NAME
pveproxy - PVE API Proxy Daemon
SYNOPSYS
pveproxy <COMMAND> [ARGS] [OPTIONS]
pveproxy help [<cmd>]
[OPTIONS]
Get help about specified command.
-
<cmd>
string
-
Command name
-
-verbose
boolean
-
Verbose output format.
pveproxy restart
Restart the daemon (or start if not running).
pveproxy start [OPTIONS]
Start the daemon.
-
-debug
boolean
(default=0
) -
Debug mode - stay in foreground
pveproxy status
Get daemon status.
pveproxy stop
Stop the daemon.
DESCRIPTION
This daemon exposes the whole Proxmox VE API on TCP port 8006 using HTTPS. It runs as user www-data and has very limited permissions. Operation requiring more permissions are forwarded to the local pvedaemon.
Requests targeted for other nodes are automatically forwarded to those nodes. This means that you can manage your whole cluster by connecting to a single Proxmox VE node.
Host based Access Control
It is possible to configure "apache2" like access control lists. Values are read from file /etc/default/pveproxy. For example:
ALLOW_FROM="10.0.0.1-10.0.0.5,192.168.0.0/22"
DENY_FROM="all"
POLICY="allow"
IP addresses can be specified using any syntax understood by Net::IP
. The
name all is an alias for 0/0.
The default policy is allow.
Match | POLICY=deny | POLICY=allow |
---|---|---|
Match Allow only |
allow |
allow |
Match Deny only |
deny |
deny |
No match |
deny |
allow |
Match Both Allow & Deny |
deny |
allow |
SSL Cipher Suite
You can define the cipher list in /etc/default/pveproxy, for example
CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
Above is the default. See the ciphers(1) man page from the openssl package for a list of all available options.
Diffie-Hellman Parameters
You can define the used Diffie-Hellman parameters in
/etc/default/pveproxy by setting DHPARAMS
to the path of a file
containing DH parameters in PEM format, for example
DHPARAMS="/path/to/dhparams.pem"
If this option is not set, the built-in skip2048 parameters will be used.
|
DH parameters are only used if a cipher suite utilizing the DH key exchange algorithm is negotiated. |
Alternative HTTPS certificate
By default, pveproxy uses the certificate /etc/pve/local/pve-ssl.pem (and private key /etc/pve/local/pve-ssl.key) for HTTPS connections. This certificate is signed by the cluster CA certificate, and therefor not trusted by browsers and operating systems by default.
In order to use a different certificate and private key for HTTPS, store the server certificate and any needed intermediate / CA certificates in PEM format in the file /etc/pve/local/pveproxy-ssl.pem and the associated private key in PEM format without a password in the file /etc/pve/local/pveproxy-ssl.key.
|
Do not replace the automatically generated node certificate files in /etc/pve/local/pve-ssl.pem/etc/pve/local/pve-ssl.key or the cluster CA files in /etc/pve/pve-root-ca.pem//etc/pve/priv/pve-root-ca.key. |
Copyright and Disclaimer
Copyright © 2007-2016 Proxmox Server Solutions GmbH
This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License along with this program. If not, see http://www.gnu.org/licenses/