pveproxy: update documentation on 'all' alias

[pve-docs.git] / pveproxy.adoc

diff --git a/pveproxy.adoc b/pveproxy.adoc
index a7538b09124d690f922b9b1c4473cc577de0ee7a..09ac5cfee16e3983f68a74d48a61bcf15e7b4433 100644 (file)
--- a/pveproxy.adoc
+++ b/pveproxy.adoc
@@ -45,7 +45,8 @@ POLICY="allow"
 ----
 
 IP addresses can be specified using any syntax understood by `Net::IP`. The
-name `all` is an alias for `0/0`.
+name `all` is an alias for `0/0` and `::/0` (meaning all IPv4 and IPv6
+addresses).
 
 The default policy is `allow`.
 
@@ -62,6 +63,9 @@ The default policy is `allow`.
 Listening IP
 ------------
 
+By default the `pveproxy` and `spiceproxy` daemons listen on the wildcard
+address and accept connections from both IPv4 and IPv6 clients.
+
 By setting `LISTEN_IP` in `/etc/default/pveproxy` you can control to which IP
 address the `pveproxy` and `spiceproxy` daemons bind. The IP-address needs to
 be configured on the system.
@@ -102,6 +106,12 @@ long-running worker processes, for example a running console or shell from a
 virtual guest. So, please use a maintenance window to bring this change in
 effect.
 
+NOTE: setting the `sysctl` `net.ipv6.bindv6only` to `1` will cause the daemons
+  to only accept connection from IPv6 clients. This non-default setting usually
+  also causes other issues. Either remove the `sysctl` setting, or set the
+  `LISTEN_IP` to `0.0.0.0` (which will only allow IPv4 clients).
+
+
 SSL Cipher Suite
 ----------------
 
@@ -112,7 +122,7 @@ You can define the cipher list in `/etc/default/pveproxy`, for example
 Above is the default. See the ciphers(1) man page from the openssl
 package for a list of all available options.
 
-Additionally you can define that the client choses the used cipher in
+Additionally, you can set the client to choose the cipher used in
 `/etc/default/pveproxy` (default is the first cipher in the list available to
 both client and `pveproxy`):