After installing Cockpit, if we want to allow access from the outside we must configure a virtual host for Cockpit and edit or create a file in the Cockpit Project installation path. Below are my configuration files for Cockpit on apache2 and nginx, both with redirects that hide the port and give a cleaner URL.
If we skip this, in some cases we will get a blank screen when we connect, or we will have to access Cockpit using the port.
Note: Remember to replace the names with the ones that apply to your setup.
Create the file /etc/apache2/sites-available/cockpit.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName cockpit.dominio.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/dominio.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/dominio.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    ProxyPreserveHost On
    ProxyRequests Off
    # allow for upgrading to websockets
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*) ws://127.0.0.1:9090/$1 [P,L]
    RewriteCond %{HTTP:Upgrade} !=websocket [NC]
    RewriteRule /(.*) http://127.0.0.1:9090/$1 [P,L]
    # Proxy to your local cockpit instance
    RequestHeader edit Origin ^https: http: early
    ProxyPass /cockpit/socket ws://127.0.0.1:9090/cockpit/socket
    ProxyPassReverse /cockpit/socket ws://127.0.0.1:9090/cockpit/socket
    ProxyPass / http://127.0.0.1:9090/
    ProxyPassReverse / http://127.0.0.1:9090/
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
</VirtualHost>
</IfModule>
Enable the site
sudo ln -s /etc/apache2/sites-available/cockpit.conf /etc/apache2/sites-enabled/
We can also use
sudo a2ensite cockpit.conf
Edit /etc/cockpit/cockpit.conf
[WebService]
Origins = https://cockpit.dominio.com http://127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
Restart apache2
sudo systemctl restart apache2
Create the file /etc/nginx/sites-available/cockpit.dominio.com
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
upstream websocket {
    server 127.0.0.1:9090;
}
server {
    listen 80;
    listen [::]:80;
    server_name cockpit.dominio.com;
    return 301 https://cockpit.dominio.com$request_uri;
}
server {
    # "ssl" on the listen line enables TLS; the separate "ssl on;" directive is obsolete
    listen 443 ssl http2;
    server_name cockpit.dominio.com;
    ssl_certificate /etc/letsencrypt/live/dominio.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dominio.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        proxy_pass http://websocket;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        # needed for websocket
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # change scheme of "Origin" to http
        proxy_set_header Origin http://$host;
        # Pass ETag header from cockpit to clients.
        # See: https://github.com/cockpit-project/cockpit/issues/5239
        gzip off;
    }
}
Enable the site
sudo ln -s /etc/nginx/sites-available/cockpit.dominio.com /etc/nginx/sites-enabled/
Edit /etc/cockpit/cockpit.conf
[WebService]
AllowUnencrypted = false
Origins = https://cockpit.dominio.com https://cockpit.dominio.com:9090
ProtocolHeader = X-Forwarded-Proto
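A quick way to audit /etc/cockpit/cockpit.conf against the public hostname before restarting the proxy. This is an added example, not part of the original post; the helper names ws_get and check_cockpit_conf are hypothetical, and the pass criteria (the https origin is listed, ProtocolHeader is set) are an assumption that mirrors the cockpit.conf files shown above.

```sh
#!/bin/sh
# Added example, not from the original post. ws_get and check_cockpit_conf are
# hypothetical helper names; the checks mirror the cockpit.conf files above.

# Print KEY from the [WebService] group of FILE (repeated groups are merged).
ws_get() {
  awk -v key="$2" '
    /^[ \t]*\[/ { in_ws = ($0 ~ /^[ \t]*\[WebService\]/); next }
    !in_ws || /^[ \t]*#/ { next }
    {
      eq = index($0, "="); if (!eq) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v
    }
    END { print val }' "$1"
}

# Succeed when FILE lists https://HOST in Origins and sets ProtocolHeader.
# The body is a subshell, so variables and "set -f" do not leak to the caller.
check_cockpit_conf() (
  want="https://$2"; rc=0; found=no
  set -f                      # Origins entries may contain glob characters
  for o in $(ws_get "$1" Origins); do
    if [ "$o" = "$want" ]; then found=yes; fi
  done
  if [ "$found" = no ]; then
    echo "FAIL: Origins does not list $want"; rc=1
  fi
  if [ -z "$(ws_get "$1" ProtocolHeader)" ]; then
    echo "FAIL: ProtocolHeader is not set"; rc=1
  fi
  case "$(ws_get "$1" AllowUnencrypted)" in
    true|1) echo "WARN: AllowUnencrypted is on; keep port 9090 unreachable from outside" ;;
  esac
  [ "$rc" -eq 0 ]
)

# Constructed sample input using the page's placeholder hostname.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[WebService]
Origins = https://cockpit.dominio.com http://127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
EOF
check_cockpit_conf "$sample" cockpit.dominio.com && echo "OK: $sample"
rm -f "$sample"
```

On a real host, call it as check_cockpit_conf /etc/cockpit/cockpit.conf followed by the ServerName or server_name used in the virtual host.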