9 pveproxy - PVE API Proxy Daemon
15 include::pveproxy.8-synopsis.adoc[]
22 pveproxy - Proxmox VE API Proxy Daemon
23 ======================================
26 This daemon exposes the whole {pve} API on TCP port 8006 using
27 HTTPS. It runs as user `www-data` and has very limited permissions.
28 Operation requiring more permissions are forwarded to the local
31 Requests targeted for other nodes are automatically forwarded to those
32 nodes. This means that you can manage your whole cluster by connecting
33 to a single {pve} node.
35 Host based Access Control
36 -------------------------
38 It is possible to configure ``apache2''-like access control
39 lists. Values are read from file `/etc/default/pveproxy`. For example:
42 ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
47 IP addresses can be specified using any syntax understood by `Net::IP`. The
48 name `all` is an alias for `0/0`.
50 The default policy is `allow`.
52 [width="100%",options="header"]
53 |===========================================================
54 | Match | POLICY=deny | POLICY=allow
55 | Match Allow only | allow | allow
56 | Match Deny only | deny | deny
57 | No match | deny | allow
58 | Match Both Allow & Deny | deny | allow
59 |===========================================================
65 By setting `LISTEN_IP` in `/etc/default/pveproxy` you can control to which IP
66 address the `pveproxy` and `spiceproxy` daemons bind. The IP-address needs to
67 be configured on the system.
69 This can be used to listen only to an internal interface and thus have less
70 exposure to the public internet:
76 Similarly, you can also set an IPv6 address:
79 LISTEN_IP="2001:db8:85a3::1"
82 WARNING: The nodes in a cluster need access to `pveproxy` for communication,
83 possibly on different sub-nets. It is **not recommended** to set `LISTEN_IP` on
89 You can define the cipher list in `/etc/default/pveproxy`, for example
91 CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
93 Above is the default. See the ciphers(1) man page from the openssl
94 package for a list of all available options.
96 Additionally you can define that the client choses the used cipher in
97 `/etc/default/pveproxy` (default is the first cipher in the list available to
98 both client and `pveproxy`):
103 Diffie-Hellman Parameters
104 -------------------------
106 You can define the used Diffie-Hellman parameters in
107 `/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
108 containing DH parameters in PEM format, for example
110 DHPARAMS="/path/to/dhparams.pem"
112 If this option is not set, the built-in `skip2048` parameters will be
115 NOTE: DH parameters are only used if a cipher suite utilizing the DH key
116 exchange algorithm is negotiated.
118 Alternative HTTPS certificate
119 -----------------------------
121 You can change the certificate used to an external one or to one obtained via
124 pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
125 `/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to
126 `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
127 The private key may not use a passphrase.
129 See the Host System Administration chapter of the documentation for details.
134 By default `pveproxy` uses gzip HTTP-level compression for compressible
135 content, if the client supports it. This can disabled in `/etc/default/pveproxy`
140 include::pve-copyright.adoc[]