-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Proxying Cockpit over NGINX
Cockpit works on a web socket combined with http/https interface, Web Socket is used to deliver active content back and forth between client and server. But when a proxy sits in between, it needs to be configured likely.
To configure Cockpit proxy over NGINX, create a server virtual block (here is a reference guide) and add the following lines to it. This config would deliver specific set of work environments, do read the description to change config to your custom needs.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
upstream websocket {
server 127.0.0.1:9090;
}
server {
listen 80;
server_name cockpit.domain.tld www.cockpit.domain.tld;
return 301 https://$server_name$request_uri;
}
server {
listen 443;
server_name www.cockpit.domain.tld cockpit.domain.tld;
ssl on;
ssl_certificate /path/to/certificate;
ssl_certificate_key /path/to/key;
location / {
proxy_pass http://127.0.0.1:9090;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
# needed for websocket
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# change scheme of "Origin" to http
proxy_set_header Origin http://$host;
# Pass ETag header from cockpit to clients.
# See: https://github.com/cockpit-project/cockpit/issues/5239
gzip off;
}
}
By default Cockpit uses http protocol to connect to localhost, Since our proxy would likely reside on localhost we would redirect all http client requests to https
return 301 https://$server_name$request_uri;
By default cockpit generates a ssl certificate which is stored at /etc/cockpit/ws-certs.d/
In our case we would used NGINX to do all the TLS encryption work.
Edit these lines with your own ssl server and client keys:
ssl_certificate /path/to/certificate;
ssl_certificate_key /path/to/key;
Here is How to generate our self signed SSL
This would enable us to redirect to Cockpit via this proxy host.