Featured, Linux

How to install Cockpit on CentOS 7 / CentOS 9 Stream and configure Nginx reserve proxy

How to install Cockpit on CentOS 7 / CentOS 9

From cockpit-project.org, Cockpit is a web-based graphical interface for servers, intended for everyone, especially those who are:

  • new to Linux (including Windows admins)
  • familiar with Linux and want an easy, graphical way to administer servers
  • expert admins who mainly use other tools but want an overview on individual systems

Thanks to Cockpit intentionally using system APIs and commands, a whole team of admins can manage a system in the way they prefer, including the command line and utilities right alongside Cockpit.

Why Cockpit?

  • It’s Simple to use, Cockpit makes Linux discoverable.
  • Compatible with your existing workflows, Cockpit uses the same system tooling you would use from the command line.
  • Integrated, Cockpit uses APIs that already exist on the system
  • Extendable, Cockpit also supports a large list of optional and third-party applications.

You can check more about Cockpit on their website on https://cockpit-project.org/

How To Install Cockpit

yum install cockpit -y
#Additional package
yum install cockpit-packagekit
yum install cockpit-storaged
yum install https://github.com/45Drives/cockpit-navigator/releases/download/v0.5.10/cockpit-navigator-0.5.10-1.el7.noarch.rpm

Then enable cockpit on start up and start cockpit with command:

systemctl enable cockpit.socket
systemctl start cockpit

Cockpit listen on Port 9090. You can open browser and go to https://server_ip:9090.

If you want Cockpit available from network, you need to open IP Tables or Firewalld.

firewall-cmd --add-service=cockpit
firewall-cmd --add-service=cockpit --permanent
firewall-cmd --reload

But, it is not secure. There are many brute force bot will attack your server. Better we run with nginx.

Cockpit Control Panel

How to configure Nginx as reserve proxy for Cockpit socket

Create upstream block on Nginx

upstream cockpit {
    server 127.0.0.1:9090;
    keepalive 32;
}
Then on Server block, you can use code below:
server {
	listen   SERVER_IP:443 ssl;
	http2 on;
	server_name cockpit.serverdiary.com;
	
	root   /var/www/html/cockpit.serverdiary.com;
	index  index.php index.html index.htm;

	ssl_certificate    		/etc/letsencrypt/live/cockpit.serverdiary.com/fullchain.pem;
	ssl_certificate_key		/etc/letsencrypt/live/cockpit.serverdiary.com/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/cockpit.serverdiary.com/fullchain.pem;
	
	ssl_session_tickets on;
	ssl_session_timeout 24h;
	ssl_session_cache shared:SSL:30m;
	ssl_early_data on;
	ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
	ssl_ecdh_curve X25519:P-256:P-384;
	ssl_prefer_server_ciphers on;
	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

	access_log /var/log/nginx/cockpit.serverdiary.com.access.log combined buffer=512k flush=1m;
	error_log /var/log/nginx/cockpit.serverdiary.com.error.log;
	
	location / {
        # Required to proxy the connection to Cockpit
        proxy_pass https://cockpit;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for web sockets to function
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass ETag header from Cockpit to clients.
        # See: https://github.com/cockpit-project/cockpit/issues/5239
        gzip off;
    }
}

Now it’s more secure. That’s it.

ServerDiary

ServerDiary

Related Posts

One thought on “How to install Cockpit on CentOS 7 / CentOS 9 Stream and configure Nginx reserve proxy

  1. Pingback: How to secure cockpit login with Google Two Facto Authenticator 2FA - SERVERDIARY

Leave a Reply

Your email address will not be published. Required fields are marked *