Score:0

Cockpit using Nginx - with private IP only


Context:

I have an EC2 Ubuntu 20.04.5 LTS instance, which sits in a VPC with no public IP.

On that, I have nginx:1.23.2 running in a container and Cockpit installed directly on the host.

The way it is currently configured, if I visit my private IP in the browser while on VPN, I am able to reach the login screen for Cockpit. For example, http://10.235.66.23/ leads me to login.

When I attempt to log in with the correct credentials (both for root and sudo users), it leads to the exact same page I started with: login.

Inspecting the browser:

GENERAL
Request URL: http://10.235.66.23/cockpit/login
Request Method: GET
Status Code: 401 Authentication failed
Remote Address: 10.235.66.22:80
Referrer Policy: no-referrer

RESPONSE HEADERS
Connection: keep-alive
Content-Type: text/html; charset=utf8
Cross-Origin-Resource-Policy: same-origin
Date: Sun, 25 Dec 2022 23:42:41 GMT
Referrer-Policy: no-referrer
Server: nginx/1.23.2
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off

REQUEST HEADERS
X-Frame-Options: sameorigin
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: keep-alive
DNT: 1
Host: 10.235.66.23
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36

The status code (Status Code: 401 Authentication failed) doesn't add up, because these credentials are good. I've also made sure /etc/ssh/sshd_config allows password use.

The nginx container is configured to listen on ports 8080 and 4430, and firewalld has the ports forwarding:

my_zone (active)
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources: 10.0.0.0/8
  services: cockpit
  ports: 22/tcp 8081/tcp 4431/tcp 80/tcp 443/tcp 8080/tcp
  protocols:
  masquerade: yes
  forward-ports: port=80:proto=tcp:toport=8081:toaddr=
        port=443:proto=tcp:toport=4431:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:

NGINX configuration:

server {
    listen         8081;
    listen         4431;

    server_name    10.235.66.23;

    location / {
        # Required to proxy the connection to Cockpit
        proxy_pass https://127.0.0.1:9091;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for web sockets to function
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass ETag header from Cockpit to clients.
        # See: https://github.com/cockpit-project/cockpit/issues/5239
        gzip off;
    }

    location = /testapp {
        proxy_pass https://127.0.0.1:8082;
    }
}

You might have noticed the port is 9091; I have changed it here: /usr/lib/systemd/system/cockpit.socket and here: /usr/share/cockpit/motd/update-motd

And when I check the cockpit and cockpit.socket status with systemctl:

● cockpit.service - Cockpit Web Service
     Loaded: loaded (/lib/systemd/system/cockpit.service; static; vendor preset: enabled)
     Active: inactive (dead) since Sun 2022-12-25 18:44:12 EST; 7min ago
TriggeredBy: ● cockpit.socket
       Docs: man:cockpit-ws(8)
    Process: 1106981 ExecStartPre=/usr/lib/cockpit/cockpit-certificate-ensure --for-cockpit-tls (code=exited, status=0/SUCCESS)
    Process: 1106982 ExecStart=/usr/lib/cockpit/cockpit-tls (code=exited, status=0/SUCCESS)
   Main PID: 1106982 (code=exited, status=0/SUCCESS)

Dec 25 18:42:39 ip-10-235-66-23 systemd[1]: Starting Cockpit Web Service...
Dec 25 18:42:39 ip-10-235-66-23 systemd[1]: Started Cockpit Web Service.
Dec 25 18:44:12 ip-10-235-66-23 systemd[1]: cockpit.service: Succeeded.

Everything is good.

When I run sudo journalctl -xe, I have no issues. When I look at the nginx output:

10.118.46.12 - admin[25/Dec/2022:23:53:47 +0000] "GET /cockpit/login HTTP/1.1" 200 81 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:47 +0000] "GET / HTTP/1.1" 200 11105 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:47 +0000] "GET /cockpit/static/login.js HTTP/1.1" 200 15897 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:47 +0000] "GET /cockpit/static/login.css HTTP/1.1" 200 12201 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:48 +0000] "GET /cockpit/static/branding.css HTTP/1.1" 200 500 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:49 +0000] "GET /cockpit/static/logo.png HTTP/1.1" 200 2971 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:49 +0000] "GET /cockpit/static/bg-plain.jpg HTTP/1.1" 200 81737 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:49 +0000] "GET /cockpit/login HTTP/1.1" 401 3464 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:49 +0000] "GET /cockpit/static/fonts/RedHatText-Regular.woff2 HTTP/1.1" 200 28396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:49 +0000] "GET /cockpit/static/fonts/RedHatText-Medium.woff2 HTTP/1.1" 200 29312 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"

So, I am really not understanding what is happening. Is the authentication not passing through?

/run/cockpit/tls/server has cert.source and key.source; I am assuming the self-signed certificates are working.

If I create the /etc/cockpit/cockpit.conf file with:

[WebService]
Origins = https://10.235.66.23 127.0.0.1:9091
ProtocolHeader = X-Forwarded-Proto

[Log]
Fatal = /var/log/cockpit.log

[Session]
IdleTimeout=15

Same issue.

Not sure how to route without a public IP. I don't think you can do a combination like cockpit.<private_ip>, since I have tried.

My assumption is that the nginx configuration is not done well.
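The nginx access-log excerpt in the question is the most useful evidence it contains: the first line shows a GET /cockpit/login carrying a remote user (admin) that was answered 200, and two seconds later the same path is answered 401. The following script is an added example, not code from the question or from the Cockpit or nginx projects. It parses log lines in the format the question shows (nginx "combined" with the extra trailing "$http_x_forwarded_for" field that the nginx container image logs), tabulates status codes per path, and lists the sources accumulating 401s on the Cockpit login endpoint, which is the same check a defender would run to separate a misconfiguration (one client, correct credentials, every attempt fails) from credential guessing (many failures from one source). The sample log is constructed for the example, modelled on the lines in the question with user agents shortened and an extra constructed source (10.118.46.55) added to show the threshold logic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# nginx "combined" format plus the optional trailing "$http_x_forwarded_for"
# field. The remote-user field is allowed to butt directly against the
# timestamp bracket because the excerpt in the question shows it that way
# (admin[25/Dec/...]).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+?)\s*\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<xff>[^"]*)")?\s*$'
)

LOGIN_PATH = "/cockpit/login"

# Constructed sample, modelled on the question's log excerpt. The 10.118.46.55
# lines are invented to show what repeated failures from one source look like.
SAMPLE_LOG = """\
10.118.46.12 - admin[25/Dec/2022:23:53:47 +0000] "GET /cockpit/login HTTP/1.1" 200 81 "-" "Mozilla/5.0" "-"
10.118.46.12 - - [25/Dec/2022:23:53:47 +0000] "GET / HTTP/1.1" 200 11105 "-" "Mozilla/5.0" "-"
10.118.46.12 - - [25/Dec/2022:23:53:47 +0000] "GET /cockpit/static/login.js HTTP/1.1" 200 15897 "-" "Mozilla/5.0" "-"
10.118.46.12 - - [25/Dec/2022:23:53:49 +0000] "GET /cockpit/login HTTP/1.1" 401 3464 "-" "Mozilla/5.0" "-"
10.118.46.12 - - [25/Dec/2022:23:53:49 +0000] "GET /cockpit/static/fonts/RedHatText-Regular.woff2 HTTP/1.1" 200 28396 "-" "Mozilla/5.0" "-"
10.118.46.55 - - [25/Dec/2022:23:55:01 +0000] "GET /cockpit/login HTTP/1.1" 401 3464 "-" "curl/7.81.0" "-"
10.118.46.55 - - [25/Dec/2022:23:55:02 +0000] "GET /cockpit/login HTTP/1.1" 401 3464 "-" "curl/7.81.0" "-"
10.118.46.55 - - [25/Dec/2022:23:55:03 +0000] "GET /cockpit/login HTTP/1.1" 401 3464 "-" "curl/7.81.0" "-"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def parse_log(text):
    """Parse every line of an access log, silently skipping unparseable ones."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def status_by_path(records):
    """Map each request path to a Counter of the HTTP status codes it received."""
    out = defaultdict(Counter)
    for r in records:
        out[r["path"]][r["status"]] += 1
    return dict(out)


def failed_logins(records, path=LOGIN_PATH):
    """(ip, timestamp, remote_user) for every 401 answered on the login endpoint."""
    return [(r["ip"], r["ts"], r["user"]) for r in records
            if r["path"] == path and r["status"] == 401]


def noisy_sources(records, threshold=3, path=LOGIN_PATH):
    """Source IPs that collected at least `threshold` login failures."""
    counts = Counter(ip for ip, _, _ in failed_logins(records, path))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for path, counts in sorted(status_by_path(recs).items()):
        print(f"{path:55s} {dict(counts)}")
    for ip, ts, user in failed_logins(recs):
        print(f"401 on {LOGIN_PATH} from {ip} at {ts.isoformat()} (user={user})")
    print("sources at/above threshold:", noisy_sources(recs))
```

Run it against the real file with `parse_log(open("/var/log/nginx/access.log").read())`; `noisy_sources` is deliberately a plain per-source count so the threshold can be tuned before wiring it to fail2ban or an alert.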
