Deploying Cockpit on Debian – Part 3

In the first two parts of this tutorial we looked first at the initial setup and configuration of Cockpit, then how to add additional hosts.

In this third and final part, we shall put Cockpit behind a reverse proxy.


If you have been following this tutorial series you will have Cockpit running on a host and available on port 9090. If you are also running NGINX then you may choose to use that as a ‘reverse proxy’ and have Cockpit available on the common https port 443.

If you are not using a webserver, you could use your firewall to redirect traffic on 443 to 9090.



Update the configuration of the host (probably /etc/nginx/sites-enabled/default) to be two server blocks as follows.

server {
    listen 80;
    listen [::]:80;
    return 301 https://$server_name$request_uri;

server {     
    listen         443 ssl;     

    ssl_certificate /etc/letsencrypt/live/;
   ssl_certificate_key /etc/letsencrypt/live/;

    location / {         
        # Required to proxy the connection to Cockpit                 
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for web sockets to function 
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass ETag header from Cockpit to clients.
        # See:         
        gzip off;

Now test your config and reload NGINX

root@host0:~# service nginx configtest
[ ok ] Testing nginx configuration:.

root@host0:~# service nginx reload


So far, we have not touched a Cockpit configuration file. In fact, Debian does not even create one by default as it is not needed. But here, we will need to create one at /etc/cockpit/cockpit.conf and insert the following text.

Origins = wss://
ProtocolHeader = X-Forwarded-Proto

This allows Cockpit to serve unencrypted pages if the header is set, and bypasses the cross-domain checks for the origin.

Restart Cockpit

 root@host0:~# service cockpit stop && service cockpit start

Testing and cleanup

You an now navigate to your host, but you will no longer need the port 9090 in the URL.

Remember to close port 9090 on your firewall if you only want Cockpit to be available via the NGINX reverse proxy.


Cockpit is a great admin tool that is easy to install and scale out to other hosts. This tutorial has walked you through the various steps to initially install Cockpit, then extend it to other servers and ultimately put behind a reverse proxy.