proxmox-mirrors/pve-docs
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-docs synced 2025-08-07 03:54:25 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

pveproxy: document newly added options

Browse Source 
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2021-12-17 13:57:33 +01:00 committed by Thomas Lamprecht
parent 55eeea33d6
commit e683b1d847
1 changed files with 29 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
pveproxy.adoc
View File

@ -117,9 +117,11 @@ effect.
SSL Cipher Suite SSL Cipher Suite
---------------- ----------------
You can define the cipher list in `/etc/default/pveproxy`, for example You can define the cipher list in `/etc/default/pveproxy` via the `CIPHERS`
(TLS <= 1.2) and `CIPHERSUITES` (TLS >= 1.3) keys. For example
CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
CIPHERSUITES="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
Above is the default. See the ciphers(1) man page from the openssl Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options. package for a list of all available options.
@ -131,6 +133,25 @@ both client and `pveproxy`):
HONOR_CIPHER_ORDER=0 HONOR_CIPHER_ORDER=0
Supported TLS versions
----------------------
The insecure SSL versions 2 and 3 are unconditionally disabled for pveproxy.
TLS versions below 1.1 are disabled by default on recent OpenSSL versions,
which is honored by `pveproxy` (see `/etc/ssl/openssl.cnf`).
To disable TLS version 1.2 or 1.3, set the following in `/etc/default/pveproxy`:
DISABLE_TLS_1_2=1
or, respectively:
DISABLE_TLS_1_3=1
NOTE: Unless there is a specific reason to do so, it is not recommended to
manually adjust the supported TLS versions.
Diffie-Hellman Parameters Diffie-Hellman Parameters
------------------------- -------------------------
@ -157,6 +178,13 @@ pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`. `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
The private key may not use a passphrase. The private key may not use a passphrase.
It is possible to override the location of the certificate private key by
setting `TLS_KEY_FILE` in `/etc/default/pveproxy`, for example:
TLS_KEY_FILE="/secrets/pveproxy.key"
NOTE: The included ACME integration does not honor this setting.
See the Host System Administration chapter of the documentation for details. See the Host System Administration chapter of the documentation for details.
COMPRESSION COMPRESSION