proxmox-mirrors/pmg-docs
1
0
Fork 0
mirror of https://git.proxmox.com/git/pmg-docs synced 2025-08-04 20:46:23 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

pmgproxy.adoc: add docs for config-parameters

Browse Source 
taken from the documentation for pveproxy

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
This commit is contained in:
Stoiko Ivanov 2019-02-27 17:30:00 +01:00 committed by Dietmar Maurer
parent 206ef99882
commit e1afb18145
1 changed files with 67 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
pmgproxy.adoc
View File

@ -41,6 +41,73 @@ browsers and operating systems by default. You can simply replace this
certificate with your own (please include the key inside the '.pem' file).
Host based Access Control
-------------------------
It is possible to configure ``apache2''-like access control
lists. Values are read from file `/etc/default/pmgproxy`. For example:
----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
----
IP addresses can be specified using any syntax understood by `Net::IP`. The
name `all` is an alias for `0/0`.
The default policy is `allow`.
[width="100%",options="header"]
|===========================================================
| Match | POLICY=deny | POLICY=allow
| Match Allow only | allow | allow
| Match Deny only | deny | deny
| No match | deny | allow
| Match Both Allow & Deny | deny | allow
|===========================================================
SSL Cipher Suite
----------------
You can define the cipher list in `/etc/default/pmgproxy`, for example
CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.
Additionally you can define that the client choses the used cipher in
`/etc/default/pmgproxy` (default is the first cipher in the list available to
both client and `pmgproxy`):
HONOR_CIPHER_ORDER=0
Diffie-Hellman Parameters
-------------------------
You can define the used Diffie-Hellman parameters in
`/etc/default/pmgproxy` by setting `DHPARAMS` to the path of a file
containing DH parameters in PEM format, for example
DHPARAMS="/path/to/dhparams.pem"
If this option is not set, the built-in `skip2048` parameters will be
used.
NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.
COMPRESSION
-----------
By default `pmgproxy` uses gzip HTTP-level compression for compressible
content, if the client supports it. This can disabled in `/etc/default/pmgproxy`
COMPRESSION=0
ifdef::manvolnum[]
include::pmg-copyright.adoc[]
endif::manvolnum[]