1COCKPIT-WS(8) cockpit-ws COCKPIT-WS(8)
2
6 cockpit-ws - Cockpit web service
7
9 cockpit-ws [--help] [--port PORT] [--address ADDRESS] [--no-tls]
10 [--for-tls-proxy] [--local-ssh] [--local-session BRIDGE]
11
13 The cockpit-ws program is the web service component used for
14 communication between the browser application and various configuration
15 tools and services like cockpit-bridge(1).
16 Users or administrators should never need to start this program as it
18 automatically started by systemd(1) on bootup, through cockpit-tls(8).
19
21 cockpit-ws is normally run behind the cockpit-tls TLS terminating
22 proxy, and only deals with unencrypted HTTP by itself. But for
23 backwards compatibility it can also handle TLS connections by itself
24 when being run directly. For details how to configure certificates,
25 please refer to the cockpit-tls(8) documentation.
26
28 When started via systemd(1) then cockpit-ws will exit after 90 seconds
29 if nobody logs in, or after the last user is disconnected.
30
32 --help
33 Show help options.
34 --port PORT
36 Serve HTTP requests PORT instead of port 9090. Usually Cockpit is
37 started on demand by systemd socket activation, and this option has
38 no effect. Update the ListenStream directive cockpit.socket file in
39 the usual systemd manner.
40 --address ADDRESS
42 Bind to address ADDRESS instead of binding to all available
43 addresses. Usually Cockpit is started on demand by systemd socket
44 activation, and this option has no effect. In that case, update the
45 ListenStream directive in the cockpit.socket file in the usual
46 systemd manner.
47 --no-tls
49 Don't use TLS.
50 --for-tls-proxy
52 Tell cockpit-ws that it is running behind a local reverse proxy
53 that does the TLS termination. Then Cockpit puts https:// URLs into
54 the default Content-Security-Policy, and accepts only https://
55 origins, instead of http: ones by default. However, if Origins is
56 set in the cockpit.conf(5) configuration file, it will override
57 this default.
58 --proxy-tls-redirect
60 Enable redirection of unencrypted http requests to https (TLS) in
61 --no-tls mode. Use this when running cockpit-ws behind a reverse
62 http proxy that also supports https, but does no redirection from
63 http to https by itself.
64 --local-ssh
66 Normally cockpit-ws uses cockpit-session and PAM to authenticate
67 the user and start a user session. With this option enabled, it
68 will instead authenticate via SSH at 127.0.0.1 port 22.
69 --local-session BRIDGE
71 Skip all authentication and cockpit-session, and launch the
72 cockpit-bridge specified in BRIDGE in the local session. If the
73 BRIDGE is specified as - then expect an already running bridge that
74 is connected to stdin and stdout of this cockpit-ws process. This
75 allows the web server to run as any unprivileged user in an already
76 running session.
77 This mode implies --no-tls, thus you need to use http:// URLs with
79 this.
80 Warning
82 If you use this, you have to isolate the opened TCP port
83 somehow (for example in a network namespace), otherwise all
84 other users (or even remote machines if the port is not just
85 listening on localhost) can access the session!
86
88 The cockpit-ws process will use the XDG_CONFIG_DIRS environment
89 variable from the XDG basedir spec[1] to find its cockpit.conf(5)
90 configuration file.
91 In addition the XDG_DATA_DIRS environment variable from the XDG basedir
93 spec[1] can be used to override the location to serve static files
94 from. These are the files that are served to a non-logged in user.
95
97 Please send bug reports to either the distribution bug tracker or the
98 upstream bug tracker[2].
99
101 Cockpit has been written by many contributors[3].
102
104 cockpit-tls(8) , cockpit.conf(5) , systemd(1)
105
107 1. XDG basedir spec
108 https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
109 2. upstream bug tracker
111 https://github.com/cockpit-project/cockpit/issues/new
112 3. contributors
114 https://github.com/cockpit-project/cockpit/
115cockpit 11/27/2019 COCKPIT-WS(8)