Add DHPARAMS option in /etc/default/pveproxy

If set, Diffie-Hellman parameters in PEM format are loaded
from the given path. Otherwise, the built-in 'skip2048'
group is used.

Also fix some typos in the man page.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Fabian Grünbichler 2016-01-26 15:09:12 +01:00 committed by Dietmar Maurer
parent ee0b96b15f
commit 41196653e1
2 changed files with 25 additions and 4 deletions


@ -210,6 +210,7 @@ sub read_proxy_config {
$shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";'; $shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
$shcmd .= 'echo \"POLICY:\$POLICY\";'; $shcmd .= 'echo \"POLICY:\$POLICY\";';
$shcmd .= 'echo \"CIPHERS:\$CIPHERS\";'; $shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
$shcmd .= 'echo \"DHPARAMS:\$DHPARAMS\";';
my $data = -f $conffile ? `bash -c "$shcmd"` : ''; my $data = -f $conffile ? `bash -c "$shcmd"` : '';
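Review bot: the new echo line follows the existing pattern, but because /etc/default/pveproxy is executed by `bash -c` the DHPARAMS value is shell syntax and reaches this code unvalidated; it would help to state in the man page that the path must be quoted and that the file must be readable by the user pveproxy runs as, since it is loaded when the server starts rather than when the config is parsed.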
@ -230,6 +231,8 @@ sub read_proxy_config {
$res->{$key} = $value; $res->{$key} = $value;
} elsif ($key eq 'CIPHERS') { } elsif ($key eq 'CIPHERS') {
$res->{$key} = $value; $res->{$key} = $value;
} elsif ($key eq 'DHPARAMS') {
$res->{$key} = $value;
} else { } else {
# silently skip everythin else? # silently skip everythin else?
} }
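Review bot: the new `elsif ($key eq 'DHPARAMS')` branch stores the value without checking it, unlike a path that will later be opened; consider testing `-r $value` here and warning (or dying with a clear message) on failure, so a mistyped path is reported at config-read time instead of surfacing as an SSL setup failure in init.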


@ -114,7 +114,6 @@ sub init {
cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5', cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',
key_file => '/etc/pve/local/pve-ssl.key', key_file => '/etc/pve/local/pve-ssl.key',
cert_file => '/etc/pve/local/pve-ssl.pem', cert_file => '/etc/pve/local/pve-ssl.pem',
dh => 'skip2048',
}, },
# Note: there is no authentication for those pages and dirs! # Note: there is no authentication for those pages and dirs!
pages => { pages => {
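Review bot: dropping `dh => 'skip2048'` from the literal leaves the ssl hash with neither `dh` nor `dh_file` until the conditional further down in the same function; a short comment at this spot saying that the DH setting is assigned after the hash is built (depending on DHPARAMS) would keep a reader from thinking DH was removed entirely.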
@ -126,6 +125,12 @@ sub init {
}, },
dirs => $dirs, dirs => $dirs,
}; };
if ($proxyconf->{DHPARAMS}) {
$self->{server_config}->{ssl}->{dh_file} = $proxyconf->{DHPARAMS};
} else {
$self->{server_config}->{ssl}->{dh} = 'skip2048';
}
} }
sub run { sub run {
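Review bot: in the `if ($proxyconf->{DHPARAMS})` branch there is no fallback when the configured file is missing or unreadable, so a stale path silently replaces the working built-in group with a broken one; consider checking `-r $proxyconf->{DHPARAMS}` and either dying with the path in the message or warning and falling back to `dh => 'skip2048'`, matching whichever behaviour the man page documents.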
@ -242,7 +247,7 @@ from file /etc/default/pveproxy. For example:
DENY_FROM="all" DENY_FROM="all"
POLICY="allow" POLICY="allow"
IP addresses can be specified using any syntax understoop by Net::IP. The IP addresses can be specified using any syntax understood by Net::IP. The
name 'all' is an alias for '0/0'. name 'all' is an alias for '0/0'.
The default policy is 'allow'. The default policy is 'allow'.
@ -256,12 +261,25 @@ The default policy is 'allow'.
=head1 SSL Cipher Suite =head1 SSL Cipher Suite
You can define the chiper list in /etc/default/pveproxy, for example You can define the cipher list in /etc/default/pveproxy, for example
CIPHERS="HIGH:MEDIUM:!aNULL:!MD5" CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
Above is the default. See the ciphers(1) man page from the openssl Above is the default. See the ciphers(1) man page from the openssl
package for list of all available options. package for a list of all available options.
=head1 Diffie-Hellman Parameters
You can define the used Diffie-Hellman parameters in /etc/default/pveproxy
by setting DHPARAMS to the path of a file containing DH parameters in PEM
format, for example
DHPARAMS="/path/to/dhparams.pem"
If this option is not set, the built-in 'skip2048' parameters will be used.
Note: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.
=head1 FILES =head1 FILES
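Review bot: the new Diffie-Hellman section tells the admin what to set but not how to produce the file; adding a one-line hint such as `openssl dhparam -out /path/to/dhparams.pem 2048` and stating that parameters smaller than 2048 bits should not be used (the built-in default is a 2048-bit group, as the name 'skip2048' indicates) would make the option self-explanatory. The note that DH parameters only matter when a DH key-exchange cipher suite is negotiated is useful; it could also mention that this depends on the CIPHERS setting documented in the previous section.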