1COCKPIT.CONF(5)                  cockpit.conf                  COCKPIT.CONF(5)
2
3
4

NAME

6       cockpit.conf - Cockpit configuration file
7

DESCRIPTION

9       Cockpit can be configured via /etc/cockpit/cockpit.conf. This file is
10       not required and may need to be created manually. The file has a INI
11       file syntax and thus contains key / value pairs, grouped into topical
12       groups. See the examples below for details..
13
14       Note: The port that cockpit listens on cannot be changed in this file.
15       To change the port change the systemd cockpit.socket file.
16

WEBSERVICE

18       Origins
19           By default cockpit will not accept crossdomain websocket
20           connections. Use this setting to allow access from alternate
21           domains. Origins should include scheme, host and port, if
22           necessary.
23
24               [WebService]
25               Origins = https://somedomain1.com https://somedomain2.com:9090
26
27       ProtocolHeader
28           Configure cockpit to look at the contents of this header to
29           determine if a connection is using tls. This should only be used
30           when cockpit is behind a reverse proxy, and care should be taken to
31           make sure that incoming requests cannot set this header.
32
33               [WebService]
34               ProtocolHeader = X-Forwarded-Proto
35
36       LoginTitle
37           Set the browser title for the login screen.
38
39       LoginTo
40           When set to true the Connect to option on the login screen is
41           visible and allows logging into another server. If this option is
42           not specified then it will be automatically detected based on
43           whether the cockpit-ssh process is available or not.
44
45       RequireHost
46           When set to true cockpit will require users to use the Connect to
47           option to specify the host to log into.
48
49       MaxStartups
50           Same as the sshd configuration option by the same name. Specifies
51           the maximum number of concurrent login attempts allowed. Additional
52           connections will be dropped until authentication succeeds or the
53           connections are closed. Defaults to 10.
54
55           Alternatively, random early drop can be enabled by specifying the
56           three colon separated values start:rate:full (e.g. "10:30:60").
57           Cockpit will start refusing authentication attempts with a
58           probability of rate/100 (30%) if there are currently start (10)
59           unauthenticated connections. The probability increases linearly and
60           all connection attempts are refused if the number of
61           unauthenticated connections reaches full (60).
62
63       AllowUnencrypted
64           If true, cockpit will accept unencrypted HTTP connections.
65           Otherwise, it redirects all HTTP connections to HTTPS. Exceptions
66           are connections from localhost and for certain URLs (like /ping).
67           Defaults to false.
68
69       UrlRoot
70           The root URL where you will be serving cockpit. When provided
71           cockpit will expect all requests to be prefixed with the given url.
72           This is mostly useful when you are using cockpit behind a reverse
73           proxy, such as nginx.  /cockpit/ and /cockpit+ are reserved and
74           should not be used. For example /cockpit-new/ is ok.  /cockpit/ and
75           /cockpit+new/ are not.
76
77       ClientCertAuthentication
78           If true, enable TLS client certificates for authenticating users.
79           Commonly these are provided by a smart card, but it's equally
80           possible to import certificates directly into the web browser.
81           Please see the Certificate/smart card authentication[1] section in
82           the Cockpit guide for details.
83
84       Shell
85           The relative URL to top level component to display in Cockpit once
86           logged in. Defaults to /shell/index.html
87

LOG

89       Fatal
90           The kind of log messages in the bridge to treat as fatal. Separate
91           multiple values with spaces. Relevant values are: criticals and
92           warnings.
93

OAUTH

95       Cockpit can be configured to support the implicit grant[2] OAuth
96       authorization flow. When successful the resulting oauth token will be
97       passed to cockpit-ws using the Bearer auth-scheme. For a login to be
98       successful, cockpit will also need a to be configured to verify and
99       allow Bearer tokens.
100
101       URL
102           This is the url that cockpit will redirect the users browser to
103           when it needs to obtain an oauth token. Cockpit will add a
104           redirect_uri parameter to the url with the location of where the
105           oauth provider should redirect to once a token has been obtained.
106
107       ErrorParam
108           When a oauth provider redirects a user back to cockpit, look for
109           this parameter in the querystring or fragment portion of the url to
110           find a error message. When not provided it will default to
111           error_description
112
113       TokenParam
114           When a oauth provider redirects a user back to cockpit, look for
115           this parameter in the querystring or fragment portion of the url to
116           find the access token. When not provided it will default to
117           access_token
118

SESSION

120       Banner
121           The contents of the specified file (commonly /etc/issue) are shown
122           on the login page. By default, no banner is displayed.
123
124       IdleTimeout
125           Time in minutes after which session expires and user is logged out
126           if no user action has been performed in the given time. This idle
127           timeout only applies to interactive password logins. With
128           non-interactive authentication methods like Kerberos, OAuth, or
129           certificate login, the browser cannot forget credentials, and thus
130           automatic logouts are not useful for protecting credentials of
131           forgotten sessions. Set to 0 to disable session timeout.
132
133               [Session]
134               IdleTimeout=15
135           When not specified, there is no idle timeout by default.
136

BUGS

138       Please send bug reports to either the distribution bug tracker or the
139       upstream bug tracker[3].
140

AUTHOR

142       Cockpit has been written by many contributors[4].
143

SEE ALSO

145       cockpit-ws(8), cockpit-tls(8)
146

NOTES

148        1. Certificate/smart card authentication
149           https://cockpit-project.org/guide/latest/cert-authentication.html
150
151        2. implicit grant
152           https://tools.ietf.org/html/rfc6749#section-4.2
153
154        3. upstream bug tracker
155           https://github.com/cockpit-project/cockpit/issues/new
156
157        4. contributors
158           https://github.com/cockpit-project/cockpit/
159
160
161
162cockpit                           03/31/2021                   COCKPIT.CONF(5)
Impressum