Cockpit: Proxy over Apache giving blank pages

Created on 24 Feb 2018  路  8Comments  路  Source: cockpit-project/cockpit

Hey guys,

I have configured an apache 2.4 like described here: https://github.com/cockpit-project/cockpit/wiki/Proxying-Cockpit-over-Apache-with-LetsEncrypt

Unfortunately I can see some weird issues:

Behaviour

  1. The login page "look" ok. But there is a console error regarding the source map.

  2. After entering login data

    • In the JS console a connection to wss://something/cockpit/socket is tried.
    • It is related to cockpit.js:293:24.
    • The page keeps completely blank.
    • All solutions/discussion in #5934 seems not to help.

Information

OS: CentOS 7.4
httpd: httpd-2.4.6-67.el7.centos.6.x86_64
cockpit: cockpit-ws-157-1.el7.centos.x86_64

If needed I can provide additional information and you can also contact me via IRC sometimes.

Regards,
Daniel

bug question

Most helpful comment

Here is the full config that got me proxying working in Apache without using a virtualhost. I used the name cockpit-new because the docs say cockpit and cockpit+ are reserved.

/etc/cockpit/cockpit.conf

[WebService]
Origins = https://MYDOMAIN.COM http://MYDOMAIN.COM https://localhost:9090 http://localhost:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
UrlRoot = /cockpit-new/

/etc/apache2/apache2.conf

ProxyPass /cockpit-new/cockpit/socket ws://localhost:9090/cockpit-new/cockpit/socket
ProxyPassReverse /cockpit-new/cockpit/socket ws://localhost:9090/cockpit-new/cockpit/socket

ProxyPass /cockpit-new/ http://localhost:9090/cockpit-new/
ProxyPassReverse /cockpit-new/ http://localhost:9090/cockpit-new/

RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"

Redirect permanent /cockpit-new /cockpit-new/
ProxyVia On

All 8 comments

How is your reverse proxy configured for Cockpit? Mine is configured to go to https://www.domain.com/manage/ instead of https://www.domain.com:9090. I had issues with mine displaying blank pages originally but got it to work with the below settings.

Here's the relevant Apache config I used to get it working.

<VirtualHost *:443>
        ServerName www.domain.com
        SSLEngine On
        SSLProxyEngine On
        SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key
        SSLCertificateChainFile /etc/apache2/ssl/ca-chain.cert.pem
        ServerAdmin [email protected]
        DocumentRoot /var/www
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        RequestHeader unset X-Forwarded-Proto
        RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
        ProxyPreserveHost On
        ProxyPass /manage https://localhost:9090/manage
        ProxyPassReverse /manage https://localhost:9090/manage
        <LocationMatch "^/manage/cockpi(t[^/]+|t)?/socket$">
            ProxyPassMatch "ws://localhost:9090/manage/cockpi$1/socket"
        </LocationMatch>
</VirtualHost>

Make sure that you enable Apache modules with a2enmod proxy proxy_wstunnel proxy_http ssl rewrite (which I am assuming you have already from the instructions you linked).

Also, here is my /etc/cockpit/cockpit.conf. If you are configuring your reverse proxy like mine with a sub-site, then you must create the cockpit.conf file and set the below settings.

[WebService]
ProtocolHeader = X-Forwarded-Proto
UrlRoot=/manage/

Hope that helps.

Hey, the above config will use the cert in cockpit. my goal is to terminate the ssl in httpd already.

The issue seems, that even with AllowUnencrypted = true in /etc/cockpit/cockpit.conf cockpit tries to use wss instead of ws.

<VirtualHost www.domain.com:443>
  ServerName www.domain.com
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/www.domain.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/wwww.domain.com/chain.pem

# SSL Cipher
  SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  SSLHonorCipherOrder     on
  SSLCompression          off

  ProxyPreserveHost On
  ProxyRequests Off

  # Proxy to your local cockpit instance
  ProxyPass / http://127.0.0.1:9090/
  ProxyPassReverse / http://127.0.0.1:9090/
  ProxyPass /cockpit/socket ws://127.0.0.1:9090/cockpit/socket
  ProxyPassReverse /cockpit/socket ws://127.0.0.1:9090/cockpit/socket

</VirtualHost>

Sorry I should have mentioned that I am using my domain certificate in Cockpit using these instructions.

As for terminating SSL in httpd, I'm not sure about this. Just another end user here :)

Not a problem :+1: I am always happy, if somebody takes care. Every help is welcome.

Had to fix this again after a reinstall. In my case needed the following /etc/cockpit/cockpit.conf

[WebService]
Origins = https://cockpit.mydomain http://127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true

I experience the exact same issue but it had worked previously. I have set up a proper Let's Encrypt certificate and domain. Any ideas?

Here is the full config that got me proxying working in Apache without using a virtualhost. I used the name cockpit-new because the docs say cockpit and cockpit+ are reserved.

/etc/cockpit/cockpit.conf

[WebService]
Origins = https://MYDOMAIN.COM http://MYDOMAIN.COM https://localhost:9090 http://localhost:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
UrlRoot = /cockpit-new/

/etc/apache2/apache2.conf

ProxyPass /cockpit-new/cockpit/socket ws://localhost:9090/cockpit-new/cockpit/socket
ProxyPassReverse /cockpit-new/cockpit/socket ws://localhost:9090/cockpit-new/cockpit/socket

ProxyPass /cockpit-new/ http://localhost:9090/cockpit-new/
ProxyPassReverse /cockpit-new/ http://localhost:9090/cockpit-new/

RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"

Redirect permanent /cockpit-new /cockpit-new/
ProxyVia On

While this works to setup cockpit to run in a subfolder, and it works in Chrome, it does not work in Safari or iOS due to this error

Refused to connect to wss://your-site.com/cockpit-new/cockpit/socket because it does not appear in the connect-src directive of the Content Security Policy.
cockpit.js:365

I have tried overriding the header through Apache but no success as yet.

Was this page helpful?
0 / 5 - 0 ratings