[pve-docs.git] / pveproxy.adoc

ifdef::manvolnum[]
pveproxy(8)
===========
:pve-toplevel:

NAME
----

pveproxy - PVE API Proxy Daemon


SYNOPSIS
--------

include::pveproxy.8-synopsis.adoc[]

DESCRIPTION
-----------
endif::manvolnum[]

ifndef::manvolnum[]
pveproxy - Proxmox VE API Proxy Daemon
======================================
endif::manvolnum[]

This daemon exposes the whole {pve} API on TCP port 8006 using
HTTPS. It runs as user `www-data` and has very limited permissions.
Operation requiring more permissions are forwarded to the local
`pvedaemon`.

Requests targeted for other nodes are automatically forwarded to those
nodes. This means that you can manage your whole cluster by connecting
to a single {pve} node.

Host based Access Control
-------------------------

It is possible to configure ``apache2''-like access control
lists. Values are read from file `/etc/default/pveproxy`. For example:

----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
----

IP addresses can be specified using any syntax understood by `Net::IP`. The
name `all` is an alias for `0/0`.

The default policy is `allow`.

[width="100%",options="header"]
|===========================================================
| Match                      | POLICY=deny | POLICY=allow
| Match Allow only           | allow       | allow
| Match Deny only            | deny        | deny
| No match                   | deny        | allow
| Match Both Allow & Deny    | deny        | allow
|===========================================================


SSL Cipher Suite
----------------

You can define the cipher list in `/etc/default/pveproxy`, for example

 CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.

Additionally you can define that the client choses the used cipher in
`/etc/default/pveproxy` (default is the first cipher in the list available to
both client and `pveproxy`):

 HONOR_CIPHER_ORDER=0


Diffie-Hellman Parameters
-------------------------

You can define the used Diffie-Hellman parameters in
`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
containing DH parameters in PEM format, for example

 DHPARAMS="/path/to/dhparams.pem"

If this option is not set, the built-in `skip2048` parameters will be
used.

NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.

Alternative HTTPS certificate
-----------------------------

You can change the certificate used to an external one or to one obtained via
ACME.

pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
`/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to
`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
The private key may not use a passphrase.

See the Host System Administration chapter of the documentation for details.

COMPRESSION
-----------

By default `pveproxy` uses gzip HTTP-level compression for compressible
content, if the client supports it. This can disabled in `/etc/default/pveproxy`

 COMPRESSION=0

ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]
Commit	Line	Data
	1	ifdef::manvolnum[]
	2	pveproxy(8)
	3	===========
	4	:pve-toplevel:
	5
	6	NAME
	7	----
	8
	9	pveproxy - PVE API Proxy Daemon
	10
	11
	12	SYNOPSIS
	13	--------
	14
	15	include::pveproxy.8-synopsis.adoc[]
	16
	17	DESCRIPTION
	18	-----------
	19	endif::manvolnum[]
	20
	21	ifndef::manvolnum[]
	22	pveproxy - Proxmox VE API Proxy Daemon
	23	======================================
	24	endif::manvolnum[]
	25
	26	This daemon exposes the whole {pve} API on TCP port 8006 using
	27	HTTPS. It runs as user `www-data` and has very limited permissions.
	28	Operation requiring more permissions are forwarded to the local
	29	`pvedaemon`.
	30
	31	Requests targeted for other nodes are automatically forwarded to those
	32	nodes. This means that you can manage your whole cluster by connecting
	33	to a single {pve} node.
	34
	35	Host based Access Control
	36	-------------------------
	37
	38	It is possible to configure ``apache2''-like access control
	39	lists. Values are read from file `/etc/default/pveproxy`. For example:
	40
	41	----
	42	ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
	43	DENY_FROM="all"
	44	POLICY="allow"
	45	----
	46
	47	IP addresses can be specified using any syntax understood by `Net::IP`. The
	48	name `all` is an alias for `0/0`.
	49
	50	The default policy is `allow`.
	51
	52	[width="100%",options="header"]
	53	\|===========================================================
	54	\| Match \| POLICY=deny \| POLICY=allow
	55	\| Match Allow only \| allow \| allow
	56	\| Match Deny only \| deny \| deny
	57	\| No match \| deny \| allow
	58	\| Match Both Allow & Deny \| deny \| allow
	59	\|===========================================================
	60
	61
	62	SSL Cipher Suite
	63	----------------
	64
	65	You can define the cipher list in `/etc/default/pveproxy`, for example
	66
	67	CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
	68
	69	Above is the default. See the ciphers(1) man page from the openssl
	70	package for a list of all available options.
	71
	72	Additionally you can define that the client choses the used cipher in
	73	`/etc/default/pveproxy` (default is the first cipher in the list available to
	74	both client and `pveproxy`):
	75
	76	HONOR_CIPHER_ORDER=0
	77
	78
	79	Diffie-Hellman Parameters
	80	-------------------------
	81
	82	You can define the used Diffie-Hellman parameters in
	83	`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
	84	containing DH parameters in PEM format, for example
	85
	86	DHPARAMS="/path/to/dhparams.pem"
	87
	88	If this option is not set, the built-in `skip2048` parameters will be
	89	used.
	90
	91	NOTE: DH parameters are only used if a cipher suite utilizing the DH key
	92	exchange algorithm is negotiated.
	93
	94	Alternative HTTPS certificate
	95	-----------------------------
	96
	97	You can change the certificate used to an external one or to one obtained via
	98	ACME.
	99
	100	pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
	101	`/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to
	102	`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
	103	The private key may not use a passphrase.
	104
	105	See the Host System Administration chapter of the documentation for details.
	106
	107	COMPRESSION
	108	-----------
	109
	110	By default `pveproxy` uses gzip HTTP-level compression for compressible
	111	content, if the client supports it. This can disabled in `/etc/default/pveproxy`
	112
	113	COMPRESSION=0
	114
	115	ifdef::manvolnum[]
	116	include::pve-copyright.adoc[]
	117	endif::manvolnum[]