COCKPIT.CONF(5)                  cockpit.conf                  COCKPIT.CONF(5)

NAME

       cockpit.conf - Cockpit configuration file

DESCRIPTION

       Cockpit can be configured via /etc/cockpit/cockpit.conf. If
       $XDG_CONFIG_DIRS is set, then the first path containing a
       ../cockpit/cockpit.conf is used instead. Other configuration files and
       directories are searched for in the same way.

       This file is not required and may need to be created manually. The file
       has an INI file syntax and thus contains key / value pairs, grouped into
       topical groups. See the examples below for details.

       Note: The port that cockpit listens on cannot be changed in this file.
       To change the port, change the systemd cockpit.socket file.

WEBSERVICE

       Origins
           By default cockpit will not accept cross-domain websocket
           connections. Use this setting to allow access from alternate
           domains. Origins should include scheme, host and port, if
           necessary.

               [WebService]
               Origins = https://somedomain1.com https://somedomain2.com:9090

       ProtocolHeader
           Configure cockpit to look at the contents of this header to
           determine if a connection is using TLS. This should only be used
           when cockpit is behind a reverse proxy, and care should be taken to
           make sure that incoming requests cannot set this header.

               [WebService]
               ProtocolHeader = X-Forwarded-Proto

       ForwardedForHeader
           Configure cockpit to look at the contents of this header to
           determine the real origin of a connection. This should only be used
           when cockpit is behind a reverse proxy, and care should be taken to
           make sure that incoming requests cannot set this header.

               [WebService]
               ForwardedForHeader = X-Forwarded-For

       LoginTitle
           Set the browser title for the login screen.

       LoginTo
           When set to true the Connect to option on the login screen is
           visible and allows logging into another server. When set to false,
           direct remote logins are disallowed. If this option is not
           specified then it will be automatically detected based on whether
           the cockpit-ssh process is available or not.

           If cockpit-ws is exposed to the public internet, and also has
           access to a private internal network, it is recommended to
           explicitly set LoginTo=false. This prevents unauthenticated remote
           attackers from scanning the internal network for existing machines
           and open ports.

       RequireHost
           When set to true cockpit will require users to use the Connect to
           option to specify the host to log into.

       MaxStartups
           Same as the sshd configuration option by the same name. Specifies
           the maximum number of concurrent login attempts allowed. Additional
           connections will be dropped until authentication succeeds or the
           connections are closed. Defaults to 10.

           Alternatively, random early drop can be enabled by specifying the
           three colon separated values start:rate:full (e.g. "10:30:60").
           Cockpit will start refusing authentication attempts with a
           probability of rate/100 (30%) if there are currently start (10)
           unauthenticated connections. The probability increases linearly and
           all connection attempts are refused if the number of
           unauthenticated connections reaches full (60).

       AllowUnencrypted
           If true, cockpit will accept unencrypted HTTP connections.
           Otherwise, it redirects all HTTP connections to HTTPS. Exceptions
           are connections from localhost and for certain URLs (like /ping).
           Defaults to false.

       UrlRoot
           The root URL where you will be serving cockpit. When provided
           cockpit will expect all requests to be prefixed with the given url.
           This is mostly useful when you are using cockpit behind a reverse
           proxy, such as nginx.  /cockpit/ and /cockpit+ are reserved and
           should not be used. For example /cockpit-new/ is ok.  /cockpit/ and
           /cockpit+new/ are not.

       ClientCertAuthentication
           If true, enable TLS client certificates for authenticating users.
           Commonly these are provided by a smart card, but it's equally
           possible to import certificates directly into the web browser.
           Please see the Certificate/smart card authentication[1] section in
           the Cockpit guide for details.

       Shell
           The relative URL to the top-level component to display in Cockpit
           once logged in. Defaults to /shell/index.html

LOG

       Fatal
           The kind of log messages in the bridge to treat as fatal. Separate
           multiple values with spaces. Relevant values are: criticals and
           warnings.

OAUTH

       Cockpit can be configured to support the implicit grant[2] OAuth
       authorization flow. When successful the resulting OAuth token will be
       passed to cockpit-ws using the Bearer auth-scheme. For a login to be
       successful, cockpit will also need to be configured to verify and
       allow Bearer tokens.

       URL
           This is the URL that cockpit will redirect the user's browser to
           when it needs to obtain an OAuth token. Cockpit will add a
           redirect_uri parameter to the URL with the location of where the
           OAuth provider should redirect to once a token has been obtained.

       ErrorParam
           When an OAuth provider redirects a user back to cockpit, look for
           this parameter in the querystring or fragment portion of the URL to
           find an error message. When not provided it will default to
           error_description

       TokenParam
           When an OAuth provider redirects a user back to cockpit, look for
           this parameter in the querystring or fragment portion of the URL to
           find the access token. When not provided it will default to
           access_token

SESSION

       Banner
           The contents of the specified file (commonly /etc/issue) are shown
           on the login page. By default, no banner is displayed.

       IdleTimeout
           Time in minutes after which the session expires and the user is
           logged out if no user action has been performed in the given time.
           This idle timeout only applies to interactive password logins. With
           non-interactive authentication methods like Kerberos, OAuth, or
           certificate login, the browser cannot forget credentials, and thus
           automatic logouts are not useful for protecting credentials of
           forgotten sessions. Set to 0 to disable session timeout.

               [Session]
               IdleTimeout=15

           When not specified, there is no idle timeout by default.
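
       A review helper for the settings this page attaches cautions to
       (LoginTo, AllowUnencrypted, ProtocolHeader, ForwardedForHeader, Origins,
       IdleTimeout), as an added example that is not part of Cockpit. The
       function name, the finding texts and the sample file are constructed
       for illustration.

```python
import configparser

# Constructed sample for illustration; not taken from a real host.
SAMPLE_CONF = """\
[WebService]
Origins = https://somedomain1.com somedomain2.com:9090
ProtocolHeader = X-Forwarded-Proto
AllowUnencrypted = true

[Session]
IdleTimeout=0
"""


def audit_cockpit_conf(text):
    """Return (key, message) findings for settings the man page cautions about."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    ws = cp["WebService"] if cp.has_section("WebService") else {}
    session = cp["Session"] if cp.has_section("Session") else {}
    findings = []

    if ws.get("LoginTo", "").strip().lower() != "false":
        findings.append(("LoginTo", "not explicitly false; remote logins may be offered"))
    if ws.get("AllowUnencrypted", "false").strip().lower() == "true":
        findings.append(("AllowUnencrypted", "plain HTTP connections are accepted"))
    for key in ("ProtocolHeader", "ForwardedForHeader"):
        if key in ws:
            findings.append((key, f"trusts {ws[key]}; incoming requests must not set it"))
    for origin in ws.get("Origins", "").split():
        if "://" not in origin:
            findings.append(("Origins", f"{origin} lacks a scheme"))
    idle = session.get("IdleTimeout", "0").strip()
    if not idle.isdigit() or int(idle) == 0:
        findings.append(("IdleTimeout", "no idle logout for password sessions"))
    return findings


if __name__ == "__main__":
    for key, message in audit_cockpit_conf(SAMPLE_CONF):
        print(f"{key}: {message}")
```

       Each finding is a prompt for review rather than a verdict: a trusted
       header is fine behind a reverse proxy that overwrites it, and LoginTo
       matters most when cockpit-ws faces the public internet.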

BUGS

       Please send bug reports to either the distribution bug tracker or the
       upstream bug tracker[3].

AUTHOR

       Cockpit has been written by many contributors[4].

SEE ALSO

       cockpit-ws(8), cockpit-tls(8)

NOTES

        1. Certificate/smart card authentication
           https://cockpit-project.org/guide/latest/cert-authentication.html

        2. implicit grant
           https://tools.ietf.org/html/rfc6749#section-4.2

        3. upstream bug tracker
           https://github.com/cockpit-project/cockpit/issues/new

        4. contributors
           https://github.com/cockpit-project/cockpit/

cockpit                           11/29/2023                   COCKPIT.CONF(5)