COCKPIT.CONF(5) cockpit.conf COCKPIT.CONF(5)

cockpit.conf - Cockpit configuration file

Cockpit can be configured via /etc/cockpit/cockpit.conf. That file uses
INI file syntax and thus contains key / value pairs, grouped into
topical groups. See the examples below for details.

Note: The port that cockpit listens on cannot be changed in this file.
To change the port, change the systemd cockpit.socket file.

Origins
By default cockpit will not accept cross-domain WebSocket
connections. Use this setting to allow access from alternate
domains. Origins should include scheme, host and port, if
necessary.

[WebService]
Origins = https://somedomain1.com https://somedomain2.com:9090

ProtocolHeader
Configure cockpit to look at the contents of this header to
determine if a connection is using TLS. This should only be used
when cockpit is behind a reverse proxy, and care should be taken to
make sure that incoming requests cannot set this header.

[WebService]
ProtocolHeader = X-Forwarded-Proto

LoginTitle
Set the browser title for the login screen.

LoginTo
When set to true the Connect to option on the login screen is
visible and allows logging into another server. If this option is
not specified then it will be automatically detected based on
whether the cockpit-ssh process is available or not.

RequireHost
When set to true cockpit will require users to use the Connect to
option to specify the host to log into.

MaxStartups
Same as the sshd configuration option by the same name. Specifies
the maximum number of concurrent login attempts allowed. Additional
connections will be dropped until authentication succeeds or the
connections are closed. Defaults to 10.

Alternatively, random early drop can be enabled by specifying the
three colon separated values start:rate:full (e.g. "10:30:60").
Cockpit will start refusing authentication attempts with a
probability of rate/100 (30%) if there are currently start (10)
unauthenticated connections. The probability increases linearly and
all connection attempts are refused if the number of
unauthenticated connections reaches full (60).
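
The random early drop behaviour described for MaxStartups, worked through as an added example (not Cockpit's own code). It assumes the linear ramp runs from rate/100 at start to 1.0 at full, as the text states; the function names are hypothetical.

```python
def parse_max_startups(value):
    """Parse 'N' or 'start:rate:full' into a (start, rate, full) tuple."""
    parts = value.strip().split(":")
    if len(parts) == 1:
        # Plain limit: nothing is refused below N, everything at N or above.
        limit = int(parts[0])
        if limit < 1:
            raise ValueError("limit must be positive")
        return (limit, 100, limit)
    if len(parts) != 3:
        raise ValueError("expected N or start:rate:full")
    start, rate, full = (int(p) for p in parts)
    if not (1 <= start <= full and 1 <= rate <= 100):
        raise ValueError("need 1 <= start <= full and 1 <= rate <= 100")
    return (start, rate, full)


def refusal_probability(value, unauthenticated):
    """Probability that a new authentication attempt is refused.

    Assumption: linear interpolation between rate% at 'start' and
    100% at 'full', following the description in the text.
    """
    start, rate, full = parse_max_startups(value)
    if unauthenticated < start:
        return 0.0
    if unauthenticated >= full:
        return 1.0
    percent = rate + (100 - rate) * (unauthenticated - start) / (full - start)
    return percent / 100


if __name__ == "__main__":
    # Walk the curve for the value used in the text.
    for pending in (9, 10, 35, 59, 60):
        p = refusal_probability("10:30:60", pending)
        print(f"{pending:3d} unauthenticated -> refuse with p={p:.2f}")
```
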

AllowUnencrypted
If true, cockpit will accept unencrypted HTTP connections.
Otherwise, it redirects all HTTP connections to HTTPS. Exceptions
are connections from localhost and for certain URLs (like /ping).
Defaults to false.

UrlRoot
The root URL where you will be serving cockpit. When provided
cockpit will expect all requests to be prefixed with the given url.
This is mostly useful when you are using cockpit behind a reverse
proxy, such as nginx. /cockpit/ and /cockpit+ are reserved and
should not be used. For example /cockpit-new/ is ok. /cockpit/ and
/cockpit+new/ are not.

ClientCertAuthentication
If true, enable TLS client certificates for authenticating users.
Commonly these are provided by a smart card, but it's equally
possible to import certificates directly into the web browser.
Please see the Certificate/smart card authentication[1] section in
the Cockpit guide for details.

Fatal
The kind of log messages in the bridge to treat as fatal. Separate
multiple values with spaces. Relevant values are: criticals and
warnings.

Cockpit can be configured to support the implicit grant[2] OAuth
authorization flow. When successful, the resulting OAuth token will be
passed to cockpit-ws using the Bearer auth-scheme. For a login to be
successful, cockpit will also need to be configured to verify and
allow Bearer tokens.

URL
This is the URL that cockpit will redirect the user's browser to
when it needs to obtain an OAuth token. Cockpit will add a
redirect_uri parameter to the URL with the location of where the
OAuth provider should redirect to once a token has been obtained.

ErrorParam
When an OAuth provider redirects a user back to cockpit, look for
this parameter in the query string or fragment portion of the URL to
find an error message. When not provided it will default to
error_description

TokenParam
When an OAuth provider redirects a user back to cockpit, look for
this parameter in the query string or fragment portion of the URL to
find the access token. When not provided it will default to
access_token

Banner
The contents of the specified file (commonly /etc/issue) are shown
on the login page. By default, no banner is displayed.

IdleTimeout
Time in minutes after which the session expires and the user is logged
out if no user action has been performed in the given time. This idle
timeout only applies to interactive password logins. With
non-interactive authentication methods like Kerberos, OAuth, or
certificate login, the browser cannot forget credentials, and thus
automatic logouts are not useful for protecting credentials of
forgotten sessions. Set to 0 to disable session timeout.

[Session]
IdleTimeout=0

When not specified, the default is 15 minutes.
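
A small review script for the settings documented above, as an added example (not part of Cockpit). The sample file is constructed, the `audit` function is hypothetical, and flagging any Origins entry that is not https is this example's own policy rather than a Cockpit rule.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample for illustration, not a recommended configuration.
SAMPLE = """\
[WebService]
Origins = https://somedomain1.com http://somedomain2.com:9090 somedomain3.com
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
UrlRoot = /cockpit+new/

[Session]
IdleTimeout = 0
"""

def audit(text):
    """Return (key, finding) pairs for settings that deserve a review."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep keys exactly as written in the file
    cp.read_string(text)
    ws = cp["WebService"] if cp.has_section("WebService") else {}
    session = cp["Session"] if cp.has_section("Session") else {}
    findings = []

    # Origins should carry a scheme; anything but https is flagged here.
    for origin in ws.get("Origins", "").split():
        scheme = urlsplit(origin).scheme or "missing"
        if scheme != "https":
            findings.append(("Origins", f"{origin}: scheme is {scheme}"))

    header = ws.get("ProtocolHeader")
    if header:
        findings.append(("ProtocolHeader",
                         f"confirm the reverse proxy overwrites {header}"))
    if ws.get("AllowUnencrypted", "false").strip().lower() == "true":
        findings.append(("AllowUnencrypted", "plain HTTP is accepted"))

    # /cockpit/ and /cockpit+ are reserved prefixes for UrlRoot.
    root = "/" + ws.get("UrlRoot", "").strip("/")
    if root == "/cockpit" or root.startswith(("/cockpit/", "/cockpit+")):
        findings.append(("UrlRoot", f"{root} uses a reserved prefix"))

    if session.get("IdleTimeout", "").strip() == "0":
        findings.append(("IdleTimeout", "session timeout is disabled"))
    return findings

if __name__ == "__main__":
    for key, finding in audit(SAMPLE):
        print(f"{key}: {finding}")
```
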

Please send bug reports to either the distribution bug tracker or the
upstream bug tracker[3].

Cockpit has been written by many contributors[4].

cockpit-ws(8), cockpit-tls(8)

1. Certificate/smart card authentication
https://cockpit-project.org/guide/latest/cert-authentication.html

2. implicit grant
https://tools.ietf.org/html/rfc6749#section-4.2

3. upstream bug tracker
https://github.com/cockpit-project/cockpit/issues/new

4. contributors
https://github.com/cockpit-project/cockpit/

cockpit 04/15/2020 COCKPIT.CONF(5)