[pve-devel] [PATCH docs] pveproxy: document newly added options

Fabian Grünbichler f.gruenbichler at proxmox.com
Fri Dec 17 13:57:33 CET 2021

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
 pveproxy.adoc | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/pveproxy.adoc b/pveproxy.adoc
index 4696d66..8fc6195 100644
--- a/pveproxy.adoc
+++ b/pveproxy.adoc
@@ -117,9 +117,11 @@ effect.
 SSL Cipher Suite
-You can define the cipher list in `/etc/default/pveproxy`, for example
+You can define the cipher list in `/etc/default/pveproxy` via the `CIPHERS`
+(TLS <= 1.2) and `CIPHERSUITES` (TLS >= 1.3) keys. For example
 Above is the default. See the ciphers(1) man page from the openssl
 package for a list of all available options.
@@ -131,6 +133,25 @@ both client and `pveproxy`):
+Supported TLS versions
+The insecure SSL versions 2 and 3 are unconditionally disabled for pveproxy.
+TLS versions below 1.1 are disabled by default on recent OpenSSL versions,
+which is honored by `pveproxy` (see `/etc/ssl/openssl.cnf`).
+To disable TLS version 1.2 or 1.3, set the following in `/etc/default/pveproxy`:
+or, respectively:
+NOTE: Unless there is a specific reason to do so, it is not recommended to
+manually adjust the supported TLS versions.
 Diffie-Hellman Parameters
@@ -157,6 +178,13 @@ pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
 `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
 The private key may not use a passphrase.
+It is possible to override the location of the certificate private key by
+setting `TLS_KEY_FILE` in `/etc/default/pveproxy`, for example:
+ TLS_KEY_FILE="/secrets/pveproxy.key"
+NOTE: The included ACME integration does not honor this setting.
 See the Host System Administration chapter of the documentation for details.

More information about the pve-devel mailing list