Advice on configuring Cockpit to work reliably over the Cloudflare Zero Trust (Access) network.

The problem

The trivial setup, where the cockpit is installed in its default configuration, is listening on an HTTPS port, while cloudflared talks to it over SSL with relaxed SSL validation requirements results in unstable, flaky performance, where it sort of works, but pages time out, don’t load, and generally behave in a quite annoying way.

The solution

The better way to configure it is to use HTTP between the cloudflared daemon and the cockpit, and tell the latter to expect connections from the reverse proxy.


On the Cloudflare side, set up the desired public hostname, e.g. with the http service to localhost:9090. No other configuration is required there.


On the host running the cockpit, create the cockpit.conf file if it does not exist and add the following configuration:

Origins =
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true

This instructs the cockpit to:

  • accept connections from the specified domains
  • let it distinguish if the connection is using TLS by the header
  • allow HTTP connections. This turns off redirects to HTTPS.

Restart the service and test the connection. It will be stable now.