[pve-docs.git] / pveproxy.adoc
ifdef::manvolnum[]
pveproxy(8)
===========
:pve-toplevel:

NAME
----

pveproxy - PVE API Proxy Daemon


SYNOPSIS
--------

include::pveproxy.8-synopsis.adoc[]

DESCRIPTION
-----------
endif::manvolnum[]

ifndef::manvolnum[]
pveproxy - Proxmox VE API Proxy Daemon
======================================
endif::manvolnum[]

This daemon exposes the whole {pve} API on TCP port 8006 using
HTTPS. It runs as user `www-data` and has very limited permissions.
Operations requiring more permissions are forwarded to the local
`pvedaemon`.

Requests targeted for other nodes are automatically forwarded to those
nodes. This means that you can manage your whole cluster by connecting
to a single {pve} node.

Host based Access Control
-------------------------

It is possible to configure ``apache2''-like access control
lists. Values are read from file `/etc/default/pveproxy`. For example:

----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
----

IP addresses can be specified using any syntax understood by `Net::IP`. The
name `all` is an alias for `0/0`.

The default policy is `allow`. Like the other settings in this file, a
changed rule set only takes effect after the daemon is restarted
(`systemctl restart pveproxy`). A rule set that locks you out of the web
interface does not affect SSH access to the node, so the file can still be
corrected from a shell.

[width="100%",options="header"]
|===========================================================
| Client address matches | POLICY=deny | POLICY=allow
| Match Allow only | allow | allow
| Match Deny only | deny | deny
| No match | deny | allow
| Match Both Allow & Deny | deny | allow
|===========================================================
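To see how the table above applies to concrete client addresses before restarting the daemon with a new rule set, the following shell script dry-runs the decision logic. It is an added example, not code from pve-docs or from pveproxy itself: it re-implements the table for the IPv4 forms used in this section (single host, `a-b` range, `a.b.c.d/n`, `all`) and reads the same `KEY="value"` file format, but it is not the daemon's `Net::IP`-based parser, so anything beyond those forms (IPv6 in particular) is outside what it handles. All function names are this example's own.

```shell
#!/bin/sh
# Added example, not pve-docs or pveproxy code: a dry run of the
# ALLOW_FROM / DENY_FROM / POLICY decision table for a given client address.
# Handles the IPv4 forms used in this section (host, lo-hi range, a.b.c.d/n,
# "all"); the daemon's Net::IP parser accepts more, including IPv6.

# Dotted quad -> unsigned 32-bit integer.
ip2int() {
    _qifs=$IFS; IFS=.; set -- $1; IFS=$_qifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit status 0 if integer address $1 lies inside the single list entry $2.
ip_in_entry() {
    case $2 in
        all) return 0 ;;                       # "all" is an alias for 0/0
        */*)                                   # CIDR block
            _bits=${2#*/}
            [ "$_bits" -eq 0 ] && return 0     # 0/0 matches everything, no address math needed
            _net=$(ip2int "${2%/*}")
            _mask=$(( (0xffffffff << (32 - _bits)) & 0xffffffff ))
            [ $(( $1 & _mask )) -eq $(( _net & _mask )) ] ;;
        *-*)                                   # inclusive range lo-hi
            _lo=$(ip2int "${2%-*}"); _hi=$(ip2int "${2#*-}")
            [ "$1" -ge "$_lo" ] && [ "$1" -le "$_hi" ] ;;
        *)                                     # single host
            [ "$1" -eq "$(ip2int "$2")" ] ;;
    esac
}

# Exit status 0 if integer address $1 matches any entry of the comma-separated list $2.
ip_in_list() {
    for _entry in $(printf '%s' "$2" | tr ',' ' '); do
        ip_in_entry "$1" "$_entry" && return 0
    done
    return 1
}

# Apply the decision table: a match in exactly one list decides; "no match"
# and "matches both" fall back to POLICY, which defaults to allow.
pveproxy_acl_decide() {      # usage: pveproxy_acl_decide CLIENT_IP ALLOW_FROM DENY_FROM [POLICY]
    _n=$(ip2int "$1"); _a=0; _d=0
    ip_in_list "$_n" "$2" && _a=1
    ip_in_list "$_n" "$3" && _d=1
    if   [ $_a -eq 1 ] && [ $_d -eq 0 ]; then echo allow
    elif [ $_d -eq 1 ] && [ $_a -eq 0 ]; then echo deny
    else echo "${4:-allow}"
    fi
}

# The real config is a plain, root-owned KEY="value" file, so it can be
# sourced in a subshell to test an address against what is actually installed.
pveproxy_acl_check_file() {  # usage: pveproxy_acl_check_file CLIENT_IP [/etc/default/pveproxy]
    ( . "${2:-/etc/default/pveproxy}"
      pveproxy_acl_decide "$1" "${ALLOW_FROM:-}" "${DENY_FROM:-}" "${POLICY:-allow}" )
}

# Dry run of the rule set quoted in this section. With DENY_FROM="all" every
# client matches the deny list, so only addresses that also match ALLOW_FROM
# ("matches both") get through, and only because POLICY is allow. The same
# lists with POLICY="deny" lock every client out.
rules_allow='10.0.0.1-10.0.0.5,192.168.0.0/22'
for client in 10.0.0.3 10.0.0.6 192.168.3.254 192.168.4.1 203.0.113.9; do
    printf '%-15s POLICY=allow: %-5s  POLICY=deny: %s\n' "$client" \
        "$(pveproxy_acl_decide "$client" "$rules_allow" all allow)" \
        "$(pveproxy_acl_decide "$client" "$rules_allow" all deny)"
done
```

The point the dry run makes is the one the table states in its last row: `DENY_FROM="all"` is only usable together with `POLICY="allow"`; with `POLICY="deny"` the allow list has no effect at all.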


SSL Cipher Suite
----------------

You can define the cipher list in `/etc/default/pveproxy`, for example

 CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"

The line above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.


Diffie-Hellman Parameters
-------------------------

You can define the Diffie-Hellman parameters to use in
`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
containing DH parameters in PEM format, for example

 DHPARAMS="/path/to/dhparams.pem"

If this option is not set, the built-in `skip2048` parameters will be
used.

NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.

Alternative HTTPS certificate
-----------------------------

By default, pveproxy uses the certificate `/etc/pve/local/pve-ssl.pem`
(and private key `/etc/pve/local/pve-ssl.key`) for HTTPS connections.
This certificate is signed by the cluster CA certificate, and therefore
not trusted by browsers and operating systems by default.

In order to use a different certificate and private key for HTTPS,
store the server certificate first, followed by any needed intermediate / CA
certificates, in PEM format in the file `/etc/pve/local/pveproxy-ssl.pem`
and the associated private key in PEM format without a password in the
file `/etc/pve/local/pveproxy-ssl.key`. The key must be unencrypted because
the daemon starts unattended and cannot prompt for a passphrase.

WARNING: Do not replace the automatically generated node certificate
files in `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key` or
the cluster CA files in `/etc/pve/pve-root-ca.pem` and
`/etc/pve/priv/pve-root-ca.key`. These are used for communication between
the cluster nodes, which verify each other against the cluster CA.

NOTE: There is a detailed HOWTO for configuring commercial HTTPS certificates
on the {webwiki-url}HTTPS_Certificate_Configuration_(Version_4.x_and_newer)[wiki],
including setup instructions for obtaining certificates from the popular free
Let's Encrypt certificate authority.
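The three TLS settings described above (`CIPHERS` and `DHPARAMS` in `/etc/default/pveproxy`, and the alternative certificate pair in `/etc/pve/local/pveproxy-ssl.pem` / `pveproxy-ssl.key`) are all applied by editing files on the node and restarting pveproxy. The script below is an added example, not part of pve-docs or of pveproxy: it bundles the pre-flight checks a practitioner wants before that restart (the key carries no passphrase, the bundle starts with the server certificate, key and certificate belong together) with the install steps. The paths named in the text are used as they are; the DH parameter output path `/etc/ssl/pveproxy-dhparams.pem`, the stricter cipher string in the usage comments and all function names are this example's own assumptions, not project defaults.

```shell
#!/bin/sh
# Added example, not pve-docs or pveproxy code: pre-flight checks and install
# steps for the TLS settings of pveproxy. Paths named in the documentation are
# used as-is; DHPARAMS_FILE is an assumed location (any path readable by
# www-data works, since DH parameters are public values).

PVEPROXY_DEFAULTS=/etc/default/pveproxy
PVEPROXY_CERT=/etc/pve/local/pveproxy-ssl.pem
PVEPROXY_KEY=/etc/pve/local/pveproxy-ssl.key
DHPARAMS_FILE=/etc/ssl/pveproxy-dhparams.pem

# Set or replace one KEY="value" line; missing keys are appended. Values must
# not contain '|' or '&' (sed replacement syntax); cipher strings and paths
# do not.
pveproxy_set_default() {     # usage: pveproxy_set_default KEY VALUE [file]
    _f=${3:-$PVEPROXY_DEFAULTS}
    touch "$_f"
    if grep -q "^$1=" "$_f"; then
        sed -i "s|^$1=.*|$1=\"$2\"|" "$_f"
    else
        printf '%s="%s"\n' "$1" "$2" >> "$_f"
    fi
}

# Show which suites a CIPHERS string really enables before committing to it
# (name, protocol, key exchange); see ciphers(1) for the syntax.
pveproxy_show_ciphers() {    # usage: pveproxy_show_ciphers 'HIGH:MEDIUM:!aNULL:!MD5'
    openssl ciphers -v "$1" | awk '{ printf "%-32s %-8s %s\n", $1, $2, $3 }'
}

# Generate fresh DH parameters and point DHPARAMS at them. They are only used
# when a DHE suite is negotiated; an ECDHE-only CIPHERS string never consults
# this setting.
pveproxy_set_dhparams() {    # usage: pveproxy_set_dhparams [bits]
    openssl dhparam -out "$DHPARAMS_FILE" "${1:-2048}"
    chmod 0644 "$DHPARAMS_FILE"
    pveproxy_set_default DHPARAMS "$DHPARAMS_FILE"
}

# Check 1: the key must be stored without a passphrase; the daemon cannot
# prompt for one. Catches both PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and
# legacy ("Proc-Type: 4,ENCRYPTED") encrypted PEM.
pveproxy_key_is_unencrypted() { ! grep -q 'ENCRYPTED' "$1"; }

# Check 2: the bundle must start with the server certificate, intermediates
# after it. A key in first position, or a file that is only a key, fails here.
pveproxy_bundle_starts_with_cert() {
    [ "$(grep -- '-----BEGIN' "$1" | head -n 1)" = '-----BEGIN CERTIFICATE-----' ]
}

# Check 3: certificate and key must carry the same public key (needs openssl;
# the first certificate in the bundle is the one x509 reads).
pveproxy_key_matches_cert() {  # usage: pveproxy_key_matches_cert CERT KEY
    [ "$(openssl x509 -in "$1" -noout -pubkey | sha256sum)" = \
      "$(openssl pkey -in "$2" -pubout | sha256sum)" ]
}

# Install a custom pair next to (never over) the cluster-CA-signed node
# certificate. The restart is left to the caller so all changes need only one.
pveproxy_install_cert() {    # usage: pveproxy_install_cert FULLCHAIN.pem PRIVKEY.pem
    pveproxy_bundle_starts_with_cert "$1" || { echo "refusing: $1 does not start with a certificate" >&2; return 1; }
    pveproxy_key_is_unencrypted "$2"     || { echo "refusing: $2 is passphrase protected" >&2; return 1; }
    pveproxy_key_matches_cert "$1" "$2"  || { echo "refusing: key does not match certificate" >&2; return 1; }
    cp "$1" "$PVEPROXY_CERT"
    cp "$2" "$PVEPROXY_KEY"
}

# Confirm from outside which certificate the listener presents on 8006.
pveproxy_verify_listener() { # usage: pveproxy_verify_listener HOST [PORT]
    openssl s_client -connect "$1:${2:-8006}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

# Typical sequence on a node, as root (commented out: it edits live config):
#   pveproxy_show_ciphers 'HIGH:MEDIUM:!aNULL:!MD5'                       # what the default admits
#   pveproxy_set_default CIPHERS 'ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5'   # assumed stricter string
#   pveproxy_set_dhparams 2048
#   pveproxy_install_cert /root/fullchain.pem /root/privkey.pem
#   systemctl restart pveproxy
#   pveproxy_verify_listener pve1.example.com
```

`CIPHERS` only selects TLS 1.2 and older suites: with OpenSSL 1.1.1 or newer the TLS 1.3 suites are configured separately and are not affected by this string. If the string no longer admits any DHE suite, `DHPARAMS` is never consulted, which is the case the NOTE in the Diffie-Hellman section describes.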

ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]