diff --git a/pmgproxy.adoc b/pmgproxy.adoc index 7d3c1e3..0c088e5 100644 --- a/pmgproxy.adoc +++ b/pmgproxy.adoc @@ -41,6 +41,73 @@ browsers and operating systems by default. You can simply replace this certificate with your own (please include the key inside the '.pem' file). +Host based Access Control +------------------------- + +It is possible to configure ``apache2''-like access control +lists. Values are read from file `/etc/default/pmgproxy`. For example: + +---- +ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22" +DENY_FROM="all" +POLICY="allow" +---- + +IP addresses can be specified using any syntax understood by `Net::IP`. The +name `all` is an alias for `0/0`. + +The default policy is `allow`. + +[width="100%",options="header"] +|=========================================================== +| Match | POLICY=deny | POLICY=allow +| Match Allow only | allow | allow +| Match Deny only | deny | deny +| No match | deny | allow +| Match Both Allow & Deny | deny | allow +|=========================================================== + + +SSL Cipher Suite +---------------- + +You can define the cipher list in `/etc/default/pmgproxy`, for example + + CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" + +Above is the default. See the ciphers(1) man page from the openssl +package for a list of all available options. + +Additionally you can define that the client choses the used cipher in +`/etc/default/pmgproxy` (default is the first cipher in the list available to +both client and `pmgproxy`): + + HONOR_CIPHER_ORDER=0 + + +Diffie-Hellman Parameters +------------------------- + +You can define the used Diffie-Hellman parameters in +`/etc/default/pmgproxy` by setting `DHPARAMS` to the path of a file +containing DH parameters in PEM format, for example + + DHPARAMS="/path/to/dhparams.pem" + +If this option is not set, the built-in `skip2048` parameters will be +used. + +NOTE: DH parameters are only used if a cipher suite utilizing the DH key +exchange algorithm is negotiated. + +COMPRESSION +----------- + +By default `pmgproxy` uses gzip HTTP-level compression for compressible +content, if the client supports it. This can disabled in `/etc/default/pmgproxy` + + COMPRESSION=0 + ifdef::manvolnum[] include::pmg-copyright.adoc[] endif::manvolnum[]