mirror of
https://git.proxmox.com/git/pve-docs
synced 2025-08-04 09:31:20 +00:00
pveproxy: document newly added options
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
parent
55eeea33d6
commit
e683b1d847
@ -117,9 +117,11 @@ effect.
|
||||
SSL Cipher Suite
|
||||
----------------
|
||||
|
||||
You can define the cipher list in `/etc/default/pveproxy`, for example
|
||||
You can define the cipher list in `/etc/default/pveproxy` via the `CIPHERS`
|
||||
(TLS <= 1.2) and `CIPHERSUITES` (TLS >= 1.3) keys. For example
|
||||
|
||||
CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
|
||||
CIPHERSUITES="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
|
||||
|
||||
Above is the default. See the ciphers(1) man page from the openssl
|
||||
package for a list of all available options.
|
||||
@ -131,6 +133,25 @@ both client and `pveproxy`):
|
||||
HONOR_CIPHER_ORDER=0
|
||||
|
||||
|
||||
Supported TLS versions
|
||||
----------------------
|
||||
|
||||
The insecure SSL versions 2 and 3 are unconditionally disabled for pveproxy.
|
||||
TLS versions below 1.1 are disabled by default on recent OpenSSL versions,
|
||||
which is honored by `pveproxy` (see `/etc/ssl/openssl.cnf`).
|
||||
|
||||
To disable TLS version 1.2 or 1.3, set the following in `/etc/default/pveproxy`:
|
||||
|
||||
DISABLE_TLS_1_2=1
|
||||
|
||||
or, respectively:
|
||||
|
||||
DISABLE_TLS_1_3=1
|
||||
|
||||
NOTE: Unless there is a specific reason to do so, it is not recommended to
|
||||
manually adjust the supported TLS versions.
|
||||
|
||||
|
||||
Diffie-Hellman Parameters
|
||||
-------------------------
|
||||
|
||||
@ -157,6 +178,13 @@ pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
|
||||
`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
|
||||
The private key may not use a passphrase.
|
||||
|
||||
It is possible to override the location of the certificate private key by
|
||||
setting `TLS_KEY_FILE` in `/etc/default/pveproxy`, for example:
|
||||
|
||||
TLS_KEY_FILE="/secrets/pveproxy.key"
|
||||
|
||||
NOTE: The included ACME integration does not honor this setting.
|
||||
|
||||
See the Host System Administration chapter of the documentation for details.
|
||||
|
||||
COMPRESSION
|
||||
|
Loading…
Reference in New Issue
Block a user