Connect letsencrypt container to proxy native (non-docker) cockpit

#1

Hopefully this is quick and easy. I’m running a server with cockpit installed natively (using apt), so NOT running in a container. I’m also running a letsencrypt container to proxy requests to multiple other containers. Cockpit exposes a web interface on the host server on port 9090, so I figured it would be pretty simple to copy-paste one of the other proxy-pass configs. Unfortunately it’s not working. I was hoping somebody here better w/ nginx configs could help.

Here is my custom cockpit proxy config:
# make sure that your dns has a cname set for cockpit and that your cockpit container is not using a base url

server {
    listen 443 ssl;

    server_name cockpit.*;

    # hide site from search engines
    add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # allow local addresses without http auth
        satisfy any;

        allow 192.168.1.0/24;
        allow 127.0.0.1;
        deny  all;

        # enable the next two lines for http auth
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_cockpit cockpit;
        proxy_pass http://192.168.1.200:9090;
    }
}

To be clear, all of my other services are working (sonarr, radarr, etc.). I copied this from the deluge.subdomain.conf file that is working (and just changed deluge -> cockpit, and changed the port to 9090). My general config seems to be fine, it’s just this one proxy that isn’t working.

When I go to https://cockpit.my.domain.org in Chrome I get a “This page isn’t working cockpit.my.domain.org redirected you too many times.” error.

Any help is appreciated!


#2

Redirected too many times may suggest that cockpit is doing a redirect that causes a redirect, i.e. a loop.

I never used cockpit so I don’t know but see if there are any redirect options like http->https or to another address or something and turn them off.

Also try getting rid of the allow/deny and the htpasswd to start. Once you get it working, you can add those one by one. You now have too many variables that could be causing issues. Better to diagnose via one variable at a time.


#3

I found this: https://github.com/cockpit-project/cockpit/wiki/Proxying-Cockpit-over-NGINX

I replicated that config here:

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

upstream websocket {
    server 127.0.0.1:9090;
}

server {
    listen 443 ssl;

    server_name cockpit.*;

    # hide site from search engines
    add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_cockpit cockpit;
        proxy_pass http://127.0.0.1:9090;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # change scheme of "Origin" to http
        proxy_set_header Origin http://$host;

        # Pass ETag header from cockpit to clients.
        # See: https://github.com/cockpit-project/cockpit/issues/5239
        gzip off;
    }

    access_log /cockpit-access.log;
    error_log /cockpit-error.log;
}

Now I’m getting connection refused instead of too many redirects. Could this have something to do with websockets?

I’ve also tried host and bridge networking and neither worked. Maybe I just can’t proxy cockpit through nginx?


#4

127.0.0.1 won’t work with docker containers unless they are both in host networking, which is not recommended. You need to use the host server IP instead.
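
The point made in #4, as an added example that is not part of the thread: a small Python check that flags every `proxy_pass` whose target, directly or through an `upstream` block, is a loopback address, which inside a bridge-networked container means the container itself rather than the host. The function names and the trimmed sample config are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample, trimmed from the config in post #3 (not a full nginx config).
SAMPLE_CONF = """
upstream websocket {
    server 127.0.0.1:9090;
}
server {
    location / {
        proxy_pass http://127.0.0.1:9090;
    }
    location /ws {
        proxy_pass http://websocket;
    }
    location /lan {
        proxy_pass http://192.168.1.200:9090;
    }
}
"""

def is_loopback(host):
    """True for localhost and any address in 127.0.0.0/8 or ::1."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name (e.g. a container name), not an IP literal

def upstream_servers(conf):
    """Map each upstream block name to the hosts on its server lines."""
    servers = {}
    for name, body in re.findall(r"^\s*upstream\s+(\S+)\s*\{([^}]*)\}", conf, re.M):
        hosts = re.findall(r"^\s*server\s+([^\s;]+)", body, re.M)
        servers[name] = [urlsplit("//" + h).hostname or "" for h in hosts]
    return servers

def loopback_proxy_targets(conf):
    """Return (line_number, target) for each proxy_pass that ends at loopback."""
    upstreams = upstream_servers(conf)
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = re.match(r"\s*proxy_pass\s+(\S+?);", line)  # commented lines do not match
        if m:
            host = urlsplit(m.group(1)).hostname or ""
            if any(is_loopback(h) for h in upstreams.get(host, [host])):
                findings.append((lineno, m.group(1)))
    return findings
```

A finding only matters when nginx runs in its own network namespace; with host networking, loopback does reach the host's Cockpit.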