Cockpit Setup with Reverse Proxy

Disclaimer

In this guide, I will use Fedora 41 Cloud Edition as the base operating system. Some steps may vary depending on the distribution you are using.

Introduction

• Cockpit is a web-based server management tool that allows you to monitor and manage multiple servers from a single interface. It provides an easy-to-use dashboard that displays system information and logs. In this guide I will show you how to install Cockpit on your server and set it up behind a reverse proxy.

Step 1: Install Cockpit

• The first step is to install Cockpit on your server. You can do this by running command:

• For Debian/Ubuntu:

  sudo apt update
  sudo apt install cockpit

• For CentOS/RHEL:

  sudo yum install cockpit

• For arch-based distros:

  sudo pacman -S cockpit

  

Step 2: Enable and Start Cockpit

• Once Cockpit is installed, you need to enable and start the Cockpit service. You can do this by running the following commands:

  sudo systemctl enable --now cockpit.socket

  

Step 3: Configure Firewall for Testing Cockpit

• If a firewall is enabled on your server and you are not using a reverse proxy, you will need to allow traffic on port 9090 (the default Cockpit port). You can do this by running the following commands:

• For UFW:

  sudo ufw allow 9090/tcp

• For FirewallD:

  sudo firewall-cmd --permanent --zone="$(firewall-cmd --get-default-zone)" --add-service=cockpit
  sudo firewall-cmd --reload

  

Step 4: Access Cockpit Web Interface

• Once Cockpit is installed and running, you can access the web interface by navigating to https://your-server-ip:9090 in your web browser. You will be prompted to log in with your server username and password.

  

• If you get the Cockpit login page, then you have successfully installed Cockpit. Then you can close the cockpit port 9090 as follows:

  • For UFW:

    sudo ufw delete allow 9090/tcp

  • For FirewallD:

    sudo firewall-cmd --permanent --zone="$(firewall-cmd --get-default-zone)" --remove-service=cockpit
    sudo firewall-cmd --reload

    

Step 5: Set Up Reverse Proxy

• To use Cockpit behind a reverse proxy, you need to configure your web server to forward requests to the Cockpit service. Here is a sample configuration for web servers:

• Apache

  • Create a new Apache configuration file for your domain:

    sudo vim /etc/apache2/sites-available/your-domain.com.conf

  • Add the following configuration to the file:

    <VirtualHost *:80>
        ServerName your-domain.com
        Redirect permanent / https://your-domain.com/
    </VirtualHost>
     
    <VirtualHost *:443>
        ServerName your-domain.com
     
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/your-domain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem
     
        ProxyPass / http://localhost:9090/
        ProxyPassReverse / http://localhost:9090/
     
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

  • Save the configuration file and reload Apache:

    sudo systemctl reload apache2

• Caddy

Note

If you don’t have Caddy installed, you can follow this guide to install it.

• Open the Caddyfile for editing:

  sudo vim /etc/caddy/Caddyfile

• Add the following configuration to the file:

  your-domain.com {
      ...
      reverse_proxy localhost:9090
  }

  Note

  Replace your-domain.com with your actual domain name.
  If you want to use authorization with Caddy, you can follow this guide.

  

• Save the Caddyfile and reload Caddy:

  sudo systemctl reload caddy

• Nginx

  • Create a new Nginx configuration file for your domain:

    sudo vim /etc/nginx/sites-available/your-domain.com

  • Add the following configuration to the file:

    server {
        listen 80;
        listen [::]:80;
     
        server_name your-domain.com;
     
        rewrite ^ https://$host$request_uri? permanent;
    }
     
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
     
        server_name your-domain.com;
     
        ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
     
        location / {
            proxy_pass http://localhost:9090;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

  • Save the configuration file and enable the site:

    sudo ln -s /etc/nginx/sites-available/your-domain.com /etc/nginx/sites-enabled/
    sudo systemctl reload nginx

• Then you can access Cockpit by navigating to https://your-domain.com in your web browser.

  

---

Conclusion

• In this guide, we have shown you how to install Cockpit on your server and set it up behind a reverse proxy. Cockpit provides a user-friendly interface for managing your server, and using a reverse proxy allows you to access it securely over the internet.