pveproxy.adoc

   1 ifdef::manvolnum[]
   2 PVE({manvolnum})
   3 ================
   4 include::attributes.txt[]
   5
   6 NAME
   7 ----
   8
   9 pveproxy - PVE API Proxy Daemon
  10
  11
  12 SYNOPSYS
  13 --------
  14
  15 include::pveproxy.8-synopsis.adoc[]
  16
  17 DESCRIPTION
  18 -----------
  19 endif::manvolnum[]
  20
  21 ifndef::manvolnum[]
  22 {pve} API Proxy Daemon
  23 ======================
  24 include::attributes.txt[]
  25 endif::manvolnum[]
  26
  27 This daemon exposes the whole {pve} API on TCP port 8006 using
  28 HTTPS. It runs as user 'www-data' and has very limited permissions.
  29 Operation requiring more permissions are forwarded to the local
  30 'pvedaemon'.
  31
  32 Requests targeted for other nodes are automatically forwarded to those
  33 nodes. This means that you can manage your whole cluster by connecting
  34 to a single {pve} node.
  35
  36 Host based Access Control
  37 -------------------------
  38
  39 It is possible to configure "apache2" like access control
  40 lists. Values are read from file '/etc/default/pveproxy'. For example:
  41
  42 ----
  43 ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
  44 DENY_FROM="all"
  45 POLICY="allow"
  46 ----
  47
  48 IP addresses can be specified using any syntax understood by `Net::IP`. The
  49 name 'all' is an alias for '0/0'.
  50
  51 The default policy is 'allow'.
  52
  53 [width="100%",options="header"]
  54 |===========================================================
  55 | Match                      | POLICY=deny | POLICY=allow
  56 | Match Allow only           | allow       | allow
  57 | Match Deny only            | deny        | deny
  58 | No match                   | deny        | allow
  59 | Match Both Allow & Deny    | deny        | allow
  60 |===========================================================
  61
  62
  63 SSL Cipher Suite
  64 ----------------
  65
  66 You can define the cipher list in '/etc/default/pveproxy', for example
  67
  68  CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
  69
  70 Above is the default. See the ciphers(1) man page from the openssl
  71 package for a list of all available options.
  72
  73
  74 Diffie-Hellman Parameters
  75 -------------------------
  76
  77 You can define the used Diffie-Hellman parameters in
  78 '/etc/default/pveproxy' by setting `DHPARAMS` to the path of a file
  79 containing DH parameters in PEM format, for example
  80
  81  DHPARAMS="/path/to/dhparams.pem"
  82
  83 If this option is not set, the built-in 'skip2048' parameters will be
  84 used.
  85
  86 NOTE: DH parameters are only used if a cipher suite utilizing the DH key
  87 exchange algorithm is negotiated.
  88
  89 Alternative HTTPS certificate
  90 -----------------------------
  91
  92 By default, pveproxy uses the certificate '/etc/pve/local/pve-ssl.pem'
  93 (and private key '/etc/pve/local/pve-ssl.key') for HTTPS connections.
  94 This certificate is signed by the cluster CA certificate, and therefor
  95 not trusted by browsers and operating systems by default.
  96
  97 In order to use a different certificate and private key for HTTPS,
  98 store the server certificate and any needed intermediate / CA
  99 certificates in PEM format in the file '/etc/pve/local/pveproxy-ssl.pem'
 100 and the associated private key in PEM format without a password in the
 101 file '/etc/pve/local/pveproxy-ssl.key'.
 102
 103 WARNING: Do not replace the automatically generated node certificate
 104 files in '/etc/pve/local/pve-ssl.pem'/'etc/pve/local/pve-ssl.key' or
 105 the cluster CA files in '/etc/pve/pve-root-ca.pem'/'/etc/pve/priv/pve-root-ca.key'.
 106
 107 ifdef::manvolnum[]
 108 include::pve-copyright.adoc[]
 109 endif::manvolnum[]