----
  * **cockpit**
  * **Jonathan Haack**
  * **Haack's Networking**
  * **webmaster@haacksnetworking.org**
----

//cockpit//

----

This tutorial covers how to set up an Apache reverse proxy for cockpit. It is used in conjunction with ufw, which limits connections to designated source IPs. This configuration of cockpit does not use NetworkManager. First, let's install cockpit from backports:

<code bash>
. /etc/os-release
echo "deb http://deb.debian.org/debian ${VERSION_CODENAME}-backports main" > \
    /etc/apt/sources.list.d/backports.list
apt update
apt install -t ${VERSION_CODENAME}-backports cockpit
apt remove network-manager
apt autoremove
apt install cockpit-machines
</code>

Now that cockpit is installed, let's make sure the firewall is set up to allow requests from the host itself (needed for Let's Encrypt requests) and from trusted source IPs of your choosing. The rules below are shown with the source address after ''from'' left for you to fill in:

<code bash>
ufw allow from to any port 80
ufw allow from to any port 443
ufw allow from to any port 80
ufw allow from to any port 443
ufw allow from to any port 9090
ufw allow from to any proto udp port 1194
ufw allow from to any proto tcp port 22
</code>

The above firewall rules will differ depending on one's setup, and there are certainly other ways to do this. Once this is done, let's set up Apache to serve cockpit to the trusted IPs:

<code bash>
sudo apt install apache2
sudo a2enmod proxy_http
sudo a2enmod proxy
sudo a2enmod rewrite
sudo a2enmod ssl
sudo a2enmod headers
sudo nano /etc/apache2/sites-available/000-default.conf
sudo a2ensite 000-default.conf
sudo apache2ctl configtest
</code>

Once the host serves http requests without any issues, it's time to set up TLS.
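The firewall rules above bind each port to a designated source address; the mistake worth catching is a rule that leaves cockpit's own port 9090 open to ''Anywhere'', which would bypass both the proxy and the IP restriction. The following script is an added example and not part of this tutorial: it reads ''ufw status'' output on stdin (a constructed sample is embedded, with addresses from documentation ranges) and flags any rule for the given ports whose source is Anywhere.

```shell
#!/bin/sh
# Added example (not part of the tutorial): audit `ufw status` output for rules
# that expose the given ports to Anywhere rather than to a designated source IP.
# The sample below is constructed; addresses come from documentation ranges.

SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       203.0.113.10
443/tcp                    ALLOW       203.0.113.10
9090                       ALLOW       Anywhere
22/tcp                     ALLOW       203.0.113.10
9090 (v6)                  ALLOW       Anywhere (v6)
'

# Read `ufw status` text on stdin; print one EXPOSED line per rule whose
# source is Anywhere and whose port is among the arguments. Returns 0 when
# nothing is exposed, 1 otherwise.
find_open_rules() {
    ports="$*"
    found=0
    while IFS= read -r line; do
        case "$line" in
            Status:*|To*|--*|"") continue ;;   # header and separator lines
            *Anywhere*) ;;                    # candidate: unrestricted source
            *) continue ;;                    # restricted to a specific source
        esac
        # Split the rule on whitespace (intended); field 1 is "port" or "port/proto".
        set -- $line
        port=${1%%/*}
        for p in $ports; do
            if [ "$port" = "$p" ]; then
                printf 'EXPOSED: %s\n' "$line"
                found=1
            fi
        done
    done
    return $found
}

# Stand-alone run against the constructed sample. On a host, pipe the live
# output instead:  ufw status | sh audit_ufw.sh --live
if [ "${1:-}" = "--live" ]; then
    find_open_rules 9090 80 443
else
    printf '%s\n' "$SAMPLE_UFW_STATUS" | find_open_rules 9090 80 443 \
        || echo "sample rules expose cockpit beyond the designated source IPs"
fi
```

Run against the sample, the script reports the two 9090 rules (IPv4 and IPv6) and exits non-zero; ports that are only allowed from a specific address are not reported.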
I prefer to use Let's Encrypt as follows:

<code bash>
sudo apt install certbot letsencrypt python3-certbot-apache
sudo certbot --authenticator standalone --installer apache -d fqdn.com \
    --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"
</code>

Once the host serves https requests without any issues, it's time to replace the virtual host you set up above with a reverse proxy configuration. You will also need to delete the virtual host that Let's Encrypt set up, as it will no longer be necessary:

<code bash>
cd /etc/apache2/sites-enabled
rm 000-default-le-ssl.conf   # name might differ
sudo nano 000-default.conf
</code>

In the virtual host that opens up, enter something like the following (the ''upgrade=websocket'' parameter on ''ProxyPass'' needs Apache 2.4.47 or newer):

<code apache>
<VirtualHost *:443>
    ServerName fqdn.com
    Include /etc/letsencrypt/options-ssl-apache.conf
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:9090/ upgrade=websocket
    ProxyPassReverse / http://127.0.0.1:9090/
    SSLCertificateFile /etc/letsencrypt/live/fqdn.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/fqdn.com/privkey.pem
</VirtualHost>
</code>

In addition to setting Apache to serve external requests to cockpit, you also need to configure cockpit to recognize your fqdn.com as a trusted origin:

<code bash>
sudo nano /etc/cockpit/cockpit.conf
</code>

In that file, enter the following:

<code ini>
[WebService]
Origins = https://fqdn.com http://127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
</code>

''AllowUnencrypted = true'' lets cockpit accept the plain-http connection from the proxy; that is acceptable here because Apache terminates TLS and the ufw rules above keep port 9090 reachable only from the designated source IPs.

Now that your virtual host is set up as a reverse proxy and your origin is trusted by cockpit, you should restart Apache with ''systemctl restart apache2'' and navigate to your cockpit instance at ''https://fqdn.com''. If you did everything correctly, cockpit will render and you will not need to append ''9090'' to fqdn.com. Additionally, since you specified the host itself in the firewall rules above, it will be able to renew your certificate files every 3 months.

 --- //[[alerts@haacksnetworking.org|oemb1905]] 2025/02/15 14:32//
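A common failure mode with this setup is a mismatch between the ''ServerName'' Apache answers for and the ''Origins'' cockpit trusts, which makes the browser's websocket connection fail with an origin error even though the page itself loads. The following script is an added example, not from this tutorial: it checks that the vhost and ''cockpit.conf'' agree on the origin and that the websocket and forwarded-proto directives are present. It assumes only that the files use the directive spellings shown above; the embedded sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the tutorial): verify that the Apache reverse-proxy
# vhost and cockpit.conf agree. A ServerName missing from Origins makes cockpit
# reject the websocket; a missing ProtocolHeader makes it think the session is
# plain http. File paths are arguments so the check runs against the constructed
# samples below or against the real files on a host.

# Constructed sample vhost and cockpit.conf, using fqdn.com as in the tutorial.
SAMPLE_VHOST='<VirtualHost *:443>
    ServerName fqdn.com
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:9090/ upgrade=websocket
    ProxyPassReverse / http://127.0.0.1:9090/
</VirtualHost>
'
SAMPLE_COCKPIT_CONF='[WebService]
Origins = https://fqdn.com http://127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
'

# check_proxy_config VHOST_FILE COCKPIT_CONF
# Returns 0 when https://<ServerName> is listed in Origins and the required
# directives are present; prints each problem found and returns 1 otherwise.
check_proxy_config() {
    vhost=$1
    conf=$2
    ok=0
    server_name=$(sed -n 's/^[[:space:]]*ServerName[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$vhost" | head -n 1)
    if [ -z "$server_name" ]; then
        echo "vhost: no ServerName directive"
        return 1
    fi
    origins=$(sed -n 's/^[[:space:]]*Origins[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    # Pad with spaces so the match is on a whole origin, not a prefix.
    case " $origins " in
        *" https://$server_name "*) ;;
        *) echo "cockpit.conf: Origins lacks https://$server_name"; ok=1 ;;
    esac
    grep -q '^[[:space:]]*ProtocolHeader[[:space:]]*=[[:space:]]*X-Forwarded-Proto' "$conf" \
        || { echo "cockpit.conf: ProtocolHeader is not X-Forwarded-Proto"; ok=1; }
    grep -q 'ProxyPass[[:space:]].*upgrade=websocket' "$vhost" \
        || { echo "vhost: ProxyPass lacks upgrade=websocket"; ok=1; }
    grep -q '^[[:space:]]*ProxyPreserveHost[[:space:]]*On' "$vhost" \
        || { echo "vhost: ProxyPreserveHost is not On"; ok=1; }
    return $ok
}

# Stand-alone run: with two arguments, check real files, e.g.
#   sh check_cockpit_proxy.sh /etc/apache2/sites-enabled/000-default.conf /etc/cockpit/cockpit.conf
# with none, check the constructed samples.
if [ $# -eq 2 ]; then
    check_proxy_config "$1" "$2"
else
    tmp=$(mktemp -d)
    printf '%s' "$SAMPLE_VHOST" > "$tmp/vhost.conf"
    printf '%s' "$SAMPLE_COCKPIT_CONF" > "$tmp/cockpit.conf"
    check_proxy_config "$tmp/vhost.conf" "$tmp/cockpit.conf" && echo "sample config is consistent"
    rm -rf "$tmp"
fi
```

The origin comparison is exact on purpose: cockpit matches the browser's ''Origin'' header against the ''Origins'' list literally, so a scheme or host that differs from what Apache serves is a real misconfiguration, not a cosmetic one.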