ifdef::manvolnum[] pveproxy(8) =========== :pve-toplevel: NAME ---- pveproxy - PVE API Proxy Daemon SYNOPSIS -------- include::pveproxy.8-synopsis.adoc[] DESCRIPTION ----------- endif::manvolnum[] ifndef::manvolnum[] pveproxy - Proxmox VE API Proxy Daemon ====================================== endif::manvolnum[] This daemon exposes the whole {pve} API on TCP port 8006 using HTTPS. It runs as user `www-data` and has very limited permissions. Operation requiring more permissions are forwarded to the local `pvedaemon`. Requests targeted for other nodes are automatically forwarded to those nodes. This means that you can manage your whole cluster by connecting to a single {pve} node. Host based Access Control ------------------------- It is possible to configure ``apache2''-like access control lists. Values are read from file `/etc/default/pveproxy`. For example: ---- ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22" DENY_FROM="all" POLICY="allow" ---- IP addresses can be specified using any syntax understood by `Net::IP`. The name `all` is an alias for `0/0`. The default policy is `allow`. [width="100%",options="header"] |=========================================================== | Match | POLICY=deny | POLICY=allow | Match Allow only | allow | allow | Match Deny only | deny | deny | No match | deny | allow | Match Both Allow & Deny | deny | allow |=========================================================== SSL Cipher Suite ---------------- You can define the cipher list in `/etc/default/pveproxy`, for example CIPHERS="HIGH:MEDIUM:!aNULL:!MD5" Above is the default. See the ciphers(1) man page from the openssl package for a list of all available options. Diffie-Hellman Parameters ------------------------- You can define the used Diffie-Hellman parameters in `/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file containing DH parameters in PEM format, for example DHPARAMS="/path/to/dhparams.pem" If this option is not set, the built-in `skip2048` parameters will be used. NOTE: DH parameters are only used if a cipher suite utilizing the DH key exchange algorithm is negotiated. Alternative HTTPS certificate ----------------------------- By default, pveproxy uses the certificate `/etc/pve/local/pve-ssl.pem` (and private key `/etc/pve/local/pve-ssl.key`) for HTTPS connections. This certificate is signed by the cluster CA certificate, and therefor not trusted by browsers and operating systems by default. In order to use a different certificate and private key for HTTPS, store the server certificate and any needed intermediate / CA certificates in PEM format in the file `/etc/pve/local/pveproxy-ssl.pem` and the associated private key in PEM format without a password in the file `/etc/pve/local/pveproxy-ssl.key`. WARNING: Do not replace the automatically generated node certificate files in `/etc/pve/local/pve-ssl.pem` and `etc/pve/local/pve-ssl.key` or the cluster CA files in `/etc/pve/pve-root-ca.pem` and `/etc/pve/priv/pve-root-ca.key`. NOTE: There is a detailed HOWTO for configuring commercial HTTPS certificates on the {webwiki-url}HTTPS_Certificate_Configuration_(Version_4.x_and_newer)[wiki], including setup instructions for obtaining certificates from the popular free Let's Encrypt certificate authority. ifdef::manvolnum[] include::pve-copyright.adoc[] endif::manvolnum[]