- cockpit
- Jonathan Haack
- Haack's Networking
- webmaster@haacksnetworking.org
cockpit
This tutorial covers how to set up an apache reverse proxy for cockpit. It is also used in conjunction with ufw, which limits connections to designated source IPs. This configuration of cockpit does not use NetworkManager. First, let's install cockpit:
. /etc/os-release
echo "deb http://deb.debian.org/debian ${VERSION_CODENAME}-backports main" > \
/etc/apt/sources.list.d/backports.list
apt update
apt install -t ${VERSION_CODENAME}-backports cockpit
apt remove network-manager
apt autoremove
apt install cockpit-machines
Now that cockpit is installed, let's make sure the firewall is setup to allow requests from the host itself (needed for Let's Encrypt requests) and from trusted source IPs of your choosing.
ufw allow from <server's IP> to any port 80 ufw allow from <server's IP> to any port 443 ufw allow from <trusted IP> to any port 80 ufw allow from <trusted IP> to any port 443 ufw allow from <trusted IP> to any port 9090 ufw allow from <trusted IP> to any proto udp port 1194 ufw allow from <trusted IP> to any proto tcp port 22
The above firewall rules will differ depending on one's setup and there are certainly other ways to do this. Once this is done, let's set up apache to serve cockpit to the trusted IPs.
sudo apt install apache sudo a2enmod proxy_http sudo a2enmod proxy sudo a2enmod rewrite sudo a2enmod ssl sudo a2enmod headers sudo nano /etc/apache2/sites-available/000-default.conf <enter the FQDN in the virtual host> a2ensite 000-default.conf sudo apache2ctl configtest
Once the host serves http requests without any issues, it's time to setup TLS. I prefer to use Let's Encrypt as follows:
sudo apt install certbot letsencrypt python3-certbot-apache sudo certbot --authenticator standalone --installer apache -d fqdn.com --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"
Once the host serves https requests without any issues, it's time to replace the virtual host you set up above with a reverse proxy configuration. You will also need to delete the virtual host that Let's Encrypt setup as it will no longer be necessary.
cd /etc/apache2/sites-enabled rm 000-default-le-ssl.conf [name might differ] sudo nano 000-default.conf
In the virtual host that opens up, enter something like the following:
<IfModule mod_ssl.c> <VirtualHost *:443> ServerName fqdn.com Include /etc/letsencrypt/options-ssl-apache.conf ProxyPreserveHost On ProxyRequests Off ProxyPass / http://127.0.0.1:9090/ upgrade=websocket ProxyPassReverse / http://127.0.0.1:9090/ SSLCertificateFile /etc/letsencrypt/live/fqdn.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/fqdn.com/privkey.pem </VirtualHost> </IfModule>
In addition to setting apache to serve external requests to cockpit, you also need to configure cockpit to recognize your fqdn.com as a trusted origin:
sudo nano /etc/cockpit/cockpit.conf
In that file, enter the following:
[WebService] Origins = https://fqdn.com http://127.0.0.1:9090 ProtocolHeader = X-Forwarded-Proto AllowUnencrypted = true
Now that your virtual host is setup as a reverse proxy and your origin is trusted by cockpit, you should restart apache with systemctl restart apache2 and navigate to your cockpit instance https://fqdn.com. If you did everything correctly, cockpit will render and you will not need to append 9090 to the fqdn.com. Additionally, since you specified the host itself in the firewall rules above, it will be able to renew your certificate files every 3 months.
— oemb1905 2025/02/15 14:32
