proxmox-mirrors/pmg-docs
1
0
Fork 0
mirror of https://git.proxmox.com/git/pmg-docs synced 2025-10-04 06:54:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

pmgproxy: document newly added options

Browse Source 
adapted from pve-docs -> pveproxy

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2021-12-17 14:00:16 +01:00 committed by Thomas Lamprecht
parent e1f6d6d01c
commit 169d20a317
1 changed files with 23 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
pmgproxy.adoc
View File

@ -125,7 +125,10 @@ should set a maintenance window to bring this change into effect.
SSL Cipher Suite
----------------
You can define the cipher list in `/etc/default/pmgproxy`, for example:
You can define the cipher list in `/etc/default/pmgproxy`, via the `CIPHERS`
(TLS <= 1.2) and `CIPHERSUITES` (TLS >= 1.3) keys.
For example:
CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
@ -141,6 +144,25 @@ by disabling the HONOR_CIPHER_ORDER option in `/etc/default/pmgproxy`:
HONOR_CIPHER_ORDER=0
Supported TLS versions
----------------------
The insecure SSL versions 2 and 3 are unconditionally disabled for `pmgproxy`.
TLS versions below 1.1 are disabled by default on recent OpenSSL versions,
which is honored by `pmgproxy` (see `/etc/ssl/openssl.cnf`).
To disable TLS version 1.2, set the following in `/etc/default/pmgproxy`:
DISABLE_TLS_1_2=1
or, respectively, to disable TLS version 1.3:
DISABLE_TLS_1_3=1
NOTE: Unless there is a specific reason to do so, it is not recommended to
manually adjust the supported TLS versions.
Diffie-Hellman Parameters
-------------------------