Cockpit/Apache Reverse Proxy Setup

March 14, 2022 - Reading time: ~1 minute

I had a hard time finding the information I needed to get Cockpit to work right behind an Apache reverse proxy setup. So, I decided to collect everything I found here for the future.

At first, I tried to set up Cockpit under the /cockpit path, but it kept failing. Apparently, that path is reserved by Cockpit, so I switched to using /ckpt/ instead.

  1. Create config file: /etc/cockpit/cockpit.conf
  2. Add contents:
    [WebService]
    Origins = https://mydomain.com http://127.0.0.1:9090
    ProtocolHeader = X-Forwarded-Proto
    AllowUnencrypted = true
    UrlRoot = /ckpt/
  3. Restart Cockpit
  4. Add Apache directives to chosen VirtualHost:
    ProxyPreserveHost On
    ProxyRequests Off
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off
    SSLProxyCheckPeerExpire Off
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /ckpt/(.*) ws://127.0.0.1:9090/ckpt/$1 [P,L]
    RewriteCond %{HTTP:Upgrade} !=websocket [NC]
    RewriteRule /ckpt/(.*) http://127.0.0.1:9090/ckpt/$1 [P,L]
    ProxyPass /ckpt/ http://127.0.0.1:9090/ckpt/
    ProxyPassReverse /ckpt/ http://127.0.0.1:9090/ckpt/
  5. Restart Apache
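
An added check for the setup above (example code, not part of the original post): `AllowUnencrypted = true` makes Cockpit answer plain HTTP on port 9090, so this Python audit flags a listener reachable beyond loopback, a ProxyPass path that disagrees with UrlRoot, and `SSLProxyVerify None` once the backend is switched to https://. The `audit` function and the `ss -ltn` sample lines are constructed for illustration.

```python
import configparser
import re

# Constructed inputs: both configs mirror the post; the `ss -ltn` lines are made up.
COCKPIT_CONF = """[WebService]
Origins = https://mydomain.com http://127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
UrlRoot = /ckpt/
"""
APACHE_CONF = """SSLProxyVerify None
ProxyPass /ckpt/ http://127.0.0.1:9090/ckpt/
ProxyPassReverse /ckpt/ http://127.0.0.1:9090/ckpt/
"""
SS_ALL_INTERFACES = "LISTEN 0 4096 *:9090 *:*"
SS_LOOPBACK_ONLY = "LISTEN 0 4096 127.0.0.1:9090 0.0.0.0:*"
LOOPBACK = ("127.0.0.1", "[::1]", "localhost")

def audit(cockpit_conf, apache_conf, ss_output, port=9090):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    parser = configparser.ConfigParser()
    parser.read_string(cockpit_conf)
    web = parser["WebService"]
    # AllowUnencrypted makes Cockpit serve plain HTTP, so the port must stay local.
    if web.getboolean("AllowUnencrypted", fallback=False):
        for fields in map(str.split, ss_output.splitlines()):
            if len(fields) >= 4 and fields[0] == "LISTEN":
                addr, _, lport = fields[3].rpartition(":")
                if lport == str(port) and addr not in LOOPBACK:
                    findings.append(f"plaintext Cockpit port {port} is bound to {addr}")
    # The proxied path must equal UrlRoot and the backend should be loopback.
    match = re.search(r"^\s*ProxyPass\s+(\S+)\s+(\w+)://(\[[^\]]+\]|[^/:\s]+)",
                      apache_conf, re.M)
    if not match:
        return findings + ["no ProxyPass directive found"]
    path, scheme, host = match.groups()
    if path.strip("/") != web.get("UrlRoot", "").strip("/"):
        findings.append(f"ProxyPass path {path} does not match UrlRoot")
    if scheme == "http" and host not in LOOPBACK:
        findings.append(f"unencrypted proxy hop to non-local backend {host}")
    # The SSLProxy* relaxations only take effect once the backend is https://.
    if scheme == "https" and re.search(r"^\s*SSLProxyVerify\s+None", apache_conf, re.M | re.I):
        findings.append("backend certificate verification is disabled")
    return findings

if __name__ == "__main__":
    for ss in (SS_ALL_INTERFACES, SS_LOOPBACK_ONLY):
        print(audit(COCKPIT_CONF, APACHE_CONF, ss) or "no findings")
```

If the first finding appears on a real host, bind `cockpit.socket` to 127.0.0.1 or firewall port 9090 so that only Apache can reach the plaintext listener.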

SSH ProxyCommand for jumping servers

January 24, 2022 - Reading time: ~1 minute
                                         +--+
                                         |  |
                                         |  |            +--------------------------+
+--------------------------+             |  |            |                          |
|                          |             |  |            |                          |
|                          |       +-----+--+-----+      |                          |
|                          |       |              |      |   Remote Machine (C)     |
|  Local Machine (A)       |       |              |      |                          |
|                          |       |              |      |                          |
|                          |       | Jump Server  |      |                          |
|                          |       |              |      |                          |
|                          |       |     (B)      |      |                          |
|                          |       |              |      |                          |
|                          |       |              |      |                          |
|                          |       |              |      |                          |
|                          |       |              |      +--------------------------+
+--------------------------+       |              |
                                   +-----+--+-----+
                                         |  |
                                         |  |
                                         |  |
                                         +--+

Getting to a server behind a firewall

Machine A can get to Machine B.

Machine B can get to Machine C.

Machine A CAN NOT get to Machine C directly.

Most people will use SSH to connect from Machine A to Machine B, then use SSH again to connect from Machine B to Machine C.

Another option: ProxyCommand

Add the following to the SSH config:

Host hostb
    User myself
    Hostname machineB

Host hostc
    User myself
    Hostname machineC
    Port 22
    ProxyCommand ssh -q -W %h:%p hostb

With this configuration, SSH can be used to connect directly from Machine A to Machine C. SSH will automatically direct the connection through Machine B.

