Apache reverse proxy for Cockpit KVM

In this article, we will see how to configure a reverse proxy on Apache to access Cockpit via HTTPS, with support for WebSocket. This configuration is useful to improve security and accessibility when using Cockpit on an internal network.

Prerequisites

  • A server with Apache installed and configured to support HTTPS.
  • Cockpit installed on a server with an internal IP address (e.g., 192.168.1.100).
  • Valid SSL certificates for Apache.

Configuring Apache as a Reverse Proxy

Edit the Apache configuration file or create a new virtual host to configure the reverse proxy for Cockpit. The configuration is as follows:

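# HTTPS virtual host (listening on *:443 is assumed here).
# Requires mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel,
# mod_headers and mod_deflate.
<VirtualHost *:443>
    ServerName example.domain.com

    ProxyPreserveHost On

    # TLS between the client and Apache
    SSLEngine on
    SSLCertificateFile /path/to/certificates/cert.crt
    SSLCertificateKeyFile /path/to/certificates/key.key
    SSLCertificateChainFile /path/to/certificates/chain.crt
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    SSLCipherSuite HIGH:!aNULL:!MD5

    # TLS between Apache and Cockpit. The four settings after SSLProxyEngine
    # disable all verification of Cockpit's certificate, so the backend link
    # is encrypted but not authenticated. To verify it, set SSLProxyVerify
    # require and point SSLProxyCACertificateFile at Cockpit's certificate.
    SSLProxyEngine On
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLProxyVerify none
    SSLProxyCheckPeerCN off

    # Strips X-Frame-Options from responses, which removes that
    # anti-clickjacking restriction; keep only if Cockpit must be framed.
    Header always unset X-Frame-Options

    # Proxy HTTP and WebSocket traffic to Cockpit. ProxyPass rules are
    # checked in order and the first match wins, so /ws/ precedes /.
    ProxyPass /ws/ wss://192.168.1.100:9090/ws/
    ProxyPassReverse /ws/ wss://192.168.1.100:9090/ws/
    ProxyPass / https://192.168.1.100:9090/ upgrade=websocket
    ProxyPassReverse / https://192.168.1.100:9090/

    # Forward headers for HTTPS
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Host "example.domain.com"
    RequestHeader set X-Forwarded-SSL "on"

    # Response compression
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript

    # Compression filters and access for all proxied paths
    # (<Location /> is assumed as the enclosing container).
    <Location />
        SetOutputFilter INFLATE;DEFLATE
        # Apache 2.4 access-control syntax
        Require all granted
    </Location>
</VirtualHost>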

Configuration Explanation

  • ProxyPreserveHost On: preserves the original host name.
  • SSLEngine on and SSLProxyEngine On: enable SSL support for connections between Apache and the client, and between Apache and Cockpit.
  • SSLProtocol and SSLCipherSuite: restrict protocols and cipher suites to enhance security.
  • ProxyPass and ProxyPassReverse manage WebSocket and HTTPS connections between Apache and Cockpit.
  • RequestHeader set X-Forwarded-*: sets the X-Forwarded headers to inform Cockpit that the connection is via HTTPS.
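
The following check is an added example, not part of the original article: it scans a virtual host for the settings described above that weaken the setup (disabled backend certificate checks, removal of X-Frame-Options, and a ProxyPass rule shadowed by an earlier, shorter prefix). The names audit_vhost, WEAK_BACKEND_TLS and SAMPLE are hypothetical, and the sample text is constructed from this article's directives.

```python
# Directive values that switch off verification of the backend (Cockpit) certificate.
WEAK_BACKEND_TLS = {
    "sslproxyverify": "none",
    "sslproxycheckpeername": "off",
    "sslproxycheckpeercn": "off",
    "sslproxycheckpeerexpire": "off",
}

def audit_vhost(text):
    """Return a list of (line_number, finding) tuples for an Apache vhost."""
    findings, seen = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue  # skip blanks, comments and container tags
        parts = line.split()
        name, args = parts[0].lower(), parts[1:]
        lowered = [a.lower() for a in args]
        if args and WEAK_BACKEND_TLS.get(name) == lowered[0]:
            findings.append((lineno, f"{parts[0]} {args[0]}: backend certificate not verified"))
        elif name == "header" and "unset" in lowered and "x-frame-options" in lowered:
            findings.append((lineno, "X-Frame-Options removed: framing restriction dropped"))
        elif name == "proxypass" and args:
            # ProxyPass rules are checked in order and the first match wins;
            # plain string-prefix matching is used here as an approximation.
            shadow = next((p for p in seen if args[0].startswith(p)), None)
            if shadow is not None:
                findings.append((lineno, f"ProxyPass {args[0]} is shadowed by earlier ProxyPass {shadow}"))
            seen.append(args[0])
    return findings

# Constructed sample using directives from this article (not a real server's file).
SAMPLE = """\
<VirtualHost *:443>
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    Header always unset X-Frame-Options
    ProxyPass / https://192.168.1.100:9090/ upgrade=websocket
    ProxyPass /ws/ wss://192.168.1.100:9090/ws/
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, finding in audit_vhost(SAMPLE):
        print(f"line {lineno}: {finding}")
```

To audit a real file, pass its contents to audit_vhost() before restarting Apache.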

Restarting Apache

Once the configuration is complete, restart Apache to apply the changes:

sudo systemctl restart apache2

Conclusion

This configuration allows secure access to Cockpit through an Apache reverse proxy. Be sure to verify the configuration and check the logs to troubleshoot any TLS handshake or WebSocket connection issues.