
Context:

I have an EC2 Ubuntu 20.04.5 LTS instance, which sits in a VPC with no public IP.

On that, I have nginx:1.23.2 running in a container and cockpit installed directly on the host.

The way it is currently configured, if I visit my private IP in the browser while on VPN, I am able to reach the login screen for Cockpit. For example http://10.235.66.23/ leads me to login.

When I attempt to log in with the correct credentials (both for root and sudo users), it leads to the exact same page I started with: login.

Inspecting the browser:

GENERAL
Request URL: http://10.235.66.23/cockpit/login
Request Method: GET
Status Code: 401 Authentication failed
Remote Address: 10.235.66.22:80
Referrer Policy: no-referrer

RESPONSE HEADERS
Connection: keep-alive
Content-Type: text/html; charset=utf8
Cross-Origin-Resource-Policy: same-origin
Date: Sun, 25 Dec 2022 23:42:41 GMT
Referrer-Policy: no-referrer
Server: nginx/1.23.2
Transfer-Encoding: chunked
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off

REQUEST HEADERS
X-Frame-Options: sameorigin
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: keep-alive
DNT: 1
Host: 10.235.66.23
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36

The status code 401 Authentication failed doesn't add up, because these credentials are good. I've also made sure to have /etc/ssh/sshd_config allow password use.

The nginx container is configured to listen on ports 8080 and 4430, and firewalld has the port forwarding:

my_zone (active)
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources: 10.0.0.0/8
  services: cockpit
  ports: 22/tcp 8081/tcp 4431/tcp 80/tcp 443/tcp 8080/tcp
  protocols:
  masquerade: yes
  forward-ports: port=80:proto=tcp:toport=8081:toaddr=
        port=443:proto=tcp:toport=4431:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:

NGINX configuration:

server {
    listen         8081;
    listen         4431;

    server_name    10.235.66.23;

    location / {
        # Required to proxy the connection to Cockpit
        proxy_pass https://127.0.0.1:9091;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for web sockets to function
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass ETag header from Cockpit to clients.
        # See: https://github.com/cockpit-project/cockpit/issues/5239
        gzip off;
    }

    location = /testapp {
        proxy_pass https://127.0.0.1:8082;
    }
}

You might have noticed the port is 9091; I have changed it here:

/usr/lib/systemd/system/cockpit.socket and here: /usr/share/cockpit/motd/update-motd

And when I check the cockpit and cockpit.socket status with systemctl:

● cockpit.service - Cockpit Web Service
     Loaded: loaded (/lib/systemd/system/cockpit.service; static; vendor preset: enabled)
     Active: inactive (dead) since Sun 2022-12-25 18:44:12 EST; 7min ago
TriggeredBy: ● cockpit.socket
       Docs: man:cockpit-ws(8)
    Process: 1106981 ExecStartPre=/usr/lib/cockpit/cockpit-certificate-ensure --for-cockpit-tls (code=exited, status=0/SUCCESS)
    Process: 1106982 ExecStart=/usr/lib/cockpit/cockpit-tls (code=exited, status=0/SUCCESS)
   Main PID: 1106982 (code=exited, status=0/SUCCESS)

Dec 25 18:42:39 ip-10-235-66-23 systemd[1]: Starting Cockpit Web Service...
Dec 25 18:42:39 ip-10-235-66-23 systemd[1]: Started Cockpit Web Service.
Dec 25 18:44:12 ip-10-235-66-23 systemd[1]: cockpit.service: Succeeded.

Everything is good.

When I run sudo journalctl -xe, I have no issues. When I look at the nginx output:

10.118.46.12 - admin[25/Dec/2022:23:53:47 +0000] "GET /cockpit/login HTTP/1.1" 200 81 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:47 +0000] "GET / HTTP/1.1" 200 11105 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:47 +0000] "GET /cockpit/static/login.js HTTP/1.1" 200 15897 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:47 +0000] "GET /cockpit/static/login.css HTTP/1.1" 200 12201 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:48 +0000] "GET /cockpit/static/branding.css HTTP/1.1" 200 500 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:49 +0000] "GET /cockpit/static/logo.png HTTP/1.1" 200 2971 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:49 +0000] "GET /cockpit/static/bg-plain.jpg HTTP/1.1" 200 81737 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:49 +0000] "GET /cockpit/login HTTP/1.1" 401 3464 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:49 +0000] "GET /cockpit/static/fonts/RedHatText-Regular.woff2 HTTP/1.1" 200 28396 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
10.118.46.12 - - [25/Dec/2022:23:53:49 +0000] "GET /cockpit/static/fonts/RedHatText-Medium.woff2 HTTP/1.1" 200 29312 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"

So, I am really not understanding what is happening. Is the authentication not passing through?

/run/cockpit/tls/server has cert.source and key.source; I am assuming the self-signed certificates are working.

If I create the /etc/cockpit/cockpit.conf file with:

[WebService]
Origins = https://10.235.66.23 127.0.0.1:9091
ProtocolHeader = X-Forwarded-Proto

[Log]
Fatal = /var/log/cockpit.log

[Session]
IdleTimeout=15

Same issue.

Not sure how to route without a public IP; I don't think you can do a combination like cockpit.<private_ip>, since I have tried.

My assumption is, the nginx configuration is not done well.

rnd om
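A consistency check over the firewalld forward-ports and the nginx listen directives posted above, as an added example that is not part of the question or of the Cockpit project. It relies on documented nginx behaviour: `$scheme`, which the posted config copies into X-Forwarded-Proto, is `https` only on a listener that carries the `ssl` flag, so a forward from 443 onto a plain `listen 4431;` leaves the upstream believing the client arrived over HTTP.

```python
import re

# Constructed inline copies of the forward-ports lines and the listen
# directives from the question above (the port numbers are the question's own).
FIREWALLD_ZONE = """\
  forward-ports: port=80:proto=tcp:toport=8081:toaddr=
        port=443:proto=tcp:toport=4431:toaddr=
"""
NGINX_CONF = """\
server {
    listen         8081;
    listen         4431;
}
"""

FORWARD_RE = re.compile(r"port=(\d+):proto=(\w+):toport=(\d+)")
LISTEN_RE = re.compile(r"^\s*listen\s+(?:[\w.:\[\]]*:)?(\d+)([^;]*);", re.M)


def parse_forwards(zone_text):
    """Map each firewalld front-end TCP port to the local port it forwards to."""
    return {int(p): int(t) for p, proto, t in FORWARD_RE.findall(zone_text)
            if proto == "tcp"}


def parse_listeners(conf_text):
    """Map each nginx listen port to whether its directive carries the ssl flag."""
    return {int(port): "ssl" in flags.split()
            for port, flags in LISTEN_RE.findall(conf_text)}


def check_chain(zone_text, conf_text):
    """For every forward, name the listener it lands on and the value nginx's
    $scheme (hence the X-Forwarded-Proto header in the posted config) carries."""
    listeners = parse_listeners(conf_text)
    findings = {}
    for front, back in parse_forwards(zone_text).items():
        if back not in listeners:
            findings[front] = "no nginx listener on port %d" % back
            continue
        scheme = "https" if listeners[back] else "http"
        if front == 443 and scheme == "http":
            findings[front] = ("forwarded to %d, which has no ssl flag: TLS "
                               "clients hit a plaintext listener and "
                               "X-Forwarded-Proto would be http" % back)
        else:
            findings[front] = "forwarded to %d, X-Forwarded-Proto=%s" % (back, scheme)
    return findings
```

Run it again after editing the listen directives (for example adding `ssl` and a certificate to the 4431 listener) to confirm every forwarded port reaches a listener whose scheme matches what the client actually used.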

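A small detector over the nginx access-log excerpt posted above, as an added example that is not part of the question. The heuristic is mine: an authenticated 200 on /cockpit/login followed within seconds by a 401 from the same client means the session established by the first request was not presented on the next one (a cookie the browser declines to return over a plain-HTTP front end is one common cause); a run of 401s from one client is the usual repeated-failure signal worth alerting on.

```python
import re
from datetime import datetime

# Constructed sample: three lines from the nginx access log in the question,
# with the User-Agent shortened. The first line carries a remote user.
SAMPLE_LOG = """\
10.118.46.12 - admin[25/Dec/2022:23:53:47 +0000] "GET /cockpit/login HTTP/1.1" 200 81 "-" "Mozilla/5.0" "-"
10.118.46.12 - - [25/Dec/2022:23:53:47 +0000] "GET / HTTP/1.1" 200 11105 "-" "Mozilla/5.0" "-"
10.118.46.12 - - [25/Dec/2022:23:53:49 +0000] "GET /cockpit/login HTTP/1.1" 401 3464 "-" "Mozilla/5.0" "-"
"""

# nginx "combined" format; \s* tolerates the missing space before '[' seen above.
LINE_RE = re.compile(
    r'^(\S+) - (\S+?)\s*\[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
LOGIN_PATH = "/cockpit/login"


def analyse(log_text, window_s=30, max_failures=5):
    """Return findings over the login endpoint:
    ('session-lost', ip, user): an authenticated 200 followed within window_s
        seconds by a 401 from the same client, i.e. the session was not retained;
    ('repeated-401', ip, n): n 401s from one client since its last success."""
    last_ok, failures, findings = {}, {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, user, ts, _method, path, status = m.groups()
        if path != LOGIN_PATH:
            continue
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if status == "200" and user != "-":
            last_ok[ip] = (user, t)
            failures[ip] = 0
        elif status == "401":
            failures[ip] = failures.get(ip, 0) + 1
            ok = last_ok.get(ip)
            if ok and (t - ok[1]).total_seconds() <= window_s:
                findings.append(("session-lost", ip, ok[0]))
                del last_ok[ip]
            if failures[ip] == max_failures:
                findings.append(("repeated-401", ip, max_failures))
    return findings
```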