Proxying Cockpit over NGINX

Cockpit works on a web socket combined with http/https interface, Web Socket is used to deliver active content back and forth between client and server. But when a proxy sits in between, it needs to be configured likely.

To configure Cockpit proxy over NGINX, create a server virtual block, here is a reference guide. and add the following lines to it. This config would deliver specific set of work environments do read the description to change config to your custom needs.

` map $http_upgrade $connection_upgrade { default upgrade; '' close; }

upstream websocket { server 127.0.0.1:9090; }

server { listen 80; server_name cockpit.domain.tld www.cockpit.domain.tld; return 301 https://$server_name$request_uri; }

server { listen 443; server_name www.cockpit.domain.tld cockpit.domain.tld;

    ssl on;
    ssl_certificate /path/to/certificate;
    ssl_certificate_key /path/to/key;

location / {
    proxy_pass http://127.0.0.1:9090;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header X-Real-IP  $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    # needed for websocket
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    # change scheme of "Origin" to http
    proxy_set_header Origin http://$host;
}

} `

By default Cockpit uses http protocol to connect to localhost, Since our proxy would likely reside on localhost we would redirect all http client requests to https return 301 https://$server_name$request_uri;

By default cockpit generates a ssl certificate which is stored at /etc/cockpit/ws-certs.d/ In our case we would used NGINX to do all the TLS encryption work. Edit these lines with your own ssl server and client keys. ssl_certificate /path/to/certificate; ssl_certificate_key /path/to/key; Here is How to generate our self signed SSL

This would enable us to redirect to Cockpit via this proxy host.