ifdef::manvolnum[] pveproxy(8) =========== :pve-toplevel: NAME ---- pveproxy - PVE API Proxy Daemon SYNOPSIS -------- include::pveproxy.8-synopsis.adoc[] DESCRIPTION ----------- endif::manvolnum[] ifndef::manvolnum[] pveproxy - Proxmox VE API Proxy Daemon ====================================== endif::manvolnum[] This daemon exposes the whole {pve} API on TCP port 8006 using HTTPS. It runs as user `www-data` and has very limited permissions. Operation requiring more permissions are forwarded to the local `pvedaemon`. Requests targeted for other nodes are automatically forwarded to those nodes. This means that you can manage your whole cluster by connecting to a single {pve} node. [[pveproxy_host_acls]] Host based Access Control ------------------------- It is possible to configure ``apache2''-like access control lists. Values are read from file `/etc/default/pveproxy`. For example: ---- ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22" DENY_FROM="all" POLICY="allow" ---- IP addresses can be specified using any syntax understood by `Net::IP`. The name `all` is an alias for `0/0` and `::/0` (meaning all IPv4 and IPv6 addresses). The default policy is `allow`. [width="100%",options="header"] |=========================================================== | Match | POLICY=deny | POLICY=allow | Match Allow only | allow | allow | Match Deny only | deny | deny | No match | deny | allow | Match Both Allow & Deny | deny | allow |=========================================================== [[pveproxy_listening_address]] Listening IP Address -------------------- By default the `pveproxy` and `spiceproxy` daemons listen on the wildcard address and accept connections from both IPv4 and IPv6 clients. By setting `LISTEN_IP` in `/etc/default/pveproxy` you can control to which IP address the `pveproxy` and `spiceproxy` daemons bind. The IP-address needs to be configured on the system. Setting the `sysctl` `net.ipv6.bindv6only` to the non-default `1` will cause the daemons to only accept connection from IPv6 clients, while usually also causing lots of other issues. If you set this configuration we recommend to either remove the `sysctl` setting, or set the `LISTEN_IP` to `0.0.0.0` (which will only allow IPv4 clients). `LISTEN_IP` can be used to only to restricting the socket to an internal interface and thus have less exposure to the public internet, for example: ---- LISTEN_IP="192.0.2.1" ---- Similarly, you can also set an IPv6 address: ---- LISTEN_IP="2001:db8:85a3::1" ---- Note that if you want to specify a link-local IPv6 address, you need to provide the interface name itself. For example: ---- LISTEN_IP="fe80::c463:8cff:feb9:6a4e%vmbr0" ---- WARNING: The nodes in a cluster need access to `pveproxy` for communication, possibly on different sub-nets. It is **not recommended** to set `LISTEN_IP` on clustered systems. To apply the change you need to either reboot your node or fully restart the `pveproxy` and `spiceproxy` service: ---- systemctl restart pveproxy.service spiceproxy.service ---- NOTE: Unlike `reload`, a `restart` of the pveproxy service can interrupt some long-running worker processes, for example a running console or shell from a virtual guest. So, please use a maintenance window to bring this change in effect. SSL Cipher Suite ---------------- You can define the cipher list in `/etc/default/pveproxy` via the `CIPHERS` (TLS <= 1.2) and `CIPHERSUITES` (TLS >= 1.3) keys. For example CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" CIPHERSUITES="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" Above is the default. See the ciphers(1) man page from the openssl package for a list of all available options. Additionally, you can set the client to choose the cipher used in `/etc/default/pveproxy` (default is the first cipher in the list available to both client and `pveproxy`): HONOR_CIPHER_ORDER=0 Supported TLS versions ---------------------- The insecure SSL versions 2 and 3 are unconditionally disabled for pveproxy. TLS versions below 1.1 are disabled by default on recent OpenSSL versions, which is honored by `pveproxy` (see `/etc/ssl/openssl.cnf`). To disable TLS version 1.2 or 1.3, set the following in `/etc/default/pveproxy`: DISABLE_TLS_1_2=1 or, respectively: DISABLE_TLS_1_3=1 NOTE: Unless there is a specific reason to do so, it is not recommended to manually adjust the supported TLS versions. Diffie-Hellman Parameters ------------------------- You can define the used Diffie-Hellman parameters in `/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file containing DH parameters in PEM format, for example DHPARAMS="/path/to/dhparams.pem" If this option is not set, the built-in `skip2048` parameters will be used. NOTE: DH parameters are only used if a cipher suite utilizing the DH key exchange algorithm is negotiated. [[pveproxy_custom_tls_cert]] Alternative HTTPS certificate ----------------------------- You can change the certificate used to an external one or to one obtained via ACME. pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and `/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`. The private key may not use a passphrase. It is possible to override the location of the certificate private key `/etc/pve/local/pveproxy-ssl.key` by setting `TLS_KEY_FILE` in `/etc/default/pveproxy`, for example: TLS_KEY_FILE="/secrets/pveproxy.key" NOTE: The included ACME integration does not honor this setting. See the Host System Administration chapter of the documentation for details. [[pveproxy_response_compression]] Response Compression -------------------- By default `pveproxy` uses gzip HTTP-level compression for compressible content, if the client supports it. This can disabled in `/etc/default/pveproxy` COMPRESSION=0 ifdef::manvolnum[] include::pve-copyright.adoc[] endif::manvolnum[]