Reverse Proxy setup for Cockpit with Apache (in a sub directory)

From evermeet.cx Wiki

Introduction

The task: run Cockpit in a sub directory, e.g. https://example.com/cp/

It should have been simple enough, but once again the Internet has failed me. All articles that I had found only explained how to set up a reverse proxy in a separate virtual host in the document root of the server. This was not what I wanted. None of the articles had all the moving parts that would have allowed me to extrapolate a config that worked.

Cockpit

Cockpit is a web-based graphical interface for servers. While I usually work on the command line, there are a few situations in which my much preferred ssh session won't do (e.g. sitting in front of a locked-down client system with no access to the command line).

I just wanted to have it available for emergencies if all else fails, but I didn't want to set it up in a separate virtual host, nor in the document root of said virtual host.

The documentation of the web service specifically mentions that one can't use /cockpit/ or /cockpit+ as a sub directory, because they are reserved. I still think it is possible, but I just chose another sub directory: /cp/

/etc/cockpit/cockpit.conf

[WebService]
Origins = https://example.com http://127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
UrlRoot = /cp/

Don't forget to restart the Cockpit service so that the new settings take effect.
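A quick consistency check for the file above, as an added example that is not part of the original wiki page: it parses cockpit.conf and reports where UrlRoot, the reserved prefixes and Origins disagree with the public URL and proxy prefix. The names lint_cockpit_conf and norm, and the loopback-only rule for cleartext origins, are assumptions made for this example.

```python
import configparser
from urllib.parse import urlsplit

RESERVED = ("/cockpit/", "/cockpit+")      # prefixes the page says are reserved
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample input: the cockpit.conf from this page.
SAMPLE = """\
[WebService]
Origins = https://example.com http://127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
UrlRoot = /cp/
"""

def norm(path):
    """Normalise a URL prefix to the form /name/ (or / when empty)."""
    inner = path.strip().strip("/")
    return f"/{inner}/" if inner else "/"

def lint_cockpit_conf(text, public_origin, proxy_prefix):
    """Return a list of findings; an empty list means conf and proxy agree."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                   # keep key case as written
    cp.read_string(text)
    if not cp.has_section("WebService"):
        return ["no [WebService] section"]
    ws, findings = cp["WebService"], []

    root = norm(ws.get("UrlRoot", ""))
    if root.startswith(RESERVED):
        findings.append(f"UrlRoot {root} uses a reserved prefix")
    if root != norm(proxy_prefix):
        findings.append(f"UrlRoot {root} != proxy prefix {norm(proxy_prefix)}")

    origins = ws.get("Origins", "").split()
    if public_origin not in origins:
        findings.append(f"Origins lacks {public_origin}")
    # Policy assumed for this example: cleartext origins only on loopback.
    for origin in origins:
        url = urlsplit(origin)
        if url.scheme in ("http", "ws") and url.hostname not in LOOPBACK:
            findings.append(f"cleartext origin {origin} is not loopback")
    return findings

if __name__ == "__main__":
    print(lint_cockpit_conf(SAMPLE, "https://example.com", "/cp/") or "OK")
```
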

Reverse Proxy setup

The following Apache directives will configure the reverse proxy.

ProxyPreserveHost       On
ProxyRequests           Off

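# turn off all checks of the backend server's certificate
# (remove these when proxying to an https backend, see below)
SSLProxyVerify          None
SSLProxyCheckPeerCN     Off
SSLProxyCheckPeerName   Off
SSLProxyCheckPeerExpire Off

# allow for upgrading to websockets
# (patterns are anchored with ^ so that, in virtual host context,
#  only URLs that start with /cp/ are proxied)
RewriteEngine On
RewriteCond %{HTTP:Upgrade}    =websocket [NC]
RewriteRule ^/cp/(.*)          ws://127.0.0.1:9090/cp/$1 [P,L]
# everything else under /cp/ goes to the backend as plain HTTP
RewriteCond %{HTTP:Upgrade}    !=websocket [NC]
RewriteRule ^/cp/(.*)          http://127.0.0.1:9090/cp/$1 [P,L]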

# Proxy to your local cockpit instance
ProxyPass        /cp/          http://127.0.0.1:9090/cp/
ProxyPassReverse /cp/          http://127.0.0.1:9090/cp/

If you want to use TLS behind the reverse proxy, you will have to replace http with https, and ws with wss. Furthermore, the SSLProxy directives must be removed.

In the Cockpit configuration, you will also have to concatenate the full chain and the key, and put the resulting file in the /etc/cockpit/ws-certs.d directory.