Apache reverse proxy for Cockpit KVM
In this article, we will see how to configure a reverse proxy on Apache to access Cockpit via HTTPS, with support for WebSocket. This configuration is useful to improve security and accessibility when using Cockpit on an internal network.
Prerequisites
- A server with Apache installed and configured to support HTTPS.
- Cockpit installed on a server with an internal IP address (e.g., 192.168.1.100).
- Valid SSL certificates for Apache.
Configuring Apache as a Reverse Proxy
Edit the Apache configuration file or create a new virtual host to configure the reverse proxy for Cockpit. The configuration is as follows:
```
<VirtualHost *:443>
    ServerName example.domain.com
    ProxyPreserveHost On

    # SSL settings between the client and Apache
    SSLEngine on
    # TLS toward Cockpit; certificate checks on the backend hop are turned off
    SSLProxyEngine On
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLCertificateFile /path/to/certificates/cert.crt
    SSLCertificateKeyFile /path/to/certificates/key.key
    SSLCertificateChainFile /path/to/certificates/chain.crt
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    SSLCipherSuite HIGH:!aNULL:!MD5
    Header always unset X-Frame-Options

    # Configure the Proxy to Cockpit using HTTP and WebSocket
    ProxyPass / https://192.168.1.100:9090/ upgrade=websocket
    ProxyPassReverse / https://192.168.1.100:9090/
    ProxyPass /ws/ wss://192.168.1.100:9090/ws/
    ProxyPassReverse /ws/ wss://192.168.1.100:9090/ws/

    # Forward headers for HTTPS
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Host "example.domain.com"
    RequestHeader set X-Forwarded-SSL "on"

    # Response compression
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript

    <Location />
        SetOutputFilter INFLATE;DEFLATE
        # Apache 2.4 access control (replaces "Order deny,allow" / "Allow from all")
        Require all granted
    </Location>
</VirtualHost>
```
Configuration Explanation
- ProxyPreserveHost On: preserves the original host name.
- SSLEngine on and SSLProxyEngine On: enable SSL support for connections between Apache and the client, and between Apache and Cockpit.
- SSLProtocol and SSLCipherSuite: restrict protocols and cipher suites to enhance security.
- ProxyPass and ProxyPassReverse manage WebSocket and HTTPS connections between Apache and Cockpit.
- Support for X-Forwarded headers to inform Cockpit that the connection is via HTTPS.
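The SSLProxy* lines in the virtual host above switch off Apache's checks on Cockpit's certificate, so the hop to port 9090 is encrypted but not authenticated. The following Python audit is an added example, not part of the original article; it reports which of those checks a configuration disables, and its function names and single-file scope are assumptions made for illustration.

```python
# Added example (not from the article): report which backend TLS checks a vhost disables.
# Defaults and the PeerName/PeerCN interaction follow the Apache 2.4 mod_ssl docs.
# Simplification (assumption): the text is a single vhost; Include files are not followed.
DEFAULTS = {
    "sslproxyengine": "off",
    "sslproxyverify": "none",          # chain verification is opt-in
    "sslproxycheckpeername": "on",
    "sslproxycheckpeercn": "on",
    "sslproxycheckpeerexpire": "on",
}

# SSLProxy* lines copied from the article's virtual host
ARTICLE_VHOST = """\
SSLProxyEngine On
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLProxyVerify none
SSLProxyCheckPeerCN off
"""

def effective_settings(conf_text):
    """Last value wins; directive names and on/off values are case-insensitive."""
    settings = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            if parts[0].lower() in settings:
                settings[parts[0].lower()] = parts[1].lower()
    return settings

def audit(conf_text):
    """Return (check, reason) pairs for the TLS hop from Apache to the backend."""
    s = effective_settings(conf_text)
    if s["sslproxyengine"] != "on":
        return []  # Apache does not speak TLS to the backend at all
    findings = []
    if s["sslproxyverify"] != "require":
        findings.append(("chain", "backend certificate chain is not verified"))
    # PeerCN is only consulted when PeerName is off, so the name check is
    # gone only when both are off.
    if s["sslproxycheckpeername"] == "off" and s["sslproxycheckpeercn"] == "off":
        findings.append(("name", "backend certificate name is not matched"))
    if s["sslproxycheckpeerexpire"] == "off":
        findings.append(("expiry", "expired backend certificates are accepted"))
    return findings

if __name__ == "__main__":
    for check, reason in audit(ARTICLE_VHOST):
        print(f"{check}: {reason}")
```

Because SSLProxyVerify defaults to none, deleting that line alone still leaves the chain unverified; the audit only clears the finding when it is set to require.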
Restarting Apache
Once the configuration is complete, restart Apache to apply the changes:
```
sudo systemctl restart apache2
```
Conclusion
This configuration allows secure access to Cockpit through an Apache reverse proxy. Be sure to verify the configuration and check the logs to troubleshoot any TLS handshake or WebSocket connection issues.