cockpit.conf.5.html

---
layout: guide
---
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>cockpit.conf</title>
<meta name="generator" content="DocBook XSL Stylesheets Vsnapshot">
<link rel="home" href="index.html" title="Cockpit Guide">
<link rel="up" href="cockpit-manual.html" title="Manual pages">
<link rel="prev" href="cockpit-manual.html" title="Manual pages">
<link rel="next" href="cockpit-ws.8.html" title="cockpit-ws">
<link rel="stylesheet" href="style.css" type="text/css">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table class="navigation" id="top" width="100%" summary="Navigation header" cellpadding="2" cellspacing="2"><tr valign="middle">
<td><a accesskey="p" href="cockpit-manual.html"><img src="left.png" width="24" height="24" border="0" alt="Prev"></a></td>
<td><a accesskey="u" href="cockpit-manual.html"><img src="up.png" width="24" height="24" border="0" alt="Up"></a></td>
<td><a accesskey="h" href="index.html"><img src="home.png" width="24" height="24" border="0" alt="Home"></a></td>
<th width="100%" align="center">Cockpit Guide</th>
<td><a accesskey="n" href="cockpit-ws.8.html"><img src="right.png" width="24" height="24" border="0" alt="Next"></a></td>
</tr></table>
<div class="refentry">
<a name="cockpit.conf.5"></a><div class="titlepage"></div>
<div class="refnamediv"><table width="100%"><tr>
<td valign="top">
<h2><span class="refentrytitle">cockpit.conf</span></h2>
<p>cockpit.conf — Cockpit configuration file</p>
</td>
<td valign="top" align="right"></td>
</tr></table></div>
<div class="refsect1">
<a name="cockpit-conf-description"></a><h2>DESCRIPTION</h2>
<p>
    Cockpit can be configured via /etc/cockpit/cockpit.conf. If <code class="code">$XDG_CONFIG_DIRS</code>
    is set, then the first path containing a <code class="filename">../cockpit/cockpit.conf</code> is used
    instead. Other configuration files and directories are searched for in the same way.</p>
<p>
    This file is not required and may need to be created manually.  The file has a INI file
    syntax and thus contains key / value pairs, grouped into topical groups. See the examples
    below for details. </p>
<p>Note: The port that cockpit listens on cannot be changed in this file. To change
    the port change the systemd <code class="filename">cockpit.socket</code> file.</p>
</div>
<div class="refsect1">
<a name="cockpit-conf-webservice"></a><h2>WebService</h2>
<div class="variablelist"><table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top">
<col>
</colgroup>
<tbody>
<tr>
<td><p><span class="term"><code class="option">Origins</code></span></p></td>
<td>
<p>By default cockpit will not accept crossdomain websocket connections. Use this
            setting to allow access from alternate domains. Origins should include scheme, host
            and port, if necessary. Wildcards and glob expressions are permitted.</p>
<div class="informalexample"><pre class="programlisting">
[WebService]
Origins = https://somedomain1.com https://somedomain2.com:9090 https://*.somedomain3.com
</pre></div>
</td>
</tr>
<tr>
<td><p><span class="term"><code class="option">ProtocolHeader</code></span></p></td>
<td>
<p>Configure cockpit to look at the contents of this header to determine if a connection
          is using tls. This should only be used when cockpit is behind a reverse proxy, and care
          should be taken to make sure that incoming requests cannot set this header.</p>
<div class="informalexample"><pre class="programlisting">
[WebService]
ProtocolHeader = X-Forwarded-Proto
</pre></div>
</td>
</tr>
<tr>
<td><p><span class="term"><code class="option">ForwardedForHeader</code></span></p></td>
<td>
<p>Configure cockpit to look at the contents of this header to determine the real origin of a
          connection.  This should only be used when cockpit is behind a reverse proxy, and care
          should be taken to make sure that incoming requests cannot set this header.</p>
<div class="informalexample"><pre class="programlisting">
[WebService]
ForwardedForHeader = X-Forwarded-For
</pre></div>
</td>
</tr>
<tr>
<td><p><span class="term"><code class="option">LoginTitle</code></span></p></td>
<td><p>Set the browser title for the login screen.</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">LoginTo</code></span></p></td>
<td>
<p>When set to <code class="literal">true</code> the <span class="emphasis"><em>Connect to</em></span> option
            on the login screen is visible and allows logging into another server. When set to
            <code class="literal">false</code>, direct remote logins are disallowed. If this option is not specified
            then it will be automatically detected based on whether the
            <span class="command"><strong>cockpit-bridge</strong></span> package is installed and the <span class="command"><strong>ssh</strong></span>
            program is available.</p>
<p>If cockpit-ws is exposed to the public internet, and also has access to a private
            internal network, it is recommended to explicitly set <code class="literal">LoginTo=false</code>. This prevents
            unauthenticated remote attackers from scanning the internal network for existing machines
            and open ports.</p>
</td>
</tr>
<tr>
<td><p><span class="term"><code class="option">RequireHost</code></span></p></td>
<td><p>When set to <code class="literal">true</code> cockpit will require users to use the
            <span class="emphasis"><em>Connect to</em></span> option to specify the host to log into.</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">AllowMultiHost</code></span></p></td>
<td>
<p>
            When set to <code class="literal">true</code>, cockpit will allow
            users to connect to multiple hosts in one session. The
            default is OS specific.
          </p>
<p>
            When connecting to multiple servers, JavaScript runs
            without isolation. All systems will be vulnerable to
            potential attacks from other connected hosts. Enable this
            option <span class="emphasis"><em>only</em></span> when all hosts are
            trusted.
          </p>
</td>
</tr>
<tr>
<td><p><span class="term"><code class="option">MaxStartups</code></span></p></td>
<td>
<p>Same as the <span class="command"><strong>sshd</strong></span> configuration option by the same name.
            Specifies the maximum number of concurrent login attempts
            allowed. Additional connections will be dropped until authentication
            succeeds or the connections are closed. Defaults to 10.</p>
<p>Alternatively, random early drop can be enabled by specifying the
             three colon separated values <code class="literal">start:rate:full</code> (e.g.
             "10:30:60"). Cockpit will start refusing authentication attempts with a
             probability of <code class="literal">rate/100</code> (30%) if there are currently
             <code class="literal">start</code> (10) unauthenticated connections.  The probability
             increases linearly and all connection attempts are refused if the
             number of unauthenticated connections reaches <code class="literal">full</code> (60).</p>
</td>
</tr>
<tr>
<td><p><span class="term"><code class="option">AllowUnencrypted</code></span></p></td>
<td><p>If true, cockpit will accept unencrypted HTTP connections. Otherwise, it
            redirects all HTTP connections to HTTPS. Exceptions are connections from
            localhost and for certain URLs (like <code class="code">/ping</code>). Defaults to
            false.</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">UrlRoot</code></span></p></td>
<td><p>The root URL where you will be serving cockpit. When provided cockpit will expect all
          requests to be prefixed with the given url. This is mostly useful when you are using
          cockpit behind a reverse proxy, such as nginx. <code class="code">/cockpit/</code> and <code class="code">/cockpit+</code>
          are reserved and should not be used. For example <code class="code">/cockpit-new/</code> is ok.
          <code class="code">/cockpit/</code> and <code class="code">/cockpit+new/</code> are not.</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">ClientCertAuthentication</code></span></p></td>
<td><p>If true, enable TLS client certificates for authenticating users. Commonly