COCKPIT.CONF(5)                  cockpit.conf                  COCKPIT.CONF(5)

NAME

       cockpit.conf - Cockpit configuration file

DESCRIPTION

       Cockpit can be configured via /etc/cockpit/cockpit.conf. This file is
       not required and may need to be created manually. The file has an INI
       file syntax and thus contains key / value pairs, grouped into topical
       groups. See the examples below for details.

       Note: The port that cockpit listens on cannot be changed in this file.
       To change the port, change the systemd cockpit.socket file.

WEBSERVICE

       Origins
           By default cockpit will not accept cross-domain websocket
           connections. Use this setting to allow access from alternate
           domains. Origins should include scheme, host and port, if
           necessary.

               [WebService]
               Origins = https://somedomain1.com https://somedomain2.com:9090

       ProtocolHeader
           Configure cockpit to look at the contents of this header to
           determine if a connection is using TLS. This should only be used
           when cockpit is behind a reverse proxy, and care should be taken to
           make sure that incoming requests cannot set this header.

               [WebService]
               ProtocolHeader = X-Forwarded-Proto

       ForwardedForHeader
           Configure cockpit to look at the contents of this header to
           determine the real origin of a connection. This should only be used
           when cockpit is behind a reverse proxy, and care should be taken to
           make sure that incoming requests cannot set this header.

               [WebService]
               ForwardedForHeader = X-Forwarded-For

       LoginTitle
           Set the browser title for the login screen.

       LoginTo
           When set to true the Connect to option on the login screen is
           visible and allows logging into another server. If this option is
           not specified then it will be automatically detected based on
           whether the cockpit-ssh process is available or not.

       RequireHost
           When set to true cockpit will require users to use the Connect to
           option to specify the host to log into.

       MaxStartups
           Same as the sshd configuration option by the same name. Specifies
           the maximum number of concurrent login attempts allowed. Additional
           connections will be dropped until authentication succeeds or the
           connections are closed. Defaults to 10.

           Alternatively, random early drop can be enabled by specifying the
           three colon separated values start:rate:full (e.g. "10:30:60").
           Cockpit will start refusing authentication attempts with a
           probability of rate/100 (30%) if there are currently start (10)
           unauthenticated connections. The probability increases linearly and
           all connection attempts are refused if the number of
           unauthenticated connections reaches full (60).

       AllowUnencrypted
           If true, cockpit will accept unencrypted HTTP connections.
           Otherwise, it redirects all HTTP connections to HTTPS. Exceptions
           are connections from localhost and for certain URLs (like /ping).
           Defaults to false.

       UrlRoot
           The root URL where you will be serving cockpit. When provided
           cockpit will expect all requests to be prefixed with the given URL.
           This is mostly useful when you are using cockpit behind a reverse
           proxy, such as nginx.  /cockpit/ and /cockpit+ are reserved and
           should not be used. For example /cockpit-new/ is ok.  /cockpit/ and
           /cockpit+new/ are not.

       ClientCertAuthentication
           If true, enable TLS client certificates for authenticating users.
           Commonly these are provided by a smart card, but it's equally
           possible to import certificates directly into the web browser.
           Please see the Certificate/smart card authentication[1] section in
           the Cockpit guide for details.

       Shell
           The relative URL to the top-level component to display in Cockpit
           once logged in. Defaults to /shell/index.html

LOG

       Fatal
           The kind of log messages in the bridge to treat as fatal. Separate
           multiple values with spaces. Relevant values are: criticals and
           warnings.

OAUTH

       Cockpit can be configured to support the implicit grant[2] OAuth
       authorization flow. When successful the resulting OAuth token will be
       passed to cockpit-ws using the Bearer auth-scheme. For a login to be
       successful, cockpit will also need to be configured to verify and
       allow Bearer tokens.

       URL
           This is the URL that cockpit will redirect the user's browser to
           when it needs to obtain an OAuth token. Cockpit will add a
           redirect_uri parameter to the URL with the location of where the
           OAuth provider should redirect to once a token has been obtained.

       ErrorParam
           When an OAuth provider redirects a user back to cockpit, look for
           this parameter in the querystring or fragment portion of the URL to
           find an error message. When not provided it will default to
           error_description

       TokenParam
           When an OAuth provider redirects a user back to cockpit, look for
           this parameter in the querystring or fragment portion of the URL to
           find the access token. When not provided it will default to
           access_token

SESSION

       Banner
           The contents of the specified file (commonly /etc/issue) are shown
           on the login page. By default, no banner is displayed.

       IdleTimeout
           Time in minutes after which the session expires and the user is
           logged out if no user action has been performed in the given time.
           This idle timeout only applies to interactive password logins. With
           non-interactive authentication methods like Kerberos, OAuth, or
           certificate login, the browser cannot forget credentials, and thus
           automatic logouts are not useful for protecting credentials of
           forgotten sessions. Set to 0 to disable session timeout.

               [Session]
               IdleTimeout=15

           When not specified, there is no idle timeout by default.

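       A review script for the WebService and Session settings documented
       above, as an added example (not part of Cockpit). The audit() helper
       and the sample file are constructed for illustration; key names are
       assumed to be matched exactly as this page spells them.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample for illustration; not a recommended configuration.
SAMPLE = """\
[WebService]
Origins = https://somedomain1.com somedomain2.com:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true
UrlRoot = /cockpit+new/

[Session]
IdleTimeout = 0
"""

def audit(text):
    """Return (key, message) findings for settings the man page warns about."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # assumption: match key names exactly as documented
    cp.read_string(text)
    ws = cp["WebService"] if cp.has_section("WebService") else {}
    sess = cp["Session"] if cp.has_section("Session") else {}
    findings = []
    # Origins should include scheme and host (plus port if necessary).
    for origin in ws.get("Origins", "").split():
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            findings.append(("Origins", f"{origin!r} lacks scheme or host"))
    # These headers are only trustworthy if the reverse proxy overwrites them.
    for key in ("ProtocolHeader", "ForwardedForHeader"):
        if ws.get(key):
            findings.append((key, f"proxy must overwrite client-sent {ws[key]}"))
    if ws.get("AllowUnencrypted", "false").strip().lower() == "true":
        findings.append(("AllowUnencrypted", "plain HTTP is accepted"))
    # /cockpit/ and /cockpit+ are reserved prefixes for UrlRoot.
    root = "/" + ws.get("UrlRoot", "").strip("/ ")
    if root == "/cockpit" or root.startswith(("/cockpit/", "/cockpit+")):
        findings.append(("UrlRoot", f"{root} uses a reserved prefix"))
    # Unset or 0 means interactive password sessions never time out.
    if sess.get("IdleTimeout", "0").strip() == "0":
        findings.append(("IdleTimeout", "no idle timeout"))
    return findings

if __name__ == "__main__":
    for key, message in audit(SAMPLE):
        print(f"{key}: {message}")
```
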

BUGS

       Please send bug reports to either the distribution bug tracker or the
       upstream bug tracker[3].

AUTHOR

       Cockpit has been written by many contributors[4].

SEE ALSO

       cockpit-ws(8), cockpit-tls(8)

NOTES

        1. Certificate/smart card authentication
           https://cockpit-project.org/guide/latest/cert-authentication.html

        2. implicit grant
           https://tools.ietf.org/html/rfc6749#section-4.2

        3. upstream bug tracker
           https://github.com/cockpit-project/cockpit/issues/new

        4. contributors
           https://github.com/cockpit-project/cockpit/

cockpit                           01/25/2023                   COCKPIT.CONF(5)