+Host based Access Control
+-------------------------
+
+It is possible to configure ``apache2''-like access control
+lists. Values are read from file `/etc/default/pveproxy`. For example:
+
+----
+ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
+DENY_FROM="all"
+POLICY="allow"
+----
+
+IP addresses can be specified using any syntax understood by `Net::IP`. The
+name `all` is an alias for `0/0`.
+
+The default policy is `allow`.
+
+[width="100%",options="header"]
+|===========================================================
+| Match | POLICY=deny | POLICY=allow
+| Match Allow only | allow | allow
+| Match Deny only | deny | deny
+| No match | deny | allow
+| Match Both Allow & Deny | deny | allow
+|===========================================================
+
+
+SSL Cipher Suite
+----------------
+
+You can define the cipher list in `/etc/default/pveproxy`, for example
+
+ CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
+
+Above is the default. See the ciphers(1) man page from the openssl
+package for a list of all available options.
+
+
+Diffie-Hellman Parameters
+-------------------------
+
+You can define the used Diffie-Hellman parameters in
+`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
+containing DH parameters in PEM format, for example
+
+ DHPARAMS="/path/to/dhparams.pem"
+
+If this option is not set, the built-in `skip2048` parameters will be
+used.
+
+NOTE: DH parameters are only used if a cipher suite utilizing the DH key
+exchange algorithm is negotiated.
+
+
+Alternative HTTPS certificate
+-----------------------------
+
+By default, pveproxy uses the certificate `/etc/pve/local/pve-ssl.pem`
+(and private key `/etc/pve/local/pve-ssl.key`) for HTTPS connections.
+This certificate is signed by the cluster CA certificate, and therefor
+not trusted by browsers and operating systems by default.
+
+In order to use a different certificate and private key for HTTPS,
+store the server certificate and any needed intermediate / CA
+certificates in PEM format in the file `/etc/pve/local/pveproxy-ssl.pem`
+and the associated private key in PEM format without a password in the
+file `/etc/pve/local/pveproxy-ssl.key`.
+
+WARNING: Do not replace the automatically generated node certificate
+files in `/etc/pve/local/pve-ssl.pem` and `etc/pve/local/pve-ssl.key` or
+the cluster CA files in `/etc/pve/pve-root-ca.pem` and
+`/etc/pve/priv/pve-root-ca.key`.