pveproxy.adoc

   1 ifdef::manvolnum[]
   2 pveproxy(8)
   3 ===========
   4 :pve-toplevel:
   5
   6 NAME
   7 ----
   8
   9 pveproxy - PVE API Proxy Daemon
  10
  11
  12 SYNOPSIS
  13 --------
  14
  15 include::pveproxy.8-synopsis.adoc[]
  16
  17 DESCRIPTION
  18 -----------
  19 endif::manvolnum[]
  20
  21 ifndef::manvolnum[]
  22 pveproxy - Proxmox VE API Proxy Daemon
  23 ======================================
  24 endif::manvolnum[]
  25
  26 This daemon exposes the whole {pve} API on TCP port 8006 using
  27 HTTPS. It runs as user `www-data` and has very limited permissions.
  28 Operation requiring more permissions are forwarded to the local
  29 `pvedaemon`.
  30
  31 Requests targeted for other nodes are automatically forwarded to those
  32 nodes. This means that you can manage your whole cluster by connecting
  33 to a single {pve} node.
  34
  35 Host based Access Control
  36 -------------------------
  37
  38 It is possible to configure ``apache2''-like access control
  39 lists. Values are read from file `/etc/default/pveproxy`. For example:
  40
  41 ----
  42 ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
  43 DENY_FROM="all"
  44 POLICY="allow"
  45 ----
  46
  47 IP addresses can be specified using any syntax understood by `Net::IP`. The
  48 name `all` is an alias for `0/0`.
  49
  50 The default policy is `allow`.
  51
  52 [width="100%",options="header"]
  53 |===========================================================
  54 | Match                      | POLICY=deny | POLICY=allow
  55 | Match Allow only           | allow       | allow
  56 | Match Deny only            | deny        | deny
  57 | No match                   | deny        | allow
  58 | Match Both Allow & Deny    | deny        | allow
  59 |===========================================================
  60
  61
  62 SSL Cipher Suite
  63 ----------------
  64
  65 You can define the cipher list in `/etc/default/pveproxy`, for example
  66
  67  CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
  68
  69 Above is the default. See the ciphers(1) man page from the openssl
  70 package for a list of all available options.
  71
  72
  73 Diffie-Hellman Parameters
  74 -------------------------
  75
  76 You can define the used Diffie-Hellman parameters in
  77 `/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
  78 containing DH parameters in PEM format, for example
  79
  80  DHPARAMS="/path/to/dhparams.pem"
  81
  82 If this option is not set, the built-in `skip2048` parameters will be
  83 used.
  84
  85 NOTE: DH parameters are only used if a cipher suite utilizing the DH key
  86 exchange algorithm is negotiated.
  87
  88 Alternative HTTPS certificate
  89 -----------------------------
  90
  91 You can change the certificate used, to an external one or to one obtained via
  92 ACME.
  93
  94 pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
  95 `/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to
  96 `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
  97 The private key may not use a passphrase.
  98
  99 See the Host System Administration chapter of the documentation for details.
 100
 101 ifdef::manvolnum[]
 102 include::pve-copyright.adoc[]
 103 endif::manvolnum[]