@DRRDietrich
Created August 18, 2020 12:14
Cockpit Apache Virtual Host

Cockpit uses a WebSocket alongside its HTTP/HTTPS interface; the WebSocket delivers active content back and forth between client and server. When a proxy sits in between, it needs to be configured accordingly.

We will need to create a virtual host, give the virtual host a domain name, install a TLS/SSL certificate and set up a reverse proxy. (instructions adapted from here and here)

Set up Apache Virtual Host

Install Apache web server with the following command:

sudo apt install apache2

Run the following command to create an Apache virtual host file. Replace the domain name with your actual domain name for Cockpit. Don’t forget to create an A record for this domain name.

sudo nano /etc/apache2/sites-available/cockpit.your-domain.com.conf

Put the following text into the file.

<VirtualHost *:80>
 ServerName cockpit.your-domain.com
</VirtualHost>

Save and close the file. Enable this virtual host with the following command:

sudo a2ensite cockpit.your-domain.com.conf

Then restart Apache.

sudo systemctl restart apache2

TLS/SSL certificate with Let's Encrypt

HTTPS helps us prevent man-in-the-middle attacks and password sniffing. We can obtain a free TLS/SSL certificate from the Let’s Encrypt CA. First, let’s install the certbot client. The client is still named letsencrypt in the Ubuntu repository. The following command will install the client and the Apache plugin.

sudo apt install letsencrypt python-letsencrypt-apache

Now issue the following command to obtain a free TLS/SSL certificate. Replace the text with your actual data.

sudo letsencrypt --apache --agree-tos --email YOUR-EMAIL-ADDRESS -d COCKPIT.YOUR-DOMAIN.COM

You will be asked to choose easy or secure. It’s recommended to choose secure so that all http requests will be redirected to https.

Once you hit the OK button, a free TLS/SSL certificate is obtained and installed on the Apache virtual host.

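Now copy the certificate chain and the private key into the Cockpit certificate folder using the following commands (run them as root, since the files under /etc/letsencrypt/live are readable only by root). The first command overwrites the target file, so that a renewal does not leave the old certificate in front of the new one; the second appends the key:

cat /etc/letsencrypt/live/cockpit.your-domain.com/fullchain.pem > /etc/cockpit/ws-certs.d/1-my-cert.cert

cat /etc/letsencrypt/live/cockpit.your-domain.com/privkey.pem >> /etc/cockpit/ws-certs.d/1-my-cert.cert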

You will need to do this every time the certificate gets renewed (every 3 months).
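
The renewal step above can be automated with a certbot deploy hook. The script below is an added example, not part of the original gist; it assumes a certbot version that runs hooks from /etc/letsencrypt/renewal-hooks/deploy/, and the function name build_cockpit_cert and the COCKPIT_CERT_GROUP variable are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original gist: a certbot deploy hook.
# certbot runs executables in /etc/letsencrypt/renewal-hooks/deploy/ after each
# successful renewal and sets RENEWED_LINEAGE to the renewed live/<domain> dir.

# build_cockpit_cert LIVE_DIR OUT_FILE [GROUP]
# Rebuilds OUT_FILE as fullchain.pem followed by privkey.pem.
build_cockpit_cert() {
    live_dir=$1
    out_file=$2
    group=${3:-}

    # Both inputs must exist and be non-empty, or the old bundle is left alone.
    [ -s "$live_dir/fullchain.pem" ] || return 1
    [ -s "$live_dir/privkey.pem" ] || return 1

    # mktemp creates the file with mode 0600, so the key is never world-readable;
    # creating it beside OUT_FILE makes the final mv an atomic rename.
    tmp=$(mktemp "$out_file.XXXXXX") || return 1

    if cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$tmp" &&
       { [ -z "$group" ] || { chgrp "$group" "$tmp" && chmod 640 "$tmp"; }; } &&
       mv -f "$tmp" "$out_file"
    then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Hook body: runs only when certbot has renewed the Cockpit domain's certificate.
# COCKPIT_CERT_GROUP is a hypothetical variable: set it only if your Cockpit
# version needs group read access to the bundle; otherwise the file stays 0600.
case "${RENEWED_LINEAGE:-}" in
    */cockpit.your-domain.com)
        build_cockpit_cert "$RENEWED_LINEAGE" \
            /etc/cockpit/ws-certs.d/1-my-cert.cert "${COCKPIT_CERT_GROUP:-}" &&
            systemctl restart cockpit.service
        ;;
esac
```

Unlike the manual `cat` commands, the bundle is replaced in one rename, so Cockpit never reads a file that contains the certificate but not yet the key.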

Set up Apache Reverse Proxy

To be able to proxy traffic using Apache, run the following commands to enable each of these Apache modules.

sudo a2enmod proxy proxy_wstunnel proxy_http ssl rewrite

Then run the following command to edit the new virtual host file created by Let’s Encrypt (certbot) client.

sudo nano /etc/apache2/sites-enabled/cockpit.your-domain.com-le-ssl.conf

Change this file so it looks like the following.

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName cockpit.your-domain.com
  SSLCertificateFile /etc/letsencrypt/live/cockpit.your-domain.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/cockpit.your-domain.com/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf

  ProxyPreserveHost On
  ProxyRequests Off

  # allow for upgrading to websockets
  RewriteEngine On
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /(.*)           ws://127.0.0.1:9090/$1 [P,L]
  RewriteCond %{HTTP:Upgrade} !=websocket [NC]
  RewriteRule /(.*)           http://127.0.0.1:9090/$1 [P,L]

  # Proxy to your local cockpit instance
  ProxyPass / http://127.0.0.1:9090/
  ProxyPassReverse / http://127.0.0.1:9090/

</VirtualHost>
</IfModule>

Save and close the file. Then restart Apache web server.

sudo systemctl restart apache2

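Make sure /etc/cockpit/cockpit.conf includes the following. AllowUnencrypted = true is needed because Apache forwards requests to Cockpit over plain HTTP on 127.0.0.1:9090; with it set, Cockpit also accepts unencrypted connections from any other client that can reach port 9090, so keep that port closed to the network: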

[WebService]
Origins = https://cockpit.your-domain.com http://127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true

Restart Cockpit:

sudo systemctl restart cockpit.service

You can now log in to Cockpit using your browser.

@DRRDietrich
Author

forked from cockpit-project
