In this article, we will see how to configure a reverse proxy on Apache to access Cockpit via HTTPS, with support for WebSocket. This configuration is useful to improve security and accessibility when using Cockpit on an internal network.
192.168.1.100).
Edit the Apache configuration file or create a new virtual host to configure the reverse proxy for Cockpit. The configuration is as follows:
<VirtualHost *:443>
    # *:443 is assumed here (the standard HTTPS port)
    # Needs mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel, mod_headers and mod_deflate
    ServerName example.domain.com
    ProxyPreserveHost On

    # TLS between the client and Apache
    SSLEngine on
    SSLCertificateFile /path/to/certificates/cert.crt
    SSLCertificateKeyFile /path/to/certificates/key.key
    SSLCertificateChainFile /path/to/certificates/chain.crt
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    SSLCipherSuite HIGH:!aNULL:!MD5

    # TLS between Apache and Cockpit (certificate checks on the backend are disabled)
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off

    # Remove any X-Frame-Options header from responses
    Header always unset X-Frame-Options

    # Configure the proxy to Cockpit using HTTPS and WebSocket.
    # ProxyPass rules are checked in order and the first match wins, so /ws/ comes before /.
    # upgrade=websocket requires Apache 2.4.47 or later.
    ProxyPass /ws/ wss://192.168.1.100:9090/ws/
    ProxyPassReverse /ws/ wss://192.168.1.100:9090/ws/
    ProxyPass / https://192.168.1.100:9090/ upgrade=websocket
    ProxyPassReverse / https://192.168.1.100:9090/

    # Forward headers for HTTPS
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Host "example.domain.com"
    RequestHeader set X-Forwarded-SSL "on"

    # Response compression
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript
    SetOutputFilter INFLATE;DEFLATE

    # Allow access to the proxied site (enclosing <Location /> is assumed; Apache 2.4 syntax)
    <Location />
        Require all granted
    </Location>
</VirtualHost>
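- ProxyPreserveHost On: preserves the original host name.
- SSLEngine on and SSLProxyEngine On: enable SSL support for connections between Apache and the client, and between Apache and Cockpit.
- SSLProtocol and SSLCipherSuite: restrict protocols and cipher suites to enhance security.
- SSLProxyVerify none and the SSLProxyCheckPeer* off settings: disable verification of Cockpit's certificate, so the connection between Apache and Cockpit is encrypted but the backend is not authenticated. To verify it instead, point SSLProxyCACertificateFile at the CA that issued Cockpit's certificate and set SSLProxyVerify require.
- Header always unset X-Frame-Options: removes that header from responses, and with it the framing restriction it provides.
- ProxyPass and ProxyPassReverse: manage WebSocket and HTTPS connections between Apache and Cockpit.
- X-Forwarded headers: inform Cockpit that the connection is via HTTPS.

Once the configuration is complete, restart Apache to apply the changes: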
sudo systemctl restart apache2
This configuration allows secure access to Cockpit through an Apache reverse proxy. Be sure to verify the configuration and check the logs to troubleshoot any TLS handshake or WebSocket connection issues.
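One way to verify the configuration before restarting, as an added example that is not part of the original article: a small Python check that flags ProxyPass rules made unreachable by an earlier, shorter path, directives that disable checks on Cockpit's certificate, and removal of X-Frame-Options. The sample input is constructed, the finding codes are made-up names, and the check assumes the directives of a single virtual host with ProxyPass given a path argument.

```python
# Constructed sample input: a vhost fragment with the catch-all rule first.
SAMPLE = """\
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerName off
ProxyPass / https://192.168.1.100:9090/ upgrade=websocket
ProxyPass /ws/ wss://192.168.1.100:9090/ws/
Header always unset X-Frame-Options
"""

# Directive/value pairs that switch off checks on the backend certificate.
WEAK_BACKEND_TLS = {
    "sslproxyverify": "none",
    "sslproxycheckpeername": "off",
    "sslproxycheckpeercn": "off",
    "sslproxycheckpeerexpire": "off",
}

def directives(text):
    """Yield (line_no, lowercased name, args) for each directive line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = line.split()
            yield no, name.lower(), args

def audit(text):
    """Return (line_no, code, detail) findings for one vhost's directives."""
    findings, earlier = [], []
    for no, name, args in directives(text):
        if name == "proxypass" and args:
            path = args[0]
            # mod_proxy applies the first ProxyPass that matches, so a rule
            # whose path starts with an earlier rule's path is never reached.
            hit = next(((n, p) for n, p in earlier if path.startswith(p)), None)
            if hit:
                findings.append((no, "shadowed-proxypass",
                                 f"{path} already matched by {hit[1]} on line {hit[0]}"))
            earlier.append((no, path))
        elif name in WEAK_BACKEND_TLS and args and args[0].lower() == WEAK_BACKEND_TLS[name]:
            findings.append((no, "backend-cert-unchecked", f"{name} {args[0]}"))
        elif name == "header" and [a.lower() for a in args[-2:]] == ["unset", "x-frame-options"]:
            findings.append((no, "x-frame-options-removed", " ".join(args)))
    return findings

if __name__ == "__main__":
    for no, code, detail in audit(SAMPLE):
        print(f"line {no}: {code}: {detail}")
```
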