ifdef::manvolnum[]
PVE({manvolnum})
================
include::attributes.txt[]

NAME
----

pveproxy - PVE API Proxy Daemon


SYNOPSIS
--------

include::pveproxy.8-synopsis.adoc[]

DESCRIPTION
-----------
endif::manvolnum[]

ifndef::manvolnum[]
{pve} API Proxy Daemon
======================
include::attributes.txt[]
endif::manvolnum[]

This daemon exposes the whole {pve} API on TCP port 8006 using
HTTPS. It runs as user 'www-data' and has very limited permissions.
Operations requiring more permissions are forwarded to the local
'pvedaemon'.

Requests targeted for other nodes are automatically forwarded to those
nodes. This means that you can manage your whole cluster by connecting
to a single {pve} node.

Host based Access Control
-------------------------

It is possible to configure "apache2"-like access control
lists. The values are read from the file '/etc/default/pveproxy'. For example:

----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
----

IP addresses can be specified using any syntax understood by `Net::IP`. The
name 'all' is an alias for '0/0'.

The default policy is 'allow'.

[width="100%",options="header"]
|===========================================================
| Match | POLICY=deny | POLICY=allow
| Match Allow only | allow | allow
| Match Deny only | deny | deny
| No match | deny | allow
| Match Both Allow & Deny | deny | allow
|===========================================================
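
As an added illustration, not Proxmox's own code (the daemon implements this check in Perl on top of `Net::IP`), the Python script below reads the three settings from a constructed copy of '/etc/default/pveproxy' and evaluates the decision table above for sample client addresses. Two simplifications are assumptions of this example only: the file reader understands one `KEY="value"` assignment per line and nothing else a shell would accept, and 'all' is treated as matching any address of either IP family (the page only defines it as an alias for '0/0'). The last line of the demo shows the trap in the table's final row: with `DENY_FROM="all"`, switching to `POLICY="deny"` locks out the allow-listed hosts as well, because "both matched" then resolves to deny.

```python
import ipaddress
import re

# Simplified reader for the KEY="value" lines of /etc/default/pveproxy
# (assumption of this example: one assignment per line, quoted or bare).
_ASSIGN_RE = re.compile(r'''^\s*([A-Z_]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S*))\s*$''')


def load_pveproxy_defaults(text):
    """Return {KEY: value} for the assignments found in the file contents."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ASSIGN_RE.match(line)
        if m:
            settings[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return settings


def parse_acl(spec):
    """Parse ALLOW_FROM/DENY_FROM: comma-separated single addresses, CIDR
    prefixes or first-last ranges. 'all' is handled as 'matches everything'
    for both IPv4 and IPv6 (assumption; the page defines it as '0/0')."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item.lower() == "all":
            entries.append(("all", None))
        elif "-" in item:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError("bad address range: %s" % item)
            entries.append(("range", (lo, hi)))
        else:
            entries.append(("net", ipaddress.ip_network(item, strict=False)))
    return entries


def acl_matches(entries, client):
    """True if the client address matches any entry of the parsed list."""
    addr = ipaddress.ip_address(client)
    for kind, value in entries:
        if kind == "all":
            return True
        if kind == "range":
            lo, hi = value
            if lo.version == addr.version and lo <= addr <= hi:
                return True
        elif kind == "net" and value.version == addr.version and addr in value:
            return True
    return False


def acl_decision(allow_from, deny_from, policy, client):
    """The decision table: allow-only -> allow, deny-only -> deny,
    no match or both matched -> whatever POLICY says."""
    allowed = acl_matches(parse_acl(allow_from), client)
    denied = acl_matches(parse_acl(deny_from), client)
    if allowed != denied:
        return allowed
    return policy.lower() == "allow"


def client_permitted(settings, client):
    """Apply a settings dict from load_pveproxy_defaults; POLICY defaults to 'allow'."""
    return acl_decision(settings.get("ALLOW_FROM", ""), settings.get("DENY_FROM", ""),
                        settings.get("POLICY", "allow"), client)


# Constructed sample file using the page's example values.
SAMPLE_DEFAULTS = '''
# /etc/default/pveproxy (constructed sample for this example)
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
'''

if __name__ == "__main__":
    cfg = load_pveproxy_defaults(SAMPLE_DEFAULTS)
    for ip in ("10.0.0.3", "10.0.0.6", "192.168.3.9", "192.168.4.1", "2001:db8::1"):
        print("%-12s %s" % (ip, "allowed" if client_permitted(cfg, ip) else "denied"))
    # Same lists, POLICY="deny": the allow-listed 10.0.0.3 is now denied too.
    print("10.0.0.3 with POLICY=deny:",
          acl_decision(cfg["ALLOW_FROM"], cfg["DENY_FROM"], "deny", "10.0.0.3"))
```

The example also covers the "no match" row: with only `ALLOW_FROM` set and no `DENY_FROM`, an address outside the list is admitted under the default policy and rejected under `POLICY="deny"`, which is the setting to use when the allow list is meant to be exhaustive.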


SSL Cipher Suite
----------------

You can define the cipher list in '/etc/default/pveproxy', for example

 CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"

The value above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.
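
As an added example, not from the pveproxy sources: the Python snippet below uses the OpenSSL library behind Python's `ssl` module to expand a CIPHERS string the way the daemon's OpenSSL will, and flags suites that a current deployment would rather not offer (NULL, aNULL, export, RC4, 3DES, MD5, and plain RSA key exchange without forward secrecy). The weak-suite markers and the `HARDENED_SPEC` string are this example's choices, not a Proxmox recommendation, and the exact expansion depends on the OpenSSL version Python is linked against; a typo in the string is caught because OpenSSL rejects a list that selects nothing.

```python
import ssl

# Suite-name fragments (OpenSSL naming) that mark suites to avoid. "ADH-" and
# "AECDH-" are the aNULL suites (no server authentication at all); the default
# string's "!aNULL:!MD5" already removes those and the MD5 suites.
WEAK_MARKERS = ("NULL", "ADH-", "AECDH-", "EXP", "RC4", "DES-", "MD5")

DEFAULT_SPEC = "HIGH:MEDIUM:!aNULL:!MD5"          # the page's default
HARDENED_SPEC = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5"  # example choice


def expand_cipher_spec(spec):
    """Ask OpenSSL which TLS 1.2-and-below suites a cipher string selects.
    Raises ssl.SSLError when the string selects nothing (typo, or everything excluded)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    # get_ciphers() also reports TLS 1.3 suites, which the cipher string does not govern.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(spec):
    """Names of selected suites that match WEAK_MARKERS or use plain RSA key
    exchange ("kx-rsa" in OpenSSL's classification), i.e. no forward secrecy."""
    flagged = []
    for c in expand_cipher_spec(spec):
        name = c["name"]
        if any(marker in name for marker in WEAK_MARKERS) or c.get("kea") == "kx-rsa":
            flagged.append(name)
    return flagged


def lint_cipher_spec(spec):
    """Return (selected_count, flagged_names); an invalid string raises ssl.SSLError."""
    selected = expand_cipher_spec(spec)
    return len(selected), weak_suites(spec)


if __name__ == "__main__":
    for label, spec in (("default", DEFAULT_SPEC), ("hardened", HARDENED_SPEC)):
        count, flagged = lint_cipher_spec(spec)
        print("%s: %d suites selected, %d flagged" % (label, count, len(flagged)))
        for name in flagged:
            print("   ", name)
```

The same expansion is available on the node itself as `openssl ciphers -v 'HIGH:MEDIUM:!aNULL:!MD5'`; the point of doing it in code is to compare candidate strings side by side before editing the file and restarting the daemon.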


Diffie-Hellman Parameters
-------------------------

You can define the used Diffie-Hellman parameters in
'/etc/default/pveproxy' by setting `DHPARAMS` to the path of a file
containing DH parameters in PEM format, for example

 DHPARAMS="/path/to/dhparams.pem"

If this option is not set, the built-in 'skip2048' parameters will be
used.

NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.
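
Added example, not part of the pveproxy sources: a checker for the file named by `DHPARAMS`. It parses the PKCS#3 'DH PARAMETERS' PEM encoding that `openssl dhparam` writes (a DER SEQUENCE of the prime p and the generator g), reports the modulus size, and runs a Miller-Rabin test on p and on (p-1)/2 so that an undersized or non-prime modulus is noticed before the daemon serves it. The PEM blocks it builds are constructed test vectors, not groups anyone should deploy: p = 2^2203 - 1 and p = 2^1279 - 1 are Mersenne primes, chosen only because they are known primes on either side of 2048 bits, and 2^2047 + 1 has the right size but is divisible by 3. The 2048-bit minimum and the accepted generators (2 and 5) are this example's thresholds.

```python
import base64
import re

_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 .]+)-----(.*?)-----END \1-----", re.S)
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _der_read_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_read_int(buf, i):
    """Decode a DER INTEGER at buf[i]; return (value, index after it)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % i)
    length, i = _der_read_len(buf, i + 1)
    return int.from_bytes(buf[i:i + length], "big", signed=True), i + length


def parse_dh_params(pem_text):
    """Return (p, g) from a PKCS#3 'DH PARAMETERS' block: SEQUENCE { p, g, ... }."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    if m.group(1) != "DH PARAMETERS":
        raise ValueError("unexpected PEM label %r" % m.group(1))
    der = base64.b64decode("".join(m.group(2).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, i = _der_read_len(der, 1)
    p, i = _der_read_int(der, i)
    g, _ = _der_read_int(der, i)  # an optional privateValueLength may follow; ignored
    return p, g


def is_probable_prime(n):
    """Trial division by small primes, then Miller-Rabin with five fixed bases."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _SMALL_PRIMES[:5]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(pem_text, min_bits=2048):
    """Report modulus size, primality, safe-prime property and generator of a DHPARAMS file."""
    p, g = parse_dh_params(pem_text)
    prime = is_probable_prime(p)
    report = {"bits": p.bit_length(), "generator": g, "prime": prime,
              "safe_prime": prime and is_probable_prime((p - 1) // 2)}
    report["acceptable"] = prime and report["bits"] >= min_bits and g in (2, 5)
    return report


# Encoder, needed only to build the constructed test vectors below.
def _der_len_enc(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_uint_enc(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # keeps a leading 0x00 when the top bit is set
    return b"\x02" + _der_len_enc(len(b)) + b


def make_dh_pem(p, g):
    body = _der_uint_enc(p) + _der_uint_enc(g)
    b64 = base64.b64encode(b"\x30" + _der_len_enc(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)


PRIME_2203_PEM = make_dh_pem(2 ** 2203 - 1, 2)      # constructed: a known prime, not a real DH group
SHORT_PRIME_PEM = make_dh_pem(2 ** 1279 - 1, 2)     # constructed: prime, but far below 2048 bits
COMPOSITE_2048_PEM = make_dh_pem(2 ** 2047 + 1, 2)  # constructed: right size, divisible by 3

if __name__ == "__main__":
    for label, pem in (("2203-bit prime", PRIME_2203_PEM), ("1279-bit prime", SHORT_PRIME_PEM),
                       ("2048-bit composite", COMPOSITE_2048_PEM)):
        print(label, check_dh_params(pem))
```

A file written by `openssl dhparam` will normally report `safe_prime` as true, because that tool generates safe primes; the Mersenne vectors here do not, which the report shows rather than hides.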

Alternative HTTPS certificate
-----------------------------

By default, pveproxy uses the certificate '/etc/pve/local/pve-ssl.pem'
(and private key '/etc/pve/local/pve-ssl.key') for HTTPS connections.
This certificate is signed by the cluster CA certificate, and therefore
not trusted by browsers and operating systems by default.

In order to use a different certificate and private key for HTTPS,
store the server certificate and any needed intermediate / CA
certificates in PEM format in the file '/etc/pve/local/pveproxy-ssl.pem'
and the associated private key in PEM format without a password in the
file '/etc/pve/local/pveproxy-ssl.key'.

WARNING: Do not replace the automatically generated node certificate
files in '/etc/pve/local/pve-ssl.pem'/'/etc/pve/local/pve-ssl.key' or
the cluster CA files in '/etc/pve/pve-root-ca.pem'/'/etc/pve/priv/pve-root-ca.key'.

ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]