X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=blobdiff_plain;f=pveproxy.adoc;h=d50d04a967f540627daea77c14f8623eeb7f0cfb;hp=ca320893e970cb2ad423f2f2aee56364b4214945;hb=54de4e32219f93bc2f0bb102ec1fef480943dd18;hpb=eb6414293669fd188138511ab89df1abc21c74e6 diff --git a/pveproxy.adoc b/pveproxy.adoc index ca32089..d50d04a 100644 --- a/pveproxy.adoc +++ b/pveproxy.adoc @@ -1,7 +1,7 @@ ifdef::manvolnum[] -PVE({manvolnum}) -================ -include::attributes.txt[] +pveproxy(8) +=========== +:pve-toplevel: NAME ---- @@ -9,7 +9,7 @@ NAME pveproxy - PVE API Proxy Daemon -SYNOPSYS +SYNOPSIS -------- include::pveproxy.8-synopsis.adoc[] @@ -19,15 +19,14 @@ DESCRIPTION endif::manvolnum[] ifndef::manvolnum[] -{pve} API Proxy Daemon -====================== -include::attributes.txt[] +pveproxy - Proxmox VE API Proxy Daemon +====================================== endif::manvolnum[] This daemon exposes the whole {pve} API on TCP port 8006 using -HTTPS. It runs as user 'www-data' and has very limited permissions. +HTTPS. It runs as user `www-data` and has very limited permissions. Operation requiring more permissions are forwarded to the local -'pvedaemon'. +`pvedaemon`. Requests targeted for other nodes are automatically forwarded to those nodes. This means that you can manage your whole cluster by connecting @@ -36,8 +35,8 @@ to a single {pve} node. Host based Access Control ------------------------- -It is possible to configure "apache2" like access control -lists. Values are read from file '/etc/default/pveproxy'. For example: +It is possible to configure ``apache2''-like access control +lists. Values are read from file `/etc/default/pveproxy`. For example: ---- ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22" @@ -46,9 +45,9 @@ POLICY="allow" ---- IP addresses can be specified using any syntax understood by `Net::IP`. The -name 'all' is an alias for '0/0'. +name `all` is an alias for `0/0`. -The default policy is 'allow'. +The default policy is `allow`. [width="100%",options="header"] |=========================================================== @@ -63,29 +62,55 @@ The default policy is 'allow'. SSL Cipher Suite ---------------- -You can define the cipher list in '/etc/default/pveproxy', for example +You can define the cipher list in `/etc/default/pveproxy`, for example - CIPHERS="HIGH:MEDIUM:!aNULL:!MD5" + CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" Above is the default. See the ciphers(1) man page from the openssl package for a list of all available options. +Additionally you can define that the client choses the used cipher in +`/etc/default/pveproxy` (default is the first cipher in the list available to +both client and `pveproxy`): + + HONOR_CIPHER_ORDER=0 + Diffie-Hellman Parameters ------------------------- You can define the used Diffie-Hellman parameters in -'/etc/default/pveproxy' by setting `DHPARAMS` to the path of a file +`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file containing DH parameters in PEM format, for example DHPARAMS="/path/to/dhparams.pem" -If this option is not set, the built-in 'skip2048' parameters will be +If this option is not set, the built-in `skip2048` parameters will be used. NOTE: DH parameters are only used if a cipher suite utilizing the DH key exchange algorithm is negotiated. +Alternative HTTPS certificate +----------------------------- + +You can change the certificate used to an external one or to one obtained via +ACME. + +pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and +`/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to +`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`. +The private key may not use a passphrase. + +See the Host System Administration chapter of the documentation for details. + +COMPRESSION +----------- + +By default `pveproxy` uses gzip HTTP-level compression for compressible +content, if the client supports it. This can disabled in `/etc/default/pveproxy` + + COMPRESSION=0 ifdef::manvolnum[] include::pve-copyright.adoc[]