[pve-docs.git] / pveproxy.adoc

ifdef::manvolnum[]
PVE({manvolnum})
================
include::attributes.txt[]

NAME
----

pveproxy - PVE API Proxy Daemon


SYNOPSYS
--------

include::pveproxy.8-synopsis.adoc[]

DESCRIPTION
-----------
endif::manvolnum[]

ifndef::manvolnum[]
{pve} API Proxy Daemon
======================
include::attributes.txt[]
endif::manvolnum[]

This daemon exposes the whole {pve} API on TCP port 8006 using
HTTPS. It runs as user 'www-data' and has very limited permissions.
Operation requiring more permissions are forwarded to the local
'pvedaemon'.

Requests targeted for other nodes are automatically forwarded to those
nodes. This means that you can manage your whole cluster by connecting
to a single {pve} node.

Host based Access Control
-------------------------

It is possible to configure "apache2" like access control
lists. Values are read from file '/etc/default/pveproxy'. For example:

----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
----

IP addresses can be specified using any syntax understood by `Net::IP`. The
name 'all' is an alias for '0/0'.

The default policy is 'allow'.

[width="100%",options="header"]
|===========================================================
| Match                      | POLICY=deny | POLICY=allow
| Match Allow only           | allow       | allow
| Match Deny only            | deny        | deny
| No match                   | deny        | allow
| Match Both Allow & Deny    | deny        | allow
|===========================================================


SSL Cipher Suite
----------------

You can define the cipher list in '/etc/default/pveproxy', for example

 CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"

Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.


Diffie-Hellman Parameters
-------------------------

You can define the used Diffie-Hellman parameters in
'/etc/default/pveproxy' by setting `DHPARAMS` to the path of a file
containing DH parameters in PEM format, for example

 DHPARAMS="/path/to/dhparams.pem"

If this option is not set, the built-in 'skip2048' parameters will be
used.

NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.


ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]
Commit	Line	Data
	1	ifdef::manvolnum[]
	2	PVE({manvolnum})
	3	================
	4	include::attributes.txt[]
	5
	6	NAME
	7	----
	8
	9	pveproxy - PVE API Proxy Daemon
	10
	11
	12	SYNOPSYS
	13	--------
	14
	15	include::pveproxy.8-synopsis.adoc[]
	16
	17	DESCRIPTION
	18	-----------
	19	endif::manvolnum[]
	20
	21	ifndef::manvolnum[]
	22	{pve} API Proxy Daemon
	23	======================
	24	include::attributes.txt[]
	25	endif::manvolnum[]
	26
	27	This daemon exposes the whole {pve} API on TCP port 8006 using
	28	HTTPS. It runs as user 'www-data' and has very limited permissions.
	29	Operation requiring more permissions are forwarded to the local
	30	'pvedaemon'.
	31
	32	Requests targeted for other nodes are automatically forwarded to those
	33	nodes. This means that you can manage your whole cluster by connecting
	34	to a single {pve} node.
	35
	36	Host based Access Control
	37	-------------------------
	38
	39	It is possible to configure "apache2" like access control
	40	lists. Values are read from file '/etc/default/pveproxy'. For example:
	41
	42	----
	43	ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
	44	DENY_FROM="all"
	45	POLICY="allow"
	46	----
	47
	48	IP addresses can be specified using any syntax understood by `Net::IP`. The
	49	name 'all' is an alias for '0/0'.
	50
	51	The default policy is 'allow'.
	52
	53	[width="100%",options="header"]
	54	\|===========================================================
	55	\| Match \| POLICY=deny \| POLICY=allow
	56	\| Match Allow only \| allow \| allow
	57	\| Match Deny only \| deny \| deny
	58	\| No match \| deny \| allow
	59	\| Match Both Allow & Deny \| deny \| allow
	60	\|===========================================================
	61
	62
	63	SSL Cipher Suite
	64	----------------
	65
	66	You can define the cipher list in '/etc/default/pveproxy', for example
	67
	68	CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
	69
	70	Above is the default. See the ciphers(1) man page from the openssl
	71	package for a list of all available options.
	72
	73
	74	Diffie-Hellman Parameters
	75	-------------------------
	76
	77	You can define the used Diffie-Hellman parameters in
	78	'/etc/default/pveproxy' by setting `DHPARAMS` to the path of a file
	79	containing DH parameters in PEM format, for example
	80
	81	DHPARAMS="/path/to/dhparams.pem"
	82
	83	If this option is not set, the built-in 'skip2048' parameters will be
	84	used.
	85
	86	NOTE: DH parameters are only used if a cipher suite utilizing the DH key
	87	exchange algorithm is negotiated.
	88
	89
	90	ifdef::manvolnum[]
	91	include::pve-copyright.adoc[]
	92	endif::manvolnum[]