This is an old revision of the document!
- cockpit
- Jonathan Haack
- Haack's Networking
- webmaster@haacksnetworking.org
cockpit
This tutorial covers how to set up Cockpit on Debian. The approach here assumes that Cockpit will be installed on bare metal being used in production, with only ssh exposed. This tutorial assumes you already have a sufficiently hardened and provisioned VPS/VM w/ a LAMP stack and some associated A/AAAA records ready to go. If not, go read Apache Survival first and come back. If you are ready to go, then this tutorial will cover:
- Installation of Cockpit + Preferred Packages - Setup of Apache Reverse Proxy; including setup for “with” and “without” 80/443 exposed/listening - Localhost w/ FoxyProxy - Official Cockpit Flatpak
#### Introduction #### Let's add install cockpit
The above firewall rules will differ depending on one's setup and there are certainly other ways to do this. Once this is done, let's set up apache to serve cockpit to the trusted IPs.
sudo apt install apache sudo a2enmod proxy_http sudo a2enmod proxy sudo a2enmod rewrite sudo a2enmod ssl sudo a2enmod headers sudo nano /etc/apache2/sites-available/000-default.conf <enter the FQDN in the virtual host> a2ensite 000-default.conf sudo apache2ctl configtest
Once the host serves http requests without any issues, it's time to setup TLS. I prefer to use Let's Encrypt as follows:
sudo apt install certbot letsencrypt python3-certbot-apache sudo certbot --authenticator standalone --installer apache -d fqdn.com --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"
Once the host serves https requests without any issues, it's time to replace the virtual host you set up above with a reverse proxy configuration. You will also need to delete the virtual host that Let's Encrypt setup as it will no longer be necessary.
cd /etc/apache2/sites-enabled rm 000-default-le-ssl.conf [name might differ] sudo nano 000-default.conf
In the virtual host that opens up, enter something like the following:
<IfModule mod_ssl.c> <VirtualHost *:443> ServerName fqdn.com Include /etc/letsencrypt/options-ssl-apache.conf ProxyPreserveHost On ProxyRequests Off ProxyPass / http://127.0.0.1:9090/ upgrade=websocket ProxyPassReverse / http://127.0.0.1:9090/ SSLCertificateFile /etc/letsencrypt/live/fqdn.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/fqdn.com/privkey.pem </VirtualHost> </IfModule>
In addition to setting apache to serve external requests to cockpit, you also need to configure cockpit to recognize your fqdn.com as a trusted origin:
sudo nano /etc/cockpit/cockpit.conf
In that file, enter the following:
[WebService] Origins = https://fqdn.com http://127.0.0.1:9090 ProtocolHeader = X-Forwarded-Proto AllowUnencrypted = true
Now that your virtual host is setup as a reverse proxy and your origin is trusted by cockpit, you should restart apache with systemctl restart apache2 and navigate to your cockpit instance https://fqdn.com. If you did everything correctly, cockpit will render and you will not need to append 9090 to the fqdn.com. Additionally, since you specified the host itself in the firewall rules above, it will be able to renew your certificate files every 3 months.
— oemb1905 2025/02/15 14:32
