Accessing Neth Server Cockpit behind a Nginx reverse proxy

Has anyone been able to make access work to Neth Server Cockpit behind a Nginx reverse proxy?

There is no issue with making the old Neth control panel accessible.

I have the reverse proxy set up with WebSocket forwarding, but there is still an issue with the NethServer Content Security Policy blocking content from loading correctly. I have been trying different proxy rewrites but so far still have not been able to load pages fully.

Do not know much about the Nginx reverse proxy,
however found this write up at the cockpit project:

PLEASE NOTE /etc/cockpit/cockpit.conf is a templated configuration file! Changes to it will be overwritten by updates / setting-changes of/to cockpit.
(You can make temporary changes to figure out a working setup and create a custom template afterwards.)

1 Like

It looks like a good lead. Thanks Mark

RE (You can make temporary changes to figure-out a working setup and create a custom template afterwards .)

It looks like I need to restart Cockpit (which means a server restart I believe as there is no cockpit service) to allow template to load the change to the /etc/cockpit/cockpit.conf file.

So I looked at making a custom template. I created a file /etc/e-smith/templates-custom/etc/cockpit/cockpit.conf/60negotiate to match the template found at /etc/e-smith/templates/etc/cockpit/cockpit.conf/60negotiate, but I must be missing something in the template system as I had no luck. Still the same template after restart.

If I get some time in the next few days I will check the developer’s manual.

The temporary change should “survive” a restart or reboot. :grinning:

If you have a working setup by simply editing cockpit.conf, post your (anonymized) cockpit.conf here and we will try to figure out a custom template fitting your needs.

try:

expand-template /etc/cockpit/cockpit.conf

2 Likes

If you want to try, there is a cockpit.socket service.

2 Likes

Thank you that made testing easier. Temp changes in /etc/cockpit/cockpit.conf stayed after restart of service.

I just hope cockpit took the change with a service restart so I did not have a false negative test.

Hi Mark,

OK, with the extra help received here from yourself and Marc I managed to run a test with the Cockpit project link you suggested. Thank you.

It did not work and reports Content Security Policy issues still.

-------Content of nginx template file (.stpl file) below ---------------

server {
    listen      %ip%:%proxy_ssl_port% ssl http2;
    server_name %domain_idn% %alias_idn%;
    ssl_certificate      %ssl_pem%;
    ssl_certificate_key  %ssl_key%;
    ssl_stapling on;
    ssl_stapling_verify on;
    error_log  /var/log/%web_system%/domains/%domain%.error.log error;

    include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;

    location / {

        # Required to proxy the connection to Cockpit
        proxy_pass https://192.168.0.250:9090/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for web sockets to function
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass ETag header from Cockpit to clients.
        # See: https://github.com/cockpit-project/cockpit/issues/5239
        gzip off;

        # Nested location: requests for these static extensions are served
        # from the document root and fall back to the web backend on
        # %web_ssl_port%, so they never reach the Cockpit proxy_pass above.
        location ~* ^.+\.(%proxy_extentions%)$ {
            root           %sdocroot%;
            access_log     /var/log/%web_system%/domains/%domain%.log combined;
            access_log     /var/log/%web_system%/domains/%domain%.bytes bytes;
            expires        max;
            try_files      $uri @fallback;
        }
    }

    location /error/ {
        alias   %home%/%user%/web/%domain%/document_errors/;
    }

    location @fallback {
        proxy_pass      https://%ip%:%web_ssl_port%;
    }

    location ~ /\.ht    {return 404;}
    location ~ /\.svn/  {return 404;}
    location ~ /\.git/  {return 404;}
    location ~ /\.hg/   {return 404;}
    location ~ /\.bzr/  {return 404;}

    include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
}

------------ Finish ----------

------------- Temp changes to /etc/cockpit/cockpit.conf below ----------------

# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
#
#
# 60negotiate - add negotiate section to suppress prompt in some browsers
#

[negotiate]
action = none

[WebService]
Origins = https://my-nethserver-web-address wss://my-nethserver-web-address
ProtocolHeader = X-Forwarded-Proto

--------------- Finish ------------------------

------- Below error received in web browser after cockpit (Neth Server) -------------

Refused to frame ‘https://my-nethserver-web-address:9090/’ because it violates the following Content Security Policy directive: “default-src ‘self’ https://my-nethserver-web-address”. Note that ‘frame-src’ was not explicitly set, so ‘default-src’ is used as a fallback.

--------------- Finish ------------------------

After login to Cockpit the page shows the left nav bar of Cockpit only.

Unless you have any other suggestions I will work on a Nginx proxy_pass_header content-security-policy to see if I can clear the issues.

I will post if I find an answer.

Thanks

1 Like

If a host-source (domain name) is specified in the policy and no port number is specified, only standard ports will be allowed (80 for http: and 443 for https:).
Therefore you need to use * to indicate any port number:
default-src 'self' https://my-nethserver-web-address:*

3 Likes
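To make the port rule above concrete, here is an added example (my own code, not from this thread, Cockpit or NethServer): a minimal CSP source matcher that reproduces the browser's decision for the error quoted earlier. It assumes a constructed default-port table and simplifies CSP Level 3 matching to origins (no path matching); with the original directive, https://my-nethserver-web-address:9090/ is refused, while the same source with :* allows it.

```python
from urllib.parse import urlsplit

# Assumed default ports per scheme (constructed for this example).
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_parts(url):
    """Return (scheme, host, effective port) for a URL, filling in the default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def source_matches(source, url, self_origin):
    """Match one CSP source expression against url using the host-source port rule."""
    u_scheme, u_host, u_port = origin_parts(url)
    if source == "'self'":
        return origin_parts(url) == origin_parts(self_origin)
    if source.startswith("'"):          # 'none', 'unsafe-inline', ... never allow a URL
        return False
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:   # scheme-source such as https:
        return source[:-1].lower() == u_scheme
    scheme, sep, rest = source.partition("://")
    if not sep:                                      # bare host: takes the page's scheme
        scheme, rest = None, scheme
    host, _, port = rest.partition(":")
    # http: sources also cover https: (and ws: covers wss:), as in CSP Level 3
    upgrades = {("http", "https"), ("ws", "wss")}
    if scheme and scheme != u_scheme and (scheme, u_scheme) not in upgrades:
        return False
    if host.startswith("*."):
        if not u_host.endswith(host[1:]):
            return False
    elif host.lower() != u_host:
        return False
    if port == "":            # no port in the source: only the scheme's default port matches
        return u_port == DEFAULT_PORTS.get(u_scheme)
    return port == "*" or int(port) == u_port


def csp_allows(directive, url, self_origin):
    """True if any source in e.g. "default-src 'self' https://host:*" allows url."""
    sources = directive.split()
    if sources and sources[0].endswith("-src"):      # drop the directive name if present
        sources = sources[1:]
    return any(source_matches(s, url, self_origin) for s in sources)
```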

Thanks Yury, I did not think that I would need :* because I was using a standard port from external.
I gave it a try to make sure and the error …

------- Below error received in web browser after cockpit (Neth Server) -------------

Refused to frame ‘https://my-nethserver-web-address:9090/’ because it violates the following Content Security Policy directive: “default-src ‘self’ https://my-nethserver-web-address”. Note that ‘frame-src’ was not explicitly set, so ‘default-src’ is used as a fallback.

--------------- Finish ------------------------

was gone. Yay and thank you

I am still looking to clear two faults -

I still have errors on page loading -

I have also found that by adding the required cockpit code -

[WebService]
Origins = https://my-nethserver-web-address wss://my-nethserver-web-address
ProtocolHeader = X-Forwarded-Proto

to the cockpit.conf file it stops local access (https://192.168.0.250:9090) to NethServer Cockpit.

It's not my profile because it is not related to Content Security Policy. But https://192.168.0.250:9090 looks wrong because you can not assign an SSL cert to an IP address. At least it should be http://192.168.0.250:9090 (with the http: scheme).

Commonly, an origin means the same Scheme / HostName / PortNumber. I do not know how NethServer uses the Origins setting, but http://192.168.0.250:9090 does not comply with https://my-nethserver-web-address.
Maybe you need to add the http://192.168.0.250:9090 source to the Origins setup.