======================================
endif::manvolnum[]
-This daemon exposes the whole {pve} API on TCP port 8006 using
-HTTPS. It runs as user `www-data` and has very limited permissions.
-Operation requiring more permissions are forwarded to the local
-`pvedaemon`.
+This daemon exposes the whole {pve} API on TCP port 8006 using HTTPS. It runs
+as user `www-data` and has very limited permissions. Operation requiring more
+permissions are forwarded to the local `pvedaemon`.
-Requests targeted for other nodes are automatically forwarded to those
-nodes. This means that you can manage your whole cluster by connecting
-to a single {pve} node.
+Requests targeted for other nodes are automatically forwarded to those nodes.
+This means that you can manage your whole cluster by connecting to a single
+{pve} node.
+[[pveproxy_host_acls]]
Host based Access Control
-------------------------
-It is possible to configure ``apache2''-like access control
-lists. Values are read from file `/etc/default/pveproxy`. For example:
+It is possible to configure ``apache2''-like access control lists. Values are
+read from file `/etc/default/pveproxy`. For example:
----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
----
IP addresses can be specified using any syntax understood by `Net::IP`. The
-name `all` is an alias for `0/0`.
+name `all` is an alias for `0/0` and `::/0` (meaning all IPv4 and IPv6
+addresses).
The default policy is `allow`.
| Match Both Allow & Deny | deny | allow
|===========================================================
+[[pveproxy_listening_address]]
+Listening IP Address
+--------------------
+
+By default the `pveproxy` and `spiceproxy` daemons listen on the wildcard
+address and accept connections from both IPv4 and IPv6 clients.
-Listening IP
-------------
By setting `LISTEN_IP` in `/etc/default/pveproxy` you can control to which IP
address the `pveproxy` and `spiceproxy` daemons bind. The IP-address needs to
be configured on the system.
-This can be used to listen only to an internal interface and thus have less
-exposure to the public internet:
+Setting the `sysctl` `net.ipv6.bindv6only` to the non-default `1` will cause
+the daemons to only accept connection from IPv6 clients, while usually also
+causing lots of other issues. If you set this configuration we recommend to
+either remove the `sysctl` setting, or set the `LISTEN_IP` to `0.0.0.0` (which
+will only allow IPv4 clients).
+
+`LISTEN_IP` can be used to only to restricting the socket to an internal
+interface and thus have less exposure to the public internet, for example:
----
LISTEN_IP="192.0.2.1"
LISTEN_IP="2001:db8:85a3::1"
----
+Note that if you want to specify a link-local IPv6 address, you need to provide
+the interface name itself. For example:
+
+----
+LISTEN_IP="fe80::c463:8cff:feb9:6a4e%vmbr0"
+----
+
WARNING: The nodes in a cluster need access to `pveproxy` for communication,
possibly on different sub-nets. It is **not recommended** to set `LISTEN_IP` on
clustered systems.
+To apply the change you need to either reboot your node or fully restart the
+`pveproxy` and `spiceproxy` service:
+
+----
+systemctl restart pveproxy.service spiceproxy.service
+----
+
+NOTE: Unlike `reload`, a `restart` of the pveproxy service can interrupt some
+long-running worker processes, for example a running console or shell from a
+virtual guest. So, please use a maintenance window to bring this change in
+effect.
+
+
SSL Cipher Suite
----------------
-You can define the cipher list in `/etc/default/pveproxy`, for example
+You can define the cipher list in `/etc/default/pveproxy` via the `CIPHERS`
+(TLS <= 1.2) and `CIPHERSUITES` (TLS >= 1.3) keys. For example
CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+ CIPHERSUITES="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.
-Additionally you can define that the client choses the used cipher in
+Additionally, you can set the client to choose the cipher used in
`/etc/default/pveproxy` (default is the first cipher in the list available to
both client and `pveproxy`):
HONOR_CIPHER_ORDER=0
+Supported TLS versions
+----------------------
+
+The insecure SSL versions 2 and 3 are unconditionally disabled for pveproxy.
+TLS versions below 1.1 are disabled by default on recent OpenSSL versions,
+which is honored by `pveproxy` (see `/etc/ssl/openssl.cnf`).
+
+To disable TLS version 1.2 or 1.3, set the following in `/etc/default/pveproxy`:
+
+ DISABLE_TLS_1_2=1
+
+or, respectively:
+
+ DISABLE_TLS_1_3=1
+
+NOTE: Unless there is a specific reason to do so, it is not recommended to
+manually adjust the supported TLS versions.
+
+
Diffie-Hellman Parameters
-------------------------
NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.
+[[pveproxy_custom_tls_cert]]
Alternative HTTPS certificate
-----------------------------
`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
The private key may not use a passphrase.
+It is possible to override the location of the certificate private key
+`/etc/pve/local/pveproxy-ssl.key` by setting `TLS_KEY_FILE` in
+`/etc/default/pveproxy`, for example:
+
+ TLS_KEY_FILE="/secrets/pveproxy.key"
+
+NOTE: The included ACME integration does not honor this setting.
+
See the Host System Administration chapter of the documentation for details.
-COMPRESSION
------------
+[[pveproxy_response_compression]]
+Response Compression
+--------------------
By default `pveproxy` uses gzip HTTP-level compression for compressible
content, if the client supports it. This can disabled in `/etc/default/pveproxy`
projects / pve-docs.git / blobdiff