2016-04-10 10:33:40 +02:00
ifdef::manvolnum[]
2016-10-14 08:51:43 +02:00
pveproxy(8)
===========
2016-10-14 06:49:09 +02:00
:pve-toplevel:
2016-04-10 10:33:40 +02:00
NAME
----
pveproxy - PVE API Proxy Daemon
2016-10-06 15:12:49 +02:00
SYNOPSIS
2016-04-10 10:33:40 +02:00
--------
include::pveproxy.8-synopsis.adoc[]
DESCRIPTION
-----------
endif::manvolnum[]
ifndef::manvolnum[]
2016-10-06 15:01:52 +02:00
pveproxy - Proxmox VE API Proxy Daemon
======================================
2016-04-10 10:33:40 +02:00
endif::manvolnum[]
2023-03-13 10:43:20 +01:00
This daemon exposes the whole {pve} API on TCP port 8006 using HTTPS. It runs
as user `www-data` and has very limited permissions. Operation requiring more
permissions are forwarded to the local `pvedaemon`.
2016-04-10 10:33:40 +02:00
2023-03-13 10:43:20 +01:00
Requests targeted for other nodes are automatically forwarded to those nodes.
This means that you can manage your whole cluster by connecting to a single
{pve} node.
2016-04-10 10:33:40 +02:00
2023-03-13 10:43:20 +01:00
[[pveproxy_host_acls]]
2016-04-10 10:47:52 +02:00
Host based Access Control
-------------------------
2023-03-13 10:43:20 +01:00
It is possible to configure ``apache2''-like access control lists. Values are
read from file `/etc/default/pveproxy`. For example:
2016-04-10 10:47:52 +02:00
----
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
----
IP addresses can be specified using any syntax understood by `Net::IP`. The
2021-05-05 16:36:29 +02:00
name `all` is an alias for `0/0` and `::/0` (meaning all IPv4 and IPv6
addresses).
2016-04-10 10:47:52 +02:00
2016-09-27 10:58:50 +02:00
The default policy is `allow`.
2016-04-10 10:47:52 +02:00
[width="100%",options="header"]
|===========================================================
| Match | POLICY=deny | POLICY=allow
| Match Allow only | allow | allow
| Match Deny only | deny | deny
| No match | deny | allow
| Match Both Allow & Deny | deny | allow
|===========================================================
2023-03-13 10:43:20 +01:00
[[pveproxy_listening_address]]
Listening IP Address
--------------------
2021-04-23 17:58:14 +02:00
2021-05-05 16:36:28 +02:00
By default the `pveproxy` and `spiceproxy` daemons listen on the wildcard
address and accept connections from both IPv4 and IPv6 clients.
2021-05-07 19:01:21 +02:00
2021-04-23 17:58:14 +02:00
By setting `LISTEN_IP` in `/etc/default/pveproxy` you can control to which IP
2021-04-24 19:40:21 +02:00
address the `pveproxy` and `spiceproxy` daemons bind. The IP-address needs to
be configured on the system.
2021-04-23 17:58:14 +02:00
2021-05-07 19:01:21 +02:00
Setting the `sysctl` `net.ipv6.bindv6only` to the non-default `1` will cause
the daemons to only accept connection from IPv6 clients, while usually also
causing lots of other issues. If you set this configuration we recommend to
either remove the `sysctl` setting, or set the `LISTEN_IP` to `0.0.0.0` (which
will only allow IPv4 clients).
`LISTEN_IP` can be used to only to restricting the socket to an internal
interface and thus have less exposure to the public internet, for example:
2021-04-23 17:58:14 +02:00
2021-04-28 15:42:24 +02:00
----
LISTEN_IP="192.0.2.1"
----
2021-04-23 17:58:14 +02:00
2021-04-28 15:42:24 +02:00
Similarly, you can also set an IPv6 address:
2021-04-23 17:58:14 +02:00
2021-04-28 15:42:24 +02:00
----
LISTEN_IP="2001:db8:85a3::1"
----
2021-04-28 15:42:58 +02:00
Note that if you want to specify a link-local IPv6 address, you need to provide
the interface name itself. For example:
----
LISTEN_IP="fe80::c463:8cff:feb9:6a4e%vmbr0"
----
2021-04-23 17:58:14 +02:00
2021-04-24 19:40:21 +02:00
WARNING: The nodes in a cluster need access to `pveproxy` for communication,
possibly on different sub-nets. It is **not recommended** to set `LISTEN_IP` on
clustered systems.
