In the first two parts of this tutorial we looked first at the initial setup and configuration of Cockpit, then how to add additional hosts.
In this third and final part, we shall put Cockpit behind a reverse proxy.
Scenario
If you have been following this tutorial series you will have Cockpit running on a host and available on port 9090. If you are also running NGINX then you may choose to use that as a ‘reverse proxy’ and have Cockpit available on the common https port 443.
If you are not using a webserver, you could use your firewall to redirect traffic on 443 to 9090.
Configuration
NGINX
Update the configuration of the host (probably /etc/nginx/sites-enabled/default) to be two server blocks as follows.
    server {
        listen 80;
        listen [::]:80;
        server_name www.example.net;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        server_name www.example.net;

        ssl_certificate /etc/letsencrypt/live/www.example.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.example.net/privkey.pem;

        location / {
            # Required to proxy the connection to Cockpit
            proxy_pass http://127.0.0.1:9090;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Required for web sockets to function
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

            # Pass ETag header from Cockpit to clients.
            # See: https://github.com/cockpit-project/cockpit/issues/5239
            gzip off;
        }
    }
Now test your config and reload NGINX:

    root@host0:~# service nginx configtest
    [ ok ] Testing nginx configuration:.
    root@host0:~# service nginx reload
Cockpit
So far, we have not touched a Cockpit configuration file. In fact, Debian does not even create one by default as it is not needed. But here, we will need to create one at /etc/cockpit/cockpit.conf and insert the following text.
    [WebService]
    Origins = https://www.example.net wss://www.example.net
    ProtocolHeader = X-Forwarded-Proto
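ProtocolHeader names the header Cockpit reads to decide whether the client connection used TLS, so Cockpit will serve pages over the unencrypted connection from NGINX when that header is set. Origins lists the origins that are allowed past Cockpit's cross-domain checks. Cockpit cannot tell who set the header, so requests that do not come through NGINX should not be able to reach port 9090.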
Restart Cockpit
    root@host0:~# service cockpit stop && service cockpit start
Testing and cleanup
You can now navigate to your host, and you will no longer need the port 9090 in the URL.
Remember to close port 9090 on your firewall if you only want Cockpit to be available via the NGINX reverse proxy.
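The ProtocolHeader setting and the reminder to close port 9090 belong together: once Cockpit trusts X-Forwarded-Proto, only NGINX should be able to connect to it. The script below is an added example, not part of the original tutorial or the Cockpit project; it reads cockpit.conf and `ss -Htln` output and reports when that header is trusted while 9090 is bound to a non-loopback address. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a Cockpit that trusts a proxy header while its port
# is bound to a non-loopback address. Function names are made up here.

# Print the value of KEY in [SECTION] of an ini-style FILE.
conf_value() {   # conf_value FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { insec = ($1 == sec); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) { sub(/^[^=]*=[ \t]*/, ""); print; exit }
        }' "$1"
}

# Read `ss -Htln` output on stdin; print listeners on PORT that are not loopback.
exposed_listeners() {   # exposed_listeners PORT
    awk -v port="$1" '
        {
            n = match($4, /:[0-9]+$/)     # trailing ":port" of the local address
            if (!n || substr($4, n + 1) != port) next
            host = substr($4, 1, n - 1)
            if (host ~ /^127\./ || host == "[::1]") next
            print $4
        }'
}

# Return 1 when ProtocolHeader is set and PORT is bound beyond loopback.
audit() {   # audit CONF_FILE [PORT], with ss output on stdin
    header=$(conf_value "$1" WebService ProtocolHeader)
    open=$(exposed_listeners "${2:-9090}" | tr '\n' ' ')
    [ -n "$header" ] && [ -n "$open" ] || { echo "OK"; return 0; }
    echo "RISK: $header is trusted, but Cockpit listens on ${open% }"
    return 1
}

# Constructed sample input (not captured from a real host).
SAMPLE_CONF=$(mktemp)
printf '%s\n' '[WebService]' \
    'Origins = https://www.example.net wss://www.example.net' \
    'ProtocolHeader = X-Forwarded-Proto' > "$SAMPLE_CONF"
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:9090 0.0.0.0:*
LISTEN 0 511  0.0.0.0:443    0.0.0.0:*
LISTEN 0 4096 *:9090         *:*'

printf '%s\n' "$SAMPLE_SS" | audit "$SAMPLE_CONF" || true
rm -f "$SAMPLE_CONF"
# On a live host: ss -Htln | audit /etc/cockpit/cockpit.conf
```

The check looks only at bind addresses, so a listener it reports may still be blocked by the firewall rule recommended above.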
Summary
Cockpit is a great admin tool that is easy to install and scale out to other hosts. This tutorial has walked you through the various steps to initially install Cockpit, then extend it to other servers and ultimately put it behind a reverse proxy.