Commit 787217cd authored by Dietmar Maurer's avatar Dietmar Maurer

allow configuring the cipher list for pveproxy

parent d7644255
...@@ -201,6 +201,7 @@ sub read_proxy_config { ...@@ -201,6 +201,7 @@ sub read_proxy_config {
$shcmd .= 'echo \"ALLOW_FROM:\$ALLOW_FROM\";'; $shcmd .= 'echo \"ALLOW_FROM:\$ALLOW_FROM\";';
$shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";'; $shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
$shcmd .= 'echo \"POLICY:\$POLICY\";'; $shcmd .= 'echo \"POLICY:\$POLICY\";';
$shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
my $data = -f $conffile ? `bash -c "$shcmd"` : ''; my $data = -f $conffile ? `bash -c "$shcmd"` : '';
...@@ -218,6 +219,8 @@ sub read_proxy_config { ...@@ -218,6 +219,8 @@ sub read_proxy_config {
} elsif ($key eq 'POLICY') { } elsif ($key eq 'POLICY') {
die "unknown policy '$value'\n" if $value !~ m/^(allow|deny)$/; die "unknown policy '$value'\n" if $value !~ m/^(allow|deny)$/;
$res->{$key} = $value; $res->{$key} = $value;
} elsif ($key eq 'CIPHERS') {
$res->{$key} = $value;
} else { } else {
# silently skip everythin else? # silently skip everythin else?
} }
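Review bot: The new CIPHERS branch stores `$value` unchecked, while the POLICY branch directly above it dies on anything unexpected; an OpenSSL cipher list has a small alphabet (cipher names plus `:`, `!`, `-`, `+`, `@` and `=`), so a sanity check would catch quoting leftovers or stray whitespace before the string reaches the SSL layer, e.g. `die "invalid cipher list '$value'\n" if $value !~ m/^[\w:!+\-@=.]+$/;`. A short comment on that line would also help, noting that OpenSSL skips unknown cipher names inside an otherwise valid list rather than rejecting them, so a typo only surfaces when nothing matches at all. The value is whatever the `bash -c` echo in the earlier hunk produced from the sourced file, so any quote handling presumably happens in the parsing code that is not shown here. read_proxy_config begins before and continues past this hunk.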
...@@ -92,7 +92,7 @@ eval { ...@@ -92,7 +92,7 @@ eval {
logfile => '/var/log/pveproxy/access.log', logfile => '/var/log/pveproxy/access.log',
lockfile => $lockfile, lockfile => $lockfile,
ssl => { ssl => {
cipher_list => 'HIGH:MEDIUM:!aNULL:!MD5', cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',
key_file => '/etc/pve/local/pve-ssl.key', key_file => '/etc/pve/local/pve-ssl.key',
cert_file => '/etc/pve/local/pve-ssl.pem', cert_file => '/etc/pve/local/pve-ssl.pem',
}, },
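Review bot: The fallback on the cipher_list line keeps `HIGH:MEDIUM:!aNULL:!MD5` as the default, and in the OpenSSL releases contemporary with this code the MEDIUM group still admits RC4 and 3DES suites, so an installation that never sets CIPHERS keeps those negotiable; consider `cipher_list => $proxyconf->{CIPHERS} || 'HIGH:!aNULL:!MD5:!RC4',` as the shipped default, and dropping 3DES the same way once the supported clients allow it. A CIPHERS value matching no cipher at all is passed through unchanged, and whether that is reported at startup or degrades silently depends on how the server class reacts to a failed cipher-list setup, which is not visible here; worth confirming and mentioning in the POD. The eval block enclosing this configuration starts before the hunk.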
...@@ -288,6 +288,15 @@ The default policy is 'allow'. ...@@ -288,6 +288,15 @@ The default policy is 'allow'.
No match | deny | allow No match | deny | allow
Match Both Allow & Deny | deny | allow Match Both Allow & Deny | deny | allow
=head1 SSL Cipher Suite
You can define the chiper list in /etc/default/pveproxy, for example
CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
Above is the default. See the ciphers(1) man page from the openssl
package for list of all available options.
=head1 FILES =head1 FILES
/etc/default/pveproxy /etc/default/pveproxy