I had a hard time finding the information I needed to get Cockpit to work right behind an Apache reverse proxy setup. So, I decided to collect everything I found here for the future.
At first, I tried to set up Cockpit under the /cockpit path, but it kept failing. Apparently, that path is reserved by Cockpit, so I switched to using /ckpt/ instead.
/etc/cockpit/cockpit.conf
[WebService]
Origins = https://mydomain.com http://127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
UrlRoot = /ckpt/
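Apache configuration
# Requires mod_proxy, mod_proxy_http, mod_proxy_wstunnel and mod_rewrite.
ProxyPreserveHost On
ProxyRequests Off
# The SSLProxy* directives below turn off certificate checks for TLS backends.
# For the http:// and ws:// backend URLs used here they have no effect.
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLProxyCheckPeerExpire Off
RewriteEngine On
# WebSocket upgrade requests go to the ws:// backend.
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /ckpt/(.*) ws://127.0.0.1:9090/ckpt/$1 [P,L]
# All other requests go to the http:// backend.
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /ckpt/(.*) http://127.0.0.1:9090/ckpt/$1 [P,L]
ProxyPass /ckpt/ http://127.0.0.1:9090/ckpt/
ProxyPassReverse /ckpt/ http://127.0.0.1:9090/ckpt/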
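AllowUnencrypted = true makes Cockpit accept plain HTTP, which the proxy needs on 127.0.0.1:9090, but cockpit.socket listens on all addresses by default. The following is an added example, not part of the original notes: a systemd drop-in that restricts the socket to loopback, plus a check over `ss -Hltn` output. The function names and sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original notes). Function names and the sample
# `ss` lines are constructed for illustration.

# Write a systemd drop-in that rebinds cockpit.socket to loopback only.
# $1 = drop-in directory; on a real host this is
#      /etc/systemd/system/cockpit.socket.d
# The empty ListenStream= clears the default listener (all addresses, port 9090).
write_loopback_dropin() {
    mkdir -p "$1" &&
    printf '[Socket]\nListenStream=\nListenStream=127.0.0.1:9090\n' > "$1/listen.conf"
}

# Read `ss -Hltn` output on stdin and print every listener on port 9090 whose
# local address is not 127.0.0.1 or [::1].
# Exit status: 0 = loopback only (or not listening), 1 = reachable elsewhere.
exposed_9090() {
    awk '$4 ~ /:9090$/ && $4 !~ /^(127\.0\.0\.1|\[::1\]):9090$/ { print $4; bad = 1 }
         END { exit bad + 0 }'
}

# Constructed samples: default socket unit vs. the unit with the drop-in applied.
SAMPLE_DEFAULT='LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:9090 *:*'
SAMPLE_LOOPBACK='LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9090 0.0.0.0:*'

# On the Cockpit host (as root):
#   write_loopback_dropin /etc/systemd/system/cockpit.socket.d
#   systemctl daemon-reload && systemctl restart cockpit.socket
#   ss -Hltn | exposed_9090 || echo "port 9090 is reachable beyond loopback"
for s in "$SAMPLE_DEFAULT" "$SAMPLE_LOOPBACK"; do
    if printf '%s\n' "$s" | exposed_9090 >/dev/null; then
        echo "loopback only"
    else
        echo "exposed"
    fi
done
```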
                                     +--+
                                     |  |
                                     |  |         +--------------------------+
+--------------------------+         |  |         |                          |
|                          |         |  |         |                          |
|                          |   +-----+--+-----+   |                          |
|                          |   |              |   |    Remote Machine (C)    |
|    Local Machine (A)     |   |              |   |                          |
|                          |   |              |   |                          |
|                          |   | Jump Server  |   |                          |
|                          |   |              |   |                          |
|                          |   |     (B)      |   |                          |
|                          |   |              |   |                          |
|                          |   |              |   |                          |
|                          |   |              |   |                          |
|                          |   |              |   +--------------------------+
+--------------------------+   |              |
                               +-----+--+-----+
                                     |  |
                                     |  |
                                     |  |
                                     +--+
Machine A can get to Machine B.
Machine B can get to Machine C.
Machine A CAN NOT get to Machine C directly.
Most people will use SSH to connect from Machine A to Machine B, then use SSH again to connect from Machine B to Machine C.
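Add the following to the SSH config on Machine A:
Host hostb
    User myself
    Hostname machineB
Host hostc
    User myself
    Hostname machineC
    Port 22
    # Connect to hostb first; -W forwards this session's stdin/stdout to %h:%p (machineC:22).
    # On OpenSSH 7.3 and later, "ProxyJump hostb" does the same thing.
    ProxyCommand ssh -q -W %h:%p hostb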
With this configuration, SSH can be used to connect directly from Machine A to Machine C. SSH will automatically direct the connection through Machine B.