Hey guys,
I have configured an apache 2.4 like described here: https://github.com/cockpit-project/cockpit/wiki/Proxying-Cockpit-over-Apache-with-LetsEncrypt
Unfortunately I can see some weird issues:
The login page "look" ok. But there is a console error regarding the source map.
After entering login data
OS: CentOS 7.4
httpd: httpd-2.4.6-67.el7.centos.6.x86_64
cockpit: cockpit-ws-157-1.el7.centos.x86_64
If needed I can provide additional information and you can also contact me via IRC sometimes.
Regards,
Daniel
How is your reverse proxy configured for Cockpit? Mine is configured to go to https://www.domain.com/manage/ instead of https://www.domain.com:9090. I had issues with mine displaying blank pages originally but got it to work with the below settings.
Here's the relevant Apache config I used to get it working.
<VirtualHost *:443>
ServerName www.domain.com
SSLEngine On
SSLProxyEngine On
SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key
SSLCertificateChainFile /etc/apache2/ssl/ca-chain.cert.pem
ServerAdmin [email protected]
DocumentRoot /var/www
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RequestHeader unset X-Forwarded-Proto
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
ProxyPreserveHost On
ProxyPass /manage https://localhost:9090/manage
ProxyPassReverse /manage https://localhost:9090/manage
<LocationMatch "^/manage/cockpi(t[^/]+|t)?/socket$">
ProxyPassMatch "ws://localhost:9090/manage/cockpi$1/socket"
</LocationMatch>
</VirtualHost>
Make sure that you enable Apache modules with a2enmod proxy proxy_wstunnel proxy_http ssl rewrite (which I am assuming you have already from the instructions you linked).
Also, here is my /etc/cockpit/cockpit.conf. If you are configuring your reverse proxy like mine with a sub-site, then you must create the cockpit.conf file and set the below settings.
[WebService]
ProtocolHeader = X-Forwarded-Proto
UrlRoot=/manage/
Hope that helps.
Hey, the above config will use the cert in cockpit. my goal is to terminate the ssl in httpd already.
The issue seems, that even with AllowUnencrypted = true in /etc/cockpit/cockpit.conf cockpit tries to use wss instead of ws.
<VirtualHost www.domain.com:443>
ServerName www.domain.com
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/wwww.domain.com/chain.pem
# SSL Cipher
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
ProxyPreserveHost On
ProxyRequests Off
# Proxy to your local cockpit instance
ProxyPass / http://127.0.0.1:9090/
ProxyPassReverse / http://127.0.0.1:9090/
ProxyPass /cockpit/socket ws://127.0.0.1:9090/cockpit/socket
ProxyPassReverse /cockpit/socket ws://127.0.0.1:9090/cockpit/socket
</VirtualHost>
Sorry I should have mentioned that I am using my domain certificate in Cockpit using these instructions.
As for terminating SSL in httpd, I'm not sure about this. Just another end user here :)
Not a problem :+1: I am always happy, if somebody takes care. Every help is welcome.
Had to fix this again after a reinstall. In my case needed the following /etc/cockpit/cockpit.conf
[WebService]
Origins = https://cockpit.mydomain http://127.0.0.1:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
I experience the exact same issue but it had worked previously. I have set up a proper Let's Encrypt certificate and domain. Any ideas?
Here is the full config that got me proxying working in Apache without using a virtualhost. I used the name cockpit-new because the docs say cockpit and cockpit+ are reserved.
[WebService]
Origins = https://MYDOMAIN.COM http://MYDOMAIN.COM https://localhost:9090 http://localhost:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
UrlRoot = /cockpit-new/
ProxyPass /cockpit-new/cockpit/socket ws://localhost:9090/cockpit-new/cockpit/socket
ProxyPassReverse /cockpit-new/cockpit/socket ws://localhost:9090/cockpit-new/cockpit/socket
ProxyPass /cockpit-new/ http://localhost:9090/cockpit-new/
ProxyPassReverse /cockpit-new/ http://localhost:9090/cockpit-new/
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
Redirect permanent /cockpit-new /cockpit-new/
ProxyVia On
While this works to setup cockpit to run in a subfolder, and it works in Chrome, it does not work in Safari or iOS due to this error
Refused to connect to wss://your-site.com/cockpit-new/cockpit/socket because it does not appear in the connect-src directive of the Content Security Policy.
cockpit.js:365
I have tried overriding the header through Apache but no success as yet.
Most helpful comment
Here is the full config that got me proxying working in Apache without using a virtualhost. I used the name cockpit-new because the docs say cockpit and cockpit+ are reserved.
/etc/cockpit/cockpit.conf
[WebService]
Origins = https://MYDOMAIN.COM http://MYDOMAIN.COM https://localhost:9090 http://localhost:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
UrlRoot = /cockpit-new/
/etc/apache2/apache2.conf
ProxyPass /cockpit-new/cockpit/socket ws://localhost:9090/cockpit-new/cockpit/socket
ProxyPassReverse /cockpit-new/cockpit/socket ws://localhost:9090/cockpit-new/cockpit/socket
ProxyPass /cockpit-new/ http://localhost:9090/cockpit-new/
ProxyPassReverse /cockpit-new/ http://localhost:9090/cockpit-new/
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
Redirect permanent /cockpit-new /cockpit-new/
ProxyVia On