proxmox-mirrors/pve-docs
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-docs synced 2025-04-28 16:07:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
e8b392d332
pve-docs/pveproxy.adoc
Fabian Grünbichler e8b392d332 add binary names to section titles 
like in the appendix - otherwise this reads really strange,
especially for tools like "pveceph" and "pvesubscription",
where the content is just one sentence, which is not
mentioning the binary at all.
2016-10-07 09:53:51 +02:00

116 lines
3.4 KiB
Plaintext
Raw Blame History

ifdef::manvolnum[]
PVE({manvolnum})
================
include::attributes.txt[]
NAME
----
pveproxy - PVE API Proxy Daemon
SYNOPSIS
--------
include::pveproxy.8-synopsis.adoc[]
DESCRIPTION
-----------
endif::manvolnum[]
ifndef::manvolnum[]
pveproxy - Proxmox VE API Proxy Daemon
======================================
include::attributes.txt[]
endif::manvolnum[]
This daemon exposes the whole {pve} API on TCP port 8006 using
HTTPS. It runs as user `www-data` and has very limited permissions.
Operation requiring more permissions are forwarded to the local
`pvedaemon`.
Requests targeted for other nodes are automatically forwarded to those
nodes. This means that you can manage your whole cluster by connecting
to a single {pve} node.
Host based Access Control
-------------------------
It is possible to configure ``apache2''-like access control
lists. Values are read from file `/etc/default/pveproxy`. For example:
----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
----
IP addresses can be specified using any syntax understood by `Net::IP`. The
name `all` is an alias for `0/0`.
The default policy is `allow`.
[width="100%",options="header"]
|===========================================================
| Match | POLICY=deny | POLICY=allow
| Match Allow only | allow | allow
| Match Deny only | deny | deny
| No match | deny | allow
| Match Both Allow & Deny | deny | allow
|===========================================================
SSL Cipher Suite
----------------
You can define the cipher list in `/etc/default/pveproxy`, for example
CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.
Diffie-Hellman Parameters
-------------------------
You can define the used Diffie-Hellman parameters in
`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
containing DH parameters in PEM format, for example
DHPARAMS="/path/to/dhparams.pem"
If this option is not set, the built-in `skip2048` parameters will be
used.
NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.
Alternative HTTPS certificate
-----------------------------
By default, pveproxy uses the certificate `/etc/pve/local/pve-ssl.pem`
(and private key `/etc/pve/local/pve-ssl.key`) for HTTPS connections.
This certificate is signed by the cluster CA certificate, and therefor
not trusted by browsers and operating systems by default.
In order to use a different certificate and private key for HTTPS,
store the server certificate and any needed intermediate / CA
certificates in PEM format in the file `/etc/pve/local/pveproxy-ssl.pem`
and the associated private key in PEM format without a password in the
file `/etc/pve/local/pveproxy-ssl.key`.
WARNING: Do not replace the automatically generated node certificate
files in `/etc/pve/local/pve-ssl.pem` and `etc/pve/local/pve-ssl.key` or
the cluster CA files in `/etc/pve/pve-root-ca.pem` and
`/etc/pve/priv/pve-root-ca.key`.
NOTE: There is a detailed HOWTO for configuring commercial HTTPS certificates
on the {webwiki-url}HTTPS_Certificate_Configuration_(Version_4.x_and_newer)[wiki],
including setup instructions for obtaining certificates from the popular free
Let's Encrypt certificate authority.
ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]
Reference in New Issue View Git Blame Copy Permalink