proxmox-mirrors/pve-docs
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-docs synced 2025-08-04 09:31:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

pveproxy: document newly added options

Browse Source 
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2021-12-17 13:57:33 +01:00 committed by Thomas Lamprecht
parent 55eeea33d6
commit e683b1d847
1 changed files with 29 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
pveproxy.adoc
View File

@ -117,9 +117,11 @@ effect.
SSL Cipher Suite
----------------
You can define the cipher list in `/etc/default/pveproxy`, for example
You can define the cipher list in `/etc/default/pveproxy` via the `CIPHERS`
(TLS <= 1.2) and `CIPHERSUITES` (TLS >= 1.3) keys. For example
CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
CIPHERSUITES="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.
@ -131,6 +133,25 @@ both client and `pveproxy`):
HONOR_CIPHER_ORDER=0
Supported TLS versions
----------------------
The insecure SSL versions 2 and 3 are unconditionally disabled for pveproxy.
TLS versions below 1.1 are disabled by default on recent OpenSSL versions,
which is honored by `pveproxy` (see `/etc/ssl/openssl.cnf`).
To disable TLS version 1.2 or 1.3, set the following in `/etc/default/pveproxy`:
DISABLE_TLS_1_2=1
or, respectively:
DISABLE_TLS_1_3=1
NOTE: Unless there is a specific reason to do so, it is not recommended to
manually adjust the supported TLS versions.
Diffie-Hellman Parameters
-------------------------
@ -157,6 +178,13 @@ pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
The private key may not use a passphrase.
It is possible to override the location of the certificate private key by
setting `TLS_KEY_FILE` in `/etc/default/pveproxy`, for example:
TLS_KEY_FILE="/secrets/pveproxy.key"
NOTE: The included ACME integration does not honor this setting.
See the Host System Administration chapter of the documentation for details.
COMPRESSION