Skip to main content

Secure Cockpit

Cockpit is "a web-based graphical interface for servers, intended for everyone". It provides a method of managing many administrative server tasks that would normally require command line access.

Before You Begin

This guide assumes you already have Pomerium installed and connected to your IdP. If not, follow the instructions in the following articles before continuing:

Install & Configure Cockpit

  1. Cockpit provides detailed instructions on installation for many popular Linux distributions. See Running Cockpit to find the steps to match your server.

  2. Once installed, create or edit /etc/cockpit/cockpit.conf to prepare it to accept proxied connections:

    [WebService]
    Origins = https://cockpit.localhost.pomerium.io wss://cockpit.localhost.pomerium.io
    ProtocolHeader = X-Forwarded-Proto
    • Adjust cockpit.localhost.pomerium.io to match the URL Cockpit will be accessible from.
  3. Restart the Cockpit service to apply the changes:

    sudo systemctl restart cockpit.service

Pomerium Route

  1. A Pomerium route for Cockpit can follow the basic route examples, but requires websockets to load the dashboard after initial login:

    - from: https://cockpit.localhost.pomerium.io
    to: http://localhost:9090
    allow_websockets: true
    policy:
    - allow:
    or:
    - email:
    is: alice@example.com
    - email:
    is: bob@example.com
    • This example assumes that Pomerium is running as a system service on the same server as Cockpit. Adust the to value to match the path to the Cockpit service if running on another server.
    • Adjust cockpit.localhost.pomerium.io to match the URL Cockpit will be accessible from.
  2. If Pomerium is running as a system service the route will be updated automatically. Docker may not notify Pomerium of file changes, so the Pomerium container may need to be restarted.

  3. Navigate to the new route to confirm access:

    The Cockpit Login Screen

Authentication

Cockpit uses PAM authentication by default. The project documentation includes a Single Sign On page that covers authentication to the software using Kerberos. As of this page's last update, there's no known way to provide user authentication from Pomerium using JWT or HTTP Headers.

tip

Prove Us Wrong! Have you configured Cockpit to accept authentication from Pomerium? Let us know on GitHub, or post in the Community Showcase on our forums.