Cockpit over Cloudflare Zero Trust
Advice on configuring Cockpit to work reliably over the Cloudflare Zero Trust (Access) network.
The problem
The trivial setup, where Cockpit is installed in its default configuration and listens on its HTTPS port while cloudflared talks to it over TLS with relaxed certificate validation, results in unstable, flaky behaviour: it sort of works, but pages time out, fail to load, and are generally quite annoying to use.
The solution
The better way to configure it is to use plain HTTP between the cloudflared daemon and Cockpit, and to tell Cockpit to expect connections from a reverse proxy.
Cloudflare
On the Cloudflare side, set up the desired public hostname, e.g. https://cockpit.arrogantrabbit.com, with an http service pointing to localhost:9090. No other configuration is required there.
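For a locally managed tunnel, the same hostname-to-service mapping lives in cloudflared's config.yml. The following is an added example and not from the original post; the tunnel ID and credentials path are placeholders. It shows the flaky TLS-with-relaxed-validation rule (commented out) beside the corrected plain-HTTP rule:

```yaml
# Added example: cloudflared config.yml for a locally managed tunnel.
# <TUNNEL-ID> and the credentials-file path are placeholders.
tunnel: <TUNNEL-ID>
credentials-file: /root/.cloudflared/<TUNNEL-ID>.json

ingress:
  # Flaky: cloudflared speaks TLS to Cockpit's self-signed HTTPS listener
  # and skips certificate checks. This is the setup that times out.
  # - hostname: cockpit.arrogantrabbit.com
  #   service: https://localhost:9090
  #   originRequest:
  #     noTLSVerify: true

  # Corrected: plain HTTP over the loopback interface; Cockpit is told via
  # cockpit.conf that it sits behind a reverse proxy.
  - hostname: cockpit.arrogantrabbit.com
    service: http://localhost:9090

  # Catch-all rule that cloudflared requires as the last ingress entry.
  - service: http_status:404
```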
Cockpit
On the host running Cockpit, create the cockpit.conf file if it does not exist and add the following configuration:
[WebService]
Origins = https://cockpit.arrogantrabbit.com
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
This instructs Cockpit to:
- accept connections from the specified origin(s)
- use the X-Forwarded-Proto header to tell whether the client connection used TLS
- allow unencrypted HTTP connections, which turns off the redirect to HTTPS
Restart the service and test the connection. It will be stable now.