2021-04-23 17:58:14 +02:00
2021-04-28 15:43:37 +02:00
To apply the change you need to either reboot your node or fully restart the
`pveproxy` and `spiceproxy` service:
----
systemctl restart pveproxy.service spiceproxy.service
----
NOTE: Unlike `reload`, a `restart` of the pveproxy service can interrupt some
long-running worker processes, for example a running console or shell from a
virtual guest. So, please use a maintenance window to bring this change in
effect.
2021-05-05 16:36:28 +02:00
2016-04-10 10:47:52 +02:00
SSL Cipher Suite
----------------
2021-12-17 13:57:33 +01:00
You can define the cipher list in `/etc/default/pveproxy` via the `CIPHERS`
(TLS <= 1.2) and `CIPHERSUITES` (TLS >= 1.3) keys. For example
2016-04-10 10:47:52 +02:00
2018-10-15 15:01:08 +02:00
CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
2021-12-17 13:57:33 +01:00
CIPHERSUITES="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
2016-04-10 10:47:52 +02:00
Above is the default. See the ciphers(1) man page from the openssl
package for a list of all available options.
2021-04-29 13:09:07 +02:00
Additionally, you can set the client to choose the cipher used in
2019-02-19 19:18:45 +01:00
`/etc/default/pveproxy` (default is the first cipher in the list available to
both client and `pveproxy`):
HONOR_CIPHER_ORDER=0
2016-04-10 10:47:52 +02:00
2021-12-17 13:57:33 +01:00
Supported TLS versions
----------------------
The insecure SSL versions 2 and 3 are unconditionally disabled for pveproxy.
TLS versions below 1.1 are disabled by default on recent OpenSSL versions,
which is honored by `pveproxy` (see `/etc/ssl/openssl.cnf`).
To disable TLS version 1.2 or 1.3, set the following in `/etc/default/pveproxy`:
DISABLE_TLS_1_2=1
or, respectively:
DISABLE_TLS_1_3=1
NOTE: Unless there is a specific reason to do so, it is not recommended to
manually adjust the supported TLS versions.
2016-04-10 10:47:52 +02:00
Diffie-Hellman Parameters
-------------------------
You can define the used Diffie-Hellman parameters in
2016-09-27 10:58:50 +02:00
`/etc/default/pveproxy` by setting `DHPARAMS` to the path of a file
2016-04-10 10:47:52 +02:00
containing DH parameters in PEM format, for example
DHPARAMS="/path/to/dhparams.pem"
2016-09-27 10:58:50 +02:00
If this option is not set, the built-in `skip2048` parameters will be
2016-04-10 10:47:52 +02:00
used.
NOTE: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.
2023-03-13 10:43:20 +01:00
[[pveproxy_custom_tls_cert]]
2016-04-15 13:16:03 +02:00
Alternative HTTPS certificate
-----------------------------
2018-05-11 14:10:35 +02:00
You can change the certificate used to an external one or to one obtained via
2018-05-09 18:56:21 +02:00
ACME.
pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
`/etc/pve/local/pveproxy-ssl.key`, if present, and falls back to
`/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
The private key may not use a passphrase.
2022-01-18 12:24:22 +01:00
It is possible to override the location of the certificate private key
`/etc/pve/local/pveproxy-ssl.key` by setting `TLS_KEY_FILE` in
`/etc/default/pveproxy`, for example:
2021-12-17 13:57:33 +01:00
TLS_KEY_FILE="/secrets/pveproxy.key"
NOTE: The included ACME integration does not honor this setting.
2018-05-09 18:56:21 +02:00
See the Host System Administration chapter of the documentation for details.
2016-10-06 12:32:13 +02:00
2023-03-13 10:43:20 +01:00
[[pveproxy_response_compression]]
Response Compression
--------------------
2019-02-19 19:18:45 +01:00
By default `pveproxy` uses gzip HTTP-level compression for compressible
content, if the client supports it. This can disabled in `/etc/default/pveproxy`
COMPRESSION=0
2016-04-10 10:33:40 +02:00
ifdef::manvolnum[]
include::pve-copyright.adoc[]
endif::manvolnum[]
