pveproxy.adoc

   1 ifdef::manvolnum[]
   2 pveproxy(8)
   3 ===========
   4 :pve-toplevel:
   5
   6 NAME
   7 ----
   8
   9 pveproxy - PVE API Proxy Daemon
  10
  11
  12 SYNOPSIS
  13 --------
  14
  15 include::pveproxy.8-synopsis.adoc[]
  16
  17 DESCRIPTION
  18 -----------
  19 endif::manvolnum[]
  20
  21 ifndef::manvolnum[]
  22 pveproxy - Proxmox VE API Proxy Daemon
  23 ======================================
  24 endif::manvolnum[]
  25
  26 This daemon exposes the whole {pve} API on TCP port 8006 using
  27 HTTPS. It runs as user `www-data` and has very limited permissions.
  28 Operation requiring more permissions are forwarded to the local
  29 `pvedaemon`.
  30
  31 Requests targeted for other nodes are automatically forwarded to those
  32 nodes. This means that you can manage your whole cluster by connecting
  33 to a single {pve} node.
  34
  35 Host based Access Control
  36 -------------------------
  37
  38 It is possible to configure ``apache2''-like access control
  39 lists. Values are read from file `/etc/default/pveproxy`. For example:
  40
  41 ----
  42 ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
  43 DENY_FROM="all"
  44 POLICY="allow"
  45 ----
  46
  47 IP addresses can be specified using any syntax understood by `Net::IP`. The
  48 name `all` is an alias for `0/0`.
  49
  50 The default policy is `allow`.
  51
  52 [width="100%",options="header"]
  53 |===========================================================
  54 | Match                      | POLICY=deny | POLICY=allow
  55 | Match Allow only           | allow       | allow
  56 | Match Deny only            | deny        | deny
  57 | No match                   | deny        | allow
  58 | Match Both Allow & Deny    | deny        | allow
  59 |===========================================================
  60
  61
  62 SSL Cipher Suite
  63 ----------------
  64
  65 You can define the cipher list in `/etc/default/pveproxy`, for example
  66
  67  CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
  68
  69 Above is the default. See the ciphers(1) man page from the openssl
  70 package for a list of all available options.
  71
  72 Additionally you can define that the client choses the used cipher in
  73 `/etc/default/pveproxy` (default is the first cipher in the list available to
  74 both client and `pveproxy`):
  75
  76  HONOR_CIPHER_ORDER=0
  77
  78
  79 Diffie-Hellman Parameters
  80 -------------------------
  81
  82 You can define the used Diffie-Hellman parameters in
  83 `/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
  84 containing DH parameters in PEM format, for example
  85
  86  DHPARAMS="/path/to/dhparams.pem"
  87
  88 If this option is not set, the built-in `skip2048` parameters will be
  89 used.
  90
  91 NOTE: DH parameters are only used if a cipher suite utilizing the DH key
  92 exchange algorithm is negotiated.
  93
  94 Alternative HTTPS certificate
  95 -----------------------------
  96
  97 You can change the certificate used to an external one or to one obtained via
  98 ACME.
  99
 100 pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
 101 `/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to
 102 `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
 103 The private key may not use a passphrase.
 104
 105 See the Host System Administration chapter of the documentation for details.
 106
 107 COMPRESSION
 108 -----------
 109
 110 By default `pveproxy` uses gzip HTTP-level compression for compressible
 111 content, if the client supports it. This can disabled in `/etc/default/pveproxy`
 112
 113  COMPRESSION=0
 114
 115 ifdef::manvolnum[]
 116 include::pve-copyright.adoc[]
 117 endif::manvolnum[]