Advice on configuring Cockpit to work reliably over the Cloudflare Zero Trust (Access) network.

The problem

The trivial setup, in which the cockpit is installed in its default configuration and listens on its HTTPS port while cloudflared talks to it over TLS with certificate validation relaxed, results in unstable, flaky behaviour: it sort of works, but pages time out, fail to load, and are generally quite annoying to use.

The solution

The better way to configure it is to use HTTP between the cloudflared daemon and the cockpit, and tell the latter to expect connections from the reverse proxy.

Cloudflare

On the Cloudflare side, set up the desired public hostname, e.g. https://cockpit.arrogantrabbit.com, with the service type HTTP pointing to localhost:9090. No other configuration is required there.

Cockpit

On the host running the cockpit, create the cockpit.conf file if it does not exist and add the following configuration:

[WebService]
Origins = https://cockpit.arrogantrabbit.com
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true

This instructs the cockpit to:

  • accept connections from the specified origins
  • determine from that header whether the browser's connection to the proxy used TLS
  • allow plain HTTP connections, which turns off the redirect to HTTPS
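A small validator for the configuration above, added here as an example and not part of the original post: it parses a cockpit.conf and reports any of the three settings that would not work with the cloudflared hop (an Origins entry that is not a bare https:// origin, a ProtocolHeader other than X-Forwarded-Proto, or AllowUnencrypted left off). The sample configuration embedded in it is constructed to match the one shown above.

```python
"""Sanity-check a cockpit.conf meant for use behind cloudflared."""
import configparser
from urllib.parse import urlsplit

# Constructed sample matching the configuration described above.
SAMPLE_CONF = """\
[WebService]
Origins = https://cockpit.arrogantrabbit.com
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
"""


def check_cockpit_conf(text: str) -> list[str]:
    """Return a list of findings; an empty list means the three settings are sane."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep key names exactly as written in the file
    cfg.read_string(text)
    if not cfg.has_section("WebService"):
        return ["missing [WebService] section"]
    ws = cfg["WebService"]
    findings = []

    # Origins is a whitespace-separated list; each entry must be the public
    # https:// origin served by Cloudflare, with no path, query or fragment,
    # because it is compared against the browser's Origin header.
    origins = ws.get("Origins", "").split()
    if not origins:
        findings.append("Origins is unset: browsers behind the proxy will be rejected")
    for o in origins:
        u = urlsplit(o)
        if u.scheme != "https" or not u.netloc or u.path or u.query or u.fragment:
            findings.append(f"Origins entry {o!r} is not a bare https:// origin")

    # cloudflared reports the browser-facing scheme in X-Forwarded-Proto.
    if ws.get("ProtocolHeader") != "X-Forwarded-Proto":
        findings.append("ProtocolHeader should be X-Forwarded-Proto for cloudflared")

    # Without AllowUnencrypted the plain-HTTP hop from localhost is redirected
    # to HTTPS, which is the flaky setup the post starts from.
    if ws.get("AllowUnencrypted", "false").strip().lower() != "true":
        findings.append("AllowUnencrypted must be true for the http://localhost:9090 hop")
    return findings


if __name__ == "__main__":
    print(check_cockpit_conf(SAMPLE_CONF) or "cockpit.conf looks good")
```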

Restart the service and test the connection. It will be stable now.