COCKPIT.CONF(5)                  cockpit.conf                  COCKPIT.CONF(5)

NAME
    cockpit.conf - Cockpit configuration file

DESCRIPTION
    Cockpit can be configured via /etc/cockpit/cockpit.conf. This file is
    not required and may need to be created manually. The file has an INI
    file syntax and thus contains key / value pairs, grouped into topical
    groups. See the examples below for details.

    Note: The port that cockpit listens on cannot be changed in this file.
    To change the port, change the systemd cockpit.socket file.

WEBSERVICE
    Origins
        By default cockpit will not accept cross-domain websocket
        connections. Use this setting to allow access from alternate
        domains. Origins should include scheme, host and port, if
        necessary.

            [WebService]
            Origins = https://somedomain1.com https://somedomain2.com:9090

    ProtocolHeader
        Configure cockpit to look at the contents of this header to
        determine if a connection is using TLS. This should only be used
        when cockpit is behind a reverse proxy, and care should be taken to
        make sure that incoming requests cannot set this header.

            [WebService]
            ProtocolHeader = X-Forwarded-Proto

    LoginTitle
        Set the browser title for the login screen.

    LoginTo
        When set to true, the Connect to option on the login screen is
        visible and allows logging into another server. If this option is
        not specified then it will be automatically detected based on
        whether the cockpit-ssh process is available or not.

    RequireHost
        When set to true, cockpit will require users to use the Connect to
        option to specify the host to log into.

    MaxStartups
        Same as the sshd configuration option by the same name. Specifies
        the maximum number of concurrent login attempts allowed. Additional
        connections will be dropped until authentication succeeds or the
        connections are closed. Defaults to 10.

        Alternatively, random early drop can be enabled by specifying the
        three colon-separated values start:rate:full (e.g. "10:30:60").
        Cockpit will start refusing authentication attempts with a
        probability of rate/100 (30%) if there are currently start (10)
        unauthenticated connections. The probability increases linearly and
        all connection attempts are refused if the number of
        unauthenticated connections reaches full (60).

    AllowUnencrypted
        If true, cockpit will accept unencrypted HTTP connections.
        Otherwise, it redirects all HTTP connections to HTTPS. Exceptions
        are connections from localhost and for certain URLs (like /ping).
        Defaults to false.

    UrlRoot
        The root URL where you will be serving cockpit. When provided,
        cockpit will expect all requests to be prefixed with the given URL.
        This is mostly useful when you are using cockpit behind a reverse
        proxy, such as nginx. /cockpit/ and /cockpit+ are reserved and
        should not be used. For example, /cockpit-new/ is ok. /cockpit/ and
        /cockpit+new/ are not.

    ClientCertAuthentication
        If true, enable TLS client certificates for authenticating users.
        Commonly these are provided by a smart card, but it's equally
        possible to import certificates directly into the web browser.
        Please see the Certificate/smart card authentication[1] section in
        the Cockpit guide for details.

    Shell
        The relative URL to the top-level component to display in Cockpit
        once logged in. Defaults to /shell/index.html.

LOG
    Fatal
        The kind of log messages in the bridge to treat as fatal. Separate
        multiple values with spaces. Relevant values are: criticals and
        warnings.

OAUTH
    Cockpit can be configured to support the implicit grant[2] OAuth
    authorization flow. When successful, the resulting OAuth token will be
    passed to cockpit-ws using the Bearer auth-scheme. For a login to be
    successful, cockpit will also need to be configured to verify and
    allow Bearer tokens.

    URL
        This is the URL that cockpit will redirect the user's browser to
        when it needs to obtain an OAuth token. Cockpit will add a
        redirect_uri parameter to the URL with the location of where the
        OAuth provider should redirect to once a token has been obtained.

    ErrorParam
        When an OAuth provider redirects a user back to cockpit, look for
        this parameter in the query string or fragment portion of the URL
        to find an error message. When not provided it will default to
        error_description.

    TokenParam
        When an OAuth provider redirects a user back to cockpit, look for
        this parameter in the query string or fragment portion of the URL
        to find the access token. When not provided it will default to
        access_token.

SESSION
    Banner
        The contents of the specified file (commonly /etc/issue) are shown
        on the login page. By default, no banner is displayed.

    IdleTimeout
        Time in minutes after which the session expires and the user is
        logged out if no user action has been performed in the given time.
        This idle timeout only applies to interactive password logins. With
        non-interactive authentication methods like Kerberos, OAuth, or
        certificate login, the browser cannot forget credentials, and thus
        automatic logouts are not useful for protecting credentials of
        forgotten sessions. Set to 0 to disable session timeout.

            [Session]
            IdleTimeout=15

        When not specified, there is no idle timeout by default.
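
An added example, not part of the Cockpit project: a small Python check that reads a cockpit.conf and reports the settings this page attaches a caveat to (Origins, ProtocolHeader, AllowUnencrypted, UrlRoot, IdleTimeout). The function name, the sample file and the "true"/"1" boolean spellings are assumptions.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample file, not taken from a real host.
SAMPLE_CONF = """\
[WebService]
Origins = https://admin.example.com somedomain2.com:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
UrlRoot = /cockpit+new/

[Session]
IdleTimeout = 0
"""

def audit_cockpit_conf(text):
    """Return (key, finding) pairs for settings that deserve a review."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    web = cp["WebService"] if cp.has_section("WebService") else {}
    session = cp["Session"] if cp.has_section("Session") else {}
    findings = []

    for origin in web.get("Origins", "").split():
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append(("Origins", f"{origin} lacks a scheme or host"))

    if web.get("ProtocolHeader", "").strip():
        findings.append(("ProtocolHeader",
                         "trusted for TLS detection; proxy must overwrite it"))

    # Assumption: booleans are spelled "true" or "1" (GLib key-file style).
    if web.get("AllowUnencrypted", "false").strip() in ("true", "1"):
        findings.append(("AllowUnencrypted", "unencrypted HTTP is accepted"))

    root = "/" + web.get("UrlRoot", "").strip("/ ") + "/"
    if root.startswith(("/cockpit/", "/cockpit+")):
        findings.append(("UrlRoot", f"{root} uses a reserved prefix"))

    idle = session.get("IdleTimeout", "0").strip()
    if not idle.isdigit() or int(idle) == 0:
        findings.append(("IdleTimeout", "no idle timeout for password logins"))
    return findings

if __name__ == "__main__":
    for key, finding in audit_cockpit_conf(SAMPLE_CONF):
        print(f"{key}: {finding}")
```

A ProtocolHeader finding is a prompt to check the reverse proxy, since the file alone cannot show whether the proxy replaces the header on incoming requests.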

BUGS
    Please send bug reports to either the distribution bug tracker or the
    upstream bug tracker[3].

AUTHOR
    Cockpit has been written by many contributors[4].

SEE ALSO
    cockpit-ws(8), cockpit-tls(8)

NOTES
    1. Certificate/smart card authentication
       https://cockpit-project.org/guide/latest/cert-authentication.html

    2. implicit grant
       https://tools.ietf.org/html/rfc6749#section-4.2

    3. upstream bug tracker
       https://github.com/cockpit-project/cockpit/issues/new

    4. contributors
       https://github.com/cockpit-project/cockpit/

cockpit                          03/31/2021                    COCKPIT.CONF(5)