxy-ssl.pem`
and the associated private key in PEM format without a password in the
file `/etc/pve/local/pveproxy-ssl.key`.

WARNING: Do not replace the automatically generated node certificate
files in `/etc/pve/local/pve-ssl.pem` and `etc/pve/local/pve-ssl.key` or
the cluster CA files in `/etc/pve/pve-root-ca.pem` and
`/etc/pve/priv/pve-root-ca.key`.

NOTE: There is a detailed HOWTO for configuring commercial HTTPS certificates
on the {webwiki-url}HTTPS_Certificate_Configuration_(Version_4.x_and_newer)[wiki],
including setup instructions for obtaining certificates from the popular free
Let's Encrypt certificate authority.

ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]
Commit	Line	Data
	1	ifdef::manvolnum[]
	2	pveproxy(8)
	3	===========
	4	:pve-toplevel:
	5
	6	NAME
	7	----
	8
	9	pveproxy - PVE API Proxy Daemon
	10
	11
	12	SYNOPSIS
	13	--------
	14
	15	include::pveproxy.8-synopsis.adoc[]
	16
	17	DESCRIPTION
	18	-----------
	19	endif::manvolnum[]
	20
	21	ifndef::manvolnum[]
	22	pveproxy - Proxmox VE API Proxy Daemon
	23	======================================
	24	endif::manvolnum[]
	25
	26	This daemon exposes the whole {pve} API on TCP port 8006 using
	27	HTTPS. It runs as user `www-data` and has very limited permissions.
	28	Operation requiring more permissions are forwarded to the local
	29	`pvedaemon`.
	30
	31	Requests targeted for other nodes are automatically forwarded to those
	32	nodes. This means that you can manage your whole cluster by connecting
	33	to a single {pve} node.
	34
	35	Host based Access Control
	36	-------------------------
	37
	38	It is possible to configure ``apache2''-like access control
	39	lists. Values are read from file `/etc/default/pveproxy`. For example:
	40
	41	----
	42	ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
	43	DENY_FROM="all"
	44	POLICY="allow"
	45	----
	46
	47	IP addresses can be specified using any syntax understood by `Net::IP`. The
	48	name `all` is an alias for `0/0`.
	49
	50	The default policy is `allow`.
	51
	52	[width="100%",options="header"]
	53	\|===========================================================
	54	\| Match \| POLICY=deny \| POLICY=allow
	55	\| Match Allow only \| allow \| allow
	56	\| Match Deny only \| deny \| deny
	57	\| No match \| deny \| allow
	58	\| Match Both Allow & Deny \| deny \| allow
	59	\|===========================================================
	60
	61
	62	SSL Cipher Suite
	63	----------------
	64
	65	You can define the cipher list in `/etc/default/pveproxy`, for example
	66
	67	CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
	68
	69	Above is the default. See the ciphers(1) man page from the openssl
	70	package for a list of all available options.
	71
	72
	73	Diffie-Hellman Parameters
	74	-------------------------
	75
	76	You can define the used Diffie-Hellman parameters in
	77	`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
	78	containing DH parameters in PEM format, for example
	79
	80	DHPARAMS="/path/to/dhparams.pem"
	81
	82	If this option is not set, the built-in `skip2048` parameters will be
	83	used.
	84
	85	NOTE: DH parameters are only used if a cipher suite utilizing the DH key
	86	exchange algorithm is negotiated.
	87
	88	Alternative HTTPS certificate
	89	-----------------------------
	90
	91	By default, pveproxy uses the certificate `/etc/pve/local/pve-ssl.pem`
	92	(and private key `/etc/pve/local/pve-ssl.key`) for HTTPS connections.
	93	This certificate is signed by the cluster CA certificate, and therefor
	94	not trusted by browsers and operating systems by default.
	95
	96	In order to use a different certificate and private key for HTTPS,
	97	store the server certificate and any needed intermediate / CA
	98	certificates in PEM format in the file `/etc/pve/local/pveproxy-ssl.pem`
	99	and the associated private key in PEM format without a password in the
	100	file `/etc/pve/local/pveproxy-ssl.key`.
	101
	102	WARNING: Do not replace the automatically generated node certificate
	103	files in `/etc/pve/local/pve-ssl.pem` and `etc/pve/local/pve-ssl.key` or
	104	the cluster CA files in `/etc/pve/pve-root-ca.pem` and
	105	`/etc/pve/priv/pve-root-ca.key`.
	106
	107	NOTE: There is a detailed HOWTO for configuring commercial HTTPS certificates
	108	on the {webwiki-url}HTTPS_Certificate_Configuration_(Version_4.x_and_newer)[wiki],
	109	including setup instructions for obtaining certificates from the popular free
	110	Let's Encrypt certificate authority.
	111
	112	ifdef::manvolnum[]
	113	include::pve-copyright.adoc[]
	114	endif::manvolnum[]