ifdef::manvolnum[]
pveproxy(8)
===========
include::attributes.txt[]
:pve-toplevel:

NAME
----

pveproxy - PVE API Proxy Daemon


SYNOPSIS
--------

include::pveproxy.8-synopsis.adoc[]

DESCRIPTION
-----------
endif::manvolnum[]

ifndef::manvolnum[]
pveproxy - Proxmox VE API Proxy Daemon
======================================
include::attributes.txt[]
endif::manvolnum[]

This daemon exposes the whole {pve} API on TCP port 8006 using
HTTPS. It runs as user `www-data` and has very limited permissions.
Operations requiring more permissions are forwarded to the local
`pvedaemon`.

Requests targeted at other nodes are automatically forwarded to those
nodes. This means that you can manage your whole cluster by connecting
to a single {pve} node.

Host based Access Control
-------------------------

It is possible to configure ``apache2''-like access control
lists. Values are read from the file `/etc/default/pveproxy`. For example:

----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
----

IP addresses can be specified using any syntax understood by `Net::IP`. The
name `all` is an alias for `0/0`.

The default policy is `allow`.

[width="100%",options="header"]
|===========================================================
| Match | POLICY=deny | POLICY=allow
| Match Allow only | allow | allow
| Match Deny only | deny | deny
| No match | deny | allow
| Match Both Allow & Deny | deny | allow
|===========================================================
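
The decision table above as a worked example. This is added illustration code, not pveproxy's own implementation (which relies on `Net::IP`): the allow and deny lists decide whenever exactly one of them matches, and `POLICY` decides the two remaining rows (no match, or both match). The parser handles the address forms shown on this page (single addresses, CIDR prefixes, `a-b` ranges and the `all` / `0/0` alias); it is an assumption of this example that other `Net::IP` notations are not needed.

```python
import ipaddress

# Constructed values mirroring the /etc/default/pveproxy example above.
ALLOW_FROM = "10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM = "all"
POLICY = "allow"


def parse_list(value):
    """Parse a comma-separated ALLOW_FROM / DENY_FROM value into matchers.

    Supported forms: single address, CIDR prefix, 'first-last' range and the
    alias 'all' (= '0/0', here expanded to both address families). Net::IP
    accepts further notations that this example does not reproduce.
    """
    matchers = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item in ("all", "0/0"):
            matchers.append(ipaddress.ip_network("0.0.0.0/0"))
            matchers.append(ipaddress.ip_network("::/0"))
        elif "-" in item:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"bad address range: {item}")
            matchers.append((lo, hi))
        else:
            matchers.append(ipaddress.ip_network(item, strict=False))
    return matchers


def matches(addr, matchers):
    """True if the client address is covered by any matcher in the list."""
    addr = ipaddress.ip_address(addr)
    for m in matchers:
        if isinstance(m, tuple):
            lo, hi = m
            if lo.version == addr.version and lo <= addr <= hi:
                return True
        elif addr.version == m.version and addr in m:
            return True
    return False


def decide(addr, allow_from=ALLOW_FROM, deny_from=DENY_FROM, policy=POLICY):
    """Apply the table: a single matching list wins; otherwise POLICY wins."""
    if policy not in ("allow", "deny"):
        raise ValueError("POLICY must be 'allow' or 'deny'")
    allowed = matches(addr, parse_list(allow_from))
    denied = matches(addr, parse_list(deny_from))
    if allowed and not denied:      # row: Match Allow only
        return "allow"
    if denied and not allowed:      # row: Match Deny only
        return "deny"
    return policy                   # rows: No match / Match Both


if __name__ == "__main__":
    for client in ("10.0.0.3", "10.0.0.9", "192.168.3.7", "203.0.113.5"):
        print(client, "POLICY=allow ->", decide(client),
              "POLICY=deny ->", decide(client, policy="deny"))
```

With `DENY_FROM="all"` and `POLICY="allow"`, as in the configuration above, every client matches the deny list, so only clients that also match `ALLOW_FROM` get through (the "Match Both" row). Switching that same configuration to `POLICY="deny"` locks everyone out, because the "Match Both" row then yields deny; this is the case to check before tightening the policy on a production node.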


SSL Cipher Suite
----------------

You can define the cipher list in `/etc/default/pveproxy`, for example

 CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"

Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.
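
An added check, not part of this documentation or of pveproxy, that expands a `CIPHERS` string with the local OpenSSL (the library pveproxy's TLS stack uses) into the suites that would be offered, and flags any suite whose name suggests the `!aNULL` or `!MD5` exclusions did not take effect. It also shows that a string selecting no suite at all is rejected, which is worth catching before restarting the service. The list of name fragments is an assumption of this example; OpenSSL's own expansion is authoritative.

```python
import ssl

# The default list quoted in this section of the documentation.
DEFAULT_CIPHERS = "HIGH:MEDIUM:!aNULL:!MD5"

# Name fragments that '!aNULL' (anonymous DH/ECDH) and '!MD5' are meant to
# keep out. Assumption of this example: a name-based cross-check only.
FORBIDDEN_FRAGMENTS = ("MD5", "ADH", "AECDH", "NULL")


def expand_cipher_list(spec):
    """Expand a CIPHERS= string with the local OpenSSL into the suites it
    would offer (TLS 1.3 suites, which OpenSSL configures separately, are
    listed too). Raises ssl.SSLError when nothing is selectable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def cipher_list_is_valid(spec):
    """True if OpenSSL accepts the list; False for a string such as a
    misspelled keyword that leaves no suite selectable."""
    try:
        expand_cipher_list(spec)
    except ssl.SSLError:
        return False
    return True


def audit_cipher_list(spec):
    """Return (offered, offenders). 'offenders' are suites whose names show
    an exclusion did not take effect; [] is the expected result for the
    default string."""
    offered = expand_cipher_list(spec)
    offenders = [n for n in offered if any(f in n for f in FORBIDDEN_FRAGMENTS)]
    return offered, offenders


if __name__ == "__main__":
    offered, offenders = audit_cipher_list(DEFAULT_CIPHERS)
    print(f"{len(offered)} suites offered, {len(offenders)} offenders")
    for name in offered:
        print("  ", name)
    print("empty list accepted:", cipher_list_is_valid("NOSUCHCIPHER"))
```

Run it on the node whose `/etc/default/pveproxy` you are editing, since the result depends on that node's OpenSSL build; a list that is valid on one OpenSSL version can select nothing on another.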


Diffie-Hellman Parameters
-------------------------

You can define the used Diffie-Hellman parameters in
`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
containing DH parameters in PEM format, for example

 DHPARAMS="/path/to/dhparams.pem"

If this option is not set, the built-in `skip2048` parameters will be
used.

NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.

Alternative HTTPS certificate
-----------------------------

By default, pveproxy uses the certificate `/etc/pve/local/pve-ssl.pem`
(and private key `/etc/pve/local/pve-ssl.key`) for HTTPS connections.
This certificate is signed by the cluster CA certificate, and therefore
not trusted by browsers and operating systems by default.

In order to use a different certificate and private key for HTTPS,
store the server certificate and any needed intermediate / CA
certificates in PEM format in the file `/etc/pve/local/pveproxy-ssl.pem`
and the associated private key in PEM format without a password in the
file `/etc/pve/local/pveproxy-ssl.key`.

WARNING: Do not replace the automatically generated node certificate
files in `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key` or
the cluster CA files in `/etc/pve/pve-root-ca.pem` and
`/etc/pve/priv/pve-root-ca.key`.

NOTE: There is a detailed HOWTO for configuring commercial HTTPS certificates
on the {webwiki-url}HTTPS_Certificate_Configuration_(Version_4.x_and_newer)[wiki],
including setup instructions for obtaining certificates from the popular free
Let's Encrypt certificate authority.
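
An added structural check for the two files described above (example code, neither from this documentation nor from {pve}): it parses the PEM blocks, verifies that `pveproxy-ssl.pem` contains only certificates and that `pveproxy-ssl.key` contains exactly one private key that is not password protected, which is the requirement stated above. Whether the key actually belongs to the certificate is not checked here. The sample blocks are constructed with placeholder bodies, not real key material.

```python
import base64
import re

# One PEM block: label, optional RFC 1421 headers, base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S
)


def parse_pem(text):
    """Return [(label, headers, der)] for every PEM block in text.
    Header lines ('Proc-Type: 4,ENCRYPTED', 'DEK-Info: ...') precede the
    base64 body in legacy encrypted keys; a body that is not valid base64
    raises ValueError, as the TLS library would reject the file."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        headers, b64 = {}, []
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            if ":" in line and not b64:  # base64 never contains ':'
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
            else:
                b64.append(line)
        try:
            der = base64.b64decode("".join(b64), validate=True)
        except ValueError as exc:
            raise ValueError(f"{label}: body is not valid base64") from exc
        blocks.append((label, headers, der))
    return blocks


def is_encrypted_key(label, headers):
    """PKCS#8 encrypted keys carry their own label; legacy PEM keys mark
    encryption with a Proc-Type header."""
    return label == "ENCRYPTED PRIVATE KEY" or "ENCRYPTED" in headers.get("Proc-Type", "")


def check_pveproxy_files(cert_pem, key_pem):
    """Findings for a pveproxy-ssl.pem / pveproxy-ssl.key pair; [] means the
    files meet the structural requirements stated in the documentation."""
    findings = []
    certs = parse_pem(cert_pem)
    if not certs:
        findings.append("pveproxy-ssl.pem: no PEM block found")
    for label, _, _ in certs:
        if label != "CERTIFICATE":
            findings.append(f"pveproxy-ssl.pem: unexpected {label} block (only certificates belong here)")
    keys = parse_pem(key_pem)
    if len(keys) != 1:
        findings.append(f"pveproxy-ssl.key: expected one private key block, found {len(keys)}")
    for label, headers, _ in keys:
        if is_encrypted_key(label, headers):
            findings.append("pveproxy-ssl.key: key is password protected; pveproxy needs an unencrypted key")
        elif not label.endswith("PRIVATE KEY"):
            findings.append(f"pveproxy-ssl.key: {label} block is not a private key")
    return findings


def sample_block(label, headers=()):
    """Constructed PEM block with a placeholder body (not real key material)."""
    hdr = "".join(f"{k}: {v}\n" for k, v in headers)
    body = base64.b64encode(b"placeholder bytes, not a real DER structure").decode()
    return f"-----BEGIN {label}-----\n{hdr}{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    chain = sample_block("CERTIFICATE") + sample_block("CERTIFICATE")
    print("plain key:    ", check_pveproxy_files(chain, sample_block("PRIVATE KEY")))
    legacy = sample_block("RSA PRIVATE KEY",
                          [("Proc-Type", "4,ENCRYPTED"), ("DEK-Info", "AES-256-CBC,00")])
    print("encrypted key:", check_pveproxy_files(chain, legacy))
```

To check real files, read `/etc/pve/local/pveproxy-ssl.pem` and `/etc/pve/local/pveproxy-ssl.key` and pass their contents to `check_pveproxy_files`; a password-protected key is the common mistake when material is copied over from a web server that prompts for the passphrase at start-up.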

ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]