Apache reverse proxy for Cockpit KVM
In this article, we will see how to configure a reverse proxy on Apache to access Cockpit via HTTPS, with support for WebSocket. This configuration is useful to improve security and accessibility when using Cockpit on an internal network.
Prerequisites
- A server with Apache installed and configured to support HTTPS.
- Cockpit installed on a server with an internal IP address (e.g., 192.168.1.100).
- Valid SSL certificates for Apache.
Configuring Apache as a Reverse Proxy
Edit the Apache configuration file or create a new virtual host to configure the reverse proxy for Cockpit. The configuration is as follows:
<VirtualHost *:443>
    ServerName example.domain.com
    ProxyPreserveHost On

    # SSL settings: client to Apache (SSL*) and Apache to Cockpit (SSLProxy*)
    SSLEngine on
    SSLProxyEngine On
    # The next four lines turn off validation of Cockpit's certificate
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLCertificateFile /path/to/certificates/cert.crt
    SSLCertificateKeyFile /path/to/certificates/key.key
    SSLCertificateChainFile /path/to/certificates/chain.crt
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    SSLCipherSuite HIGH:!aNULL:!MD5
    Header always unset X-Frame-Options

    # Configure the proxy to Cockpit using HTTPS and WebSocket.
    # ProxyPass rules are checked in configuration order and the first match
    # wins, so the more specific /ws/ path is listed before /.
    ProxyPass /ws/ wss://192.168.1.100:9090/ws/
    ProxyPassReverse /ws/ wss://192.168.1.100:9090/ws/
    ProxyPass / https://192.168.1.100:9090/ upgrade=websocket
    ProxyPassReverse / https://192.168.1.100:9090/

    # Forward headers for HTTPS
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Host "example.domain.com"
    RequestHeader set X-Forwarded-SSL "on"

    # Response compression
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
    SetOutputFilter INFLATE;DEFLATE

    # Apache 2.2-style access control (provided by mod_access_compat on 2.4)
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>
Configuration Explanation
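- ProxyPreserveHost On: preserves the original host name.
- SSLEngine on and SSLProxyEngine On: enable SSL support for connections between Apache and the client, and between Apache and Cockpit.
- SSLProxyVerify none together with SSLProxyCheckPeerName, SSLProxyCheckPeerCN and SSLProxyCheckPeerExpire set to off: turn off validation of Cockpit's certificate, so the connection from Apache to Cockpit is encrypted but the backend's identity is not verified.
- SSLProtocol and SSLCipherSuite: restrict protocols and cipher suites to enhance security.
- Header always unset X-Frame-Options: removes the X-Frame-Options header from responses, which lifts the framing restriction that header would impose.
- ProxyPass and ProxyPassReverse: manage WebSocket and HTTPS connections between Apache and Cockpit.
- X-Forwarded headers: inform Cockpit that the connection is via HTTPS.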
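The following audit script is an added example, not part of the original article. It computes the effective Apache-to-backend verification state from the SSLProxy* directives discussed above, applying the mod_ssl defaults when a directive is absent. The function name, the finding strings and the CA file path are assumptions made for illustration.

```python
# Defaults from the mod_ssl documentation, applied when a directive is absent.
DEFAULTS = {"sslproxyverify": "none", "sslproxycheckpeername": "on",
            "sslproxycheckpeercn": "on", "sslproxycheckpeerexpire": "on"}
CA_DIRECTIVES = ("sslproxycacertificatefile", "sslproxycacertificatepath")

# Constructed sample: the proxy-side TLS lines of the virtual host above.
ARTICLE_VHOST = """\
SSLProxyEngine On
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLProxyVerify none
SSLProxyCheckPeerCN off
"""

# Constructed sample: verification enabled; the CA path is a placeholder.
VERIFIED_VHOST = """\
SSLProxyEngine On
SSLProxyVerify require
SSLProxyCACertificateFile /path/to/certificates/cockpit-ca.crt
"""

def backend_tls_findings(config_text):
    """Return the backend-verification gaps found in an Apache config snippet."""
    effective, has_ca = dict(DEFAULTS), False
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        name, value = parts[0].lower(), parts[1].lower()
        if name in effective:
            effective[name] = value  # a later occurrence overrides an earlier one
        elif name in CA_DIRECTIVES:
            has_ca = True
    findings = []
    if effective["sslproxyverify"] in ("none", "optional_no_ca"):
        findings.append("chain: backend certificate chain is not validated")
    elif not has_ca:
        findings.append("chain: SSLProxyVerify set but no proxy CA file or path given")
    # SSLProxyCheckPeerCN is only consulted when SSLProxyCheckPeerName is off.
    if (effective["sslproxycheckpeername"] == "off"
            and effective["sslproxycheckpeercn"] == "off"):
        findings.append("name: backend certificate name is not checked")
    if effective["sslproxycheckpeerexpire"] == "off":
        findings.append("expiry: expired backend certificates are accepted")
    return findings

if __name__ == "__main__":
    for label, cfg in (("article", ARTICLE_VHOST), ("verified", VERIFIED_VHOST)):
        print(label, backend_tls_findings(cfg) or "no findings")
```

An empty result for a virtual host means the backend certificate chain, name and expiry checks are all in effect for it.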
Restarting Apache
Once the configuration is complete, restart Apache to apply the changes:
sudo systemctl restart apache2
Conclusion
This configuration allows secure access to Cockpit through an Apache reverse proxy. Be sure to verify the configuration and check the logs to troubleshoot any TLS handshake or WebSocket connection issues.