Cockpit: Login don't work with caddy reverse-proxy

Created on 28 Sep 2019  路  10Comments  路  Source: cockpit-project/cockpit

Hello,
Cockpit version: 202.1
OS: Debian Sid

When I try to login on cockpit on the normal, self signed https (port 9090). Everything work perfectly.
But, to have a signed https instead of a self signed, (I use caddy for that). It work strangely.
Sometimes it works sometimes it doesn't. That's strange. ( ex: Last night it worked very well... )
The error I get when it don't work is :

                              Connection failed

        There was an unexpected error while connecting to the machine.
          Messages related to the failure might be found in the journal:
                                  journalctl -u cockpit

and, on the browser console, I get that :

          Erreur dans les liens source : request failed with status 401

how to reproduce :

Relevant parts of the system log are also useful:
cockpit logs :

sept. 28 07:42:34 servername cockpit-session[22847]: pam_ssh_add: Failed adding some keys
sept. 28 07:42:34 servername cockpit-session[22847]: pam_unix(cockpit:session): session  opened for user ertuit by (uid=0)
sept. 28 07:42:34 servername cockpit-ws[22515]: logged in user session
sept. 28 07:42:50 servername cockpit-ws[22515]: session timed out
sept. 28 07:43:03 servername cockpit-session[22911]: pam_ssh_add: Failed adding some keys
sept. 28 07:43:03 servername cockpit-session[22911]: pam_unix(cockpit:session): session  opened for user ertuit by (uid=0)
sept. 28 07:43:03 servername cockpit-ws[22515]: logged in user session

Steps to reproduce

  1. Install cockpit on a debian sid machine.
  2. Install caddy and configure the caddy file ( my configuration is that : )

my.domain.name:9091 {
proxy / localhost:9090 {
transparent
websocket
}
tls {
max_certs 1
}

  1. Run caddy
  2. Try to login into cockpit via the reverse-proxy, let's encrypt signed https by caddy.
  3. If it work reboot a few time the machine or wait a night.

However, the cockpit on port 9090, self signed still works very well.

normal

picture

noproblemeverythingnormal

( yes, I'm french...)

_also, on my other debian server, a debian stretch, I have the same problem but without having any error displayed. Instead I have a white screen. ( it's a different version of the cockpit)._

Thank you.
Ertuit.

Most helpful comment

Same problem for me behind traefik reverse proxy on an ubuntu 18.04

All 10 comments

I got exact the same problem on Debian using nginx, but couldnt find any solution so far.

Same problem for me behind traefik reverse proxy on an ubuntu 18.04

I am having a similar issue

cockpit.js:347 WebSocket connection to 'wss://<snip>.com/cockpit/socket' failed: Error during WebSocket handshake: Unexpected response code: 403

EDIT:

I was able to fix it by following https://github.com/cockpit-project/cockpit/wiki/Proxying-Cockpit-over-NGINX

I ended up having to adjust my proxy settings to allow websockets to connect

So did anybody resolved this with traefik v2?

Edit the fie (create if not existing) /etc/cockpit/cockpit.conf and add the following:

[WebService]
Origins = https://example.com

in Caddyfile I have the following:

example.com {
        proxy / localhost:9090  {
                websocket
        }
}

Works fine for me

Using Caddy v2, this config works for me.

/etc/caddy/Caddyfile

cockpit.example.com
reverse_proxy localhost:9090

/etc/cockpit/cockpit.conf

[WebService]
Origins = https://cockpit.example.com wss://cockpit.example.com
ProtocolHeader = X-Forwarded-Proto

this confiiguration with caddy v2 and debian 10 and cockpit v188 does not work

/etc/cockpit/cockpit.conf
[WebService]
Origins = https://cockpit.example.com wss://cockpit.example.com
ProtocolHeader = X-Forwarded-Proto

my caddyserver is on another machine (raspbian buster)
/etc/caddy/Caddyfile
cockpit.example.com {
reverse_proxy my.int.ern.al.ip:9090
}

I got it to work with those parameters in cockpit conf

/etc/cockpit/cockpit.conf
[WebService]
AllowUnencrypted = true
Origins = https://cockpit.example.com
ProtocolHeader = X-Forwarded-Proto

I am quite sure it is not a safe config, anyone got a better solution here ?!?

Any update? I have the same problem with apache2 and proxypass.

Traefik v2 still doesn't work

Was this page helpful?
0 / 5 - 0 ratings

Related issues

q2dg picture q2dg  路  6Comments

kai4785 picture kai4785  路  4Comments

FireDrunk picture FireDrunk  路  6Comments

jacksnodgrass picture jacksnodgrass  路  6Comments

tmjpugh picture tmjpugh  路  8Comments