Proxying Cockpit over NGINX

Florent Thiery edited this page Sep 14, 2017 · 10 revisions

Cockpit uses a WebSocket combined with an HTTP/HTTPS interface; the WebSocket delivers active content back and forth between client and server. When a proxy sits in between, it needs to be configured accordingly.

To proxy Cockpit over NGINX, create a server virtual block (here is a reference guide) and add the following lines to it. This config covers one specific setup; read the description below to adapt it to your own needs.

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

upstream websocket {
    server 127.0.0.1:9090;
}

server {
    listen         80;
    server_name    cockpit.domain.tld www.cockpit.domain.tld;
    return         301 https://$server_name$request_uri;
}

server {
    # "ssl on;" is obsolete since nginx 1.15.0 and removed in 1.25.1; enable TLS on the listen directive
    listen 443 ssl;
    server_name www.cockpit.domain.tld cockpit.domain.tld;

    ssl_certificate /path/to/certificate;
    ssl_certificate_key /path/to/key;

    location / {
        proxy_pass http://127.0.0.1:9090;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        # needed for websocket
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # change scheme of "Origin" to http
        # (this replaces the Origin header the browser sent, so Cockpit only ever sees this value)
        proxy_set_header Origin http://$host;

        # Pass ETag header from cockpit to clients.
        # See: https://github.com/cockpit-project/cockpit/issues/5239
        gzip off;
    }
}

By default, Cockpit uses the HTTP protocol to connect to localhost. Since our proxy would likely reside on localhost, we redirect all HTTP client requests to HTTPS:

return 301 https://$server_name$request_uri;

By default, Cockpit generates an SSL certificate, which is stored in /etc/cockpit/ws-certs.d/. In our case, we use NGINX to do all the TLS encryption work. Edit these lines to point to your own SSL certificate and key:

ssl_certificate /path/to/certificate;
ssl_certificate_key /path/to/key;

Here is how to generate our self-signed SSL certificate.

This enables us to reach Cockpit via this proxy host.

If you need to serve Cockpit under a different URL (e.g. /my-custom-url), you need to define it in the /etc/cockpit/cockpit.conf file:

[WebService]
AllowUnencrypted=true
UrlRoot=/my-custom-url/
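
The location block above overwrites the Origin header so that Cockpit, which only sees plain HTTP on 127.0.0.1:9090, accepts requests the browser made over HTTPS. The following is an added example, not part of the original page: it leaves the browser's Origin intact and forwards the client-facing scheme instead. It assumes a Cockpit version that supports the Origins and ProtocolHeader options in cockpit.conf, and reuses the page's placeholder host cockpit.domain.tld.

```nginx
# nginx: replaces the "location /" block inside the port 443 server block above
location / {
    proxy_pass http://127.0.0.1:9090;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;

    # Tell Cockpit which scheme the client used, instead of rewriting Origin.
    proxy_set_header X-Forwarded-Proto $scheme;

    # needed for websocket
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    # No "proxy_set_header Origin ..." line here: the Origin sent by the
    # browser reaches Cockpit unchanged, so Cockpit can reject WebSocket
    # requests that come from a page on another site.

    # Pass ETag header from cockpit to clients.
    gzip off;
}

# Counterpart in /etc/cockpit/cockpit.conf (shown as comments to keep one block):
#   [WebService]
#   Origins = https://cockpit.domain.tld wss://cockpit.domain.tld
#   ProtocolHeader = X-Forwarded-Proto
```

Reload NGINX and restart Cockpit after changing both files.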