X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=blobdiff_plain;f=pveproxy.adoc;h=d50d04a967f540627daea77c14f8623eeb7f0cfb;hp=5b831066f00a5ae282da85760c61ccf79677e827;hb=c21d2cbe57c2eabf6ccbf1f37e085a20e2c0023f;hpb=a69bfc83f6d2b79e94eeb39781d89b720b4482dc diff --git a/pveproxy.adoc b/pveproxy.adoc index 5b83106..d50d04a 100644 --- a/pveproxy.adoc +++ b/pveproxy.adoc @@ -64,11 +64,17 @@ SSL Cipher Suite You can define the cipher list in `/etc/default/pveproxy`, for example - CIPHERS="HIGH:MEDIUM:!aNULL:!MD5" + CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" Above is the default. See the ciphers(1) man page from the openssl package for a list of all available options. +Additionally you can define that the client choses the used cipher in +`/etc/default/pveproxy` (default is the first cipher in the list available to +both client and `pveproxy`): + + HONOR_CIPHER_ORDER=0 + Diffie-Hellman Parameters ------------------------- @@ -88,26 +94,23 @@ exchange algorithm is negotiated. Alternative HTTPS certificate ----------------------------- -By default, pveproxy uses the certificate `/etc/pve/local/pve-ssl.pem` -(and private key `/etc/pve/local/pve-ssl.key`) for HTTPS connections. -This certificate is signed by the cluster CA certificate, and therefor -not trusted by browsers and operating systems by default. - -In order to use a different certificate and private key for HTTPS, -store the server certificate and any needed intermediate / CA -certificates in PEM format in the file `/etc/pve/local/pveproxy-ssl.pem` -and the associated private key in PEM format without a password in the -file `/etc/pve/local/pveproxy-ssl.key`. - -WARNING: Do not replace the automatically generated node certificate -files in `/etc/pve/local/pve-ssl.pem` and `etc/pve/local/pve-ssl.key` or -the cluster CA files in `/etc/pve/pve-root-ca.pem` and -`/etc/pve/priv/pve-root-ca.key`. - -NOTE: There is a detailed HOWTO for configuring commercial HTTPS certificates -on the {webwiki-url}HTTPS_Certificate_Configuration_(Version_4.x_and_newer)[wiki], -including setup instructions for obtaining certificates from the popular free -Let's Encrypt certificate authority. +You can change the certificate used to an external one or to one obtained via +ACME. + +pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and +`/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to +`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`. +The private key may not use a passphrase. + +See the Host System Administration chapter of the documentation for details. + +COMPRESSION +----------- + +By default `pveproxy` uses gzip HTTP-level compression for compressible +content, if the client supports it. This can disabled in `/etc/default/pveproxy` + + COMPRESSION=0 ifdef::manvolnum[] include::pve-copyright.adoc[]