pmgproxy.adoc: add docs for config-parameters

taken from the documentation for pveproxy

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Stoiko Ivanov 2019-02-27 17:30:00 +01:00 committed by Dietmar Maurer
parent 206ef99882
commit e1afb18145

@ -41,6 +41,73 @@ browsers and operating systems by default. You can simply replace this
certificate with your own (please include the key inside the '.pem' file). certificate with your own (please include the key inside the '.pem' file).
Host based Access Control
-------------------------
It is possible to configure ``apache2''-like access control
lists. Values are read from file `/etc/default/pmgproxy`. For example:
----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
----
IP addresses can be specified using any syntax understood by `Net::IP`. The
name `all` is an alias for `0/0`.
The default policy is `allow`.
[width="100%",options="header"]
|===========================================================
| Match | POLICY=deny | POLICY=allow
| Match Allow only | allow | allow
| Match Deny only | deny | deny
| No match | deny | allow
| Match Both Allow & Deny | deny | allow
|===========================================================
SSL Cipher Suite
----------------
You can define the cipher list in `/etc/default/pmgproxy`, for example
CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.
Additionally you can define that the client choses the used cipher in
`/etc/default/pmgproxy` (default is the first cipher in the list available to
both client and `pmgproxy`):
HONOR_CIPHER_ORDER=0
Diffie-Hellman Parameters
-------------------------
You can define the used Diffie-Hellman parameters in
`/etc/default/pmgproxy` by setting `DHPARAMS` to the path of a file
containing DH parameters in PEM format, for example
DHPARAMS="/path/to/dhparams.pem"
If this option is not set, the built-in `skip2048` parameters will be
used.
NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.
COMPRESSION
-----------
By default `pmgproxy` uses gzip HTTP-level compression for compressible
content, if the client supports it. This can disabled in `/etc/default/pmgproxy`
COMPRESSION=0
ifdef::manvolnum[] ifdef::manvolnum[]
include::pmg-copyright.adoc[] include::pmg-copyright.adoc[]
endif::manvolnum[] endif::manvolnum[]
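Review bot: The example under "Host based Access Control" combines DENY_FROM="all" with POLICY="allow", and the added text never states what that combination does. A reader has to derive it from the table: addresses in ALLOW_FROM match both lists and are allowed under POLICY=allow, while every other address matches Deny only and is denied. Suggest one sentence directly after the example saying that it restricts access to the ALLOW_FROM addresses, and noting that the "Match Both Allow & Deny" row is the one where POLICY decides. Two wording fixes in the same hunk: "the client choses the used cipher" should read "chooses", and "This can disabled in" is missing "be". The "COMPRESSION" title is also the only all-caps heading among the added sections ("Host based Access Control", "SSL Cipher Suite", "Diffie-Hellman Parameters").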