computing:cockpit

Differences

This shows you the differences between two versions of the page.

computing:cockpit [2026/03/29 19:35] oemb1905computing:cockpit [2026/03/30 16:49] (current) oemb1905
Line 11: Line 11:
 ------------------------------------------- -------------------------------------------
  
-This tutorial covers how to set up Cockpit on Debian. The approach here assumes that Cockpit will be installed on bare metal being used in production, with only ssh exposed. This tutorial assumes you already have a sufficiently hardened and provisioned VPS/VM w/ a LAMP stack and some associated A/AAAA records ready to go. If not, go read [[http://example.com|Apache Survival]] first and come back. If you are ready to go, then this tutorial will cover:+=== Introduction === 
 +This tutorial covers how to set up Cockpit on Debian. The approach here assumes that Cockpit will be installed on bare metal being used in production, with only ssh exposed. This tutorial assumes you already have a sufficiently hardened and provisioned VPS/VM w/ a LAMP stack and some associated A/AAAA records ready to go. If not, go read [[https://wiki.haacksnetworking.org/doku.php?id=computing:apachesurvival|Apache Survival]] first and come back. If you are ready to go, then this tutorial will cover:
  
-  * Unordered List ItemInstallation of Cockpit + Preferred Packages+  * Installation of Cockpit + Preferred Packages
   * Setup of Apache Reverse Proxy; including setup for "with" and "without" 80/443 exposed/listening   * Setup of Apache Reverse Proxy; including setup for "with" and "without" 80/443 exposed/listening
   * Localhost w/ FoxyProxy   * Localhost w/ FoxyProxy
   * Official Cockpit Flatpak   * Official Cockpit Flatpak
  
-Introduction +=== Install Cockpit & Configure Apache ===
 Let's install cockpit and then create an apache virtual host for it. After that, we will cut the cert, then swap the vhost configs with the reverse proxy config. Let's enable TLS modules and headers. Let's install cockpit and then create an apache virtual host for it. After that, we will cut the cert, then swap the vhost configs with the reverse proxy config. Let's enable TLS modules and headers.
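
Review bot: The new "Introduction" paragraph still describes two different targets: its second sentence says Cockpit goes on "bare metal being used in production, with only ssh exposed", while the third assumes "a sufficiently hardened and provisioned VPS/VM w/ a LAMP stack and some associated A/AAAA records". Pick one description of the host, or say explicitly that the bare-metal host is the one being provisioned this way. The "only ssh exposed" claim also sits awkwardly next to the context line under the new "Install Cockpit & Configure Apache" heading, which cuts a cert and enables TLS on an Apache vhost; it would help to say here that 80/443 are open during setup and closed later. Separately, the bullet list promises "Setup of Apache Reverse Proxy", "Localhost w/ FoxyProxy" and "Official Cockpit Flatpak", but the new heading names match none of them, so consider aligning the heading text with the list so readers can find each item.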
  
Line 94: Line 94:
 This instructs Cockpit's internal web socket system to trust the domain/origin and the web socket reverse proxy that we configured in apache. Restart the server or minimally restart cockpit+apache. Once they are restarted and their status healthy, navigate to ''domain.com'' in a browser and it should redirect to TLS and show the Cockpit landing page. If not, trace over the steps above and fix your work before proceeding.  This instructs Cockpit's internal web socket system to trust the domain/origin and the web socket reverse proxy that we configured in apache. Restart the server or minimally restart cockpit+apache. Once they are restarted and their status healthy, navigate to ''domain.com'' in a browser and it should redirect to TLS and show the Cockpit landing page. If not, trace over the steps above and fix your work before proceeding. 
  
-Topic 2 - Access and Hardening+=== Discussion on Access to Cockpit ===
  
-There's a lot of debate about whether production servers that run virtualized services (VMs, containers, etc.) should be publicly exposed. The most common choice, however, is retaining ssh access and locking everything else down. That is80/443 will be closed. At first, this might seem counter-intuitive ... why would we close the ports for the reverse proxy we just set up? The answer is easy ... run everything through ssh! So, let's close down the host's ports:+There's a lot of debate about whether production servers that run virtualized services (VMs, containers, etc.) should be publicly exposed. Now, if you fully trust your server and Cockpit's web auth, no need to continue. For most folks, however, retaining ssh access and locking everything else down is usually the go to ... meaning that 80/443 will be closed. At first, this might seem counter-intuitive ... why would we close the ports for the reverse proxy and/or web service we just set up? The answer is easy ... run everything through ssh and access it "locally"! So, let's close down the host's ports:
  
   sudo apt install ufw   sudo apt install ufw
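
Review bot: The added sentence "if you fully trust your server and Cockpit's web auth, no need to continue" frames the exposure decision as a matter of trust without saying what stays reachable, so a reader can stop here without knowing what they have accepted. Suggest stating the trade-off concretely: with 80/443 left open, the Cockpit login page is reachable from the internet through the reverse proxy; with them closed, ssh is the only exposed service. The phrase "access it "locally"" should also name the method, since the introduction lists "Localhost w/ FoxyProxy" and this paragraph never connects the two. The heading rename drops "Hardening" even though the section goes straight on to install ufw and close ports, so the new title "Discussion on Access to Cockpit" undersells that it contains firewall steps. Finally, the text does not say how the certificate cut in the earlier section is renewed once 80/443 are closed; a sentence on that would save readers a surprise.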
computing/cockpit.1774812944.txt.gz · Last modified: by oemb1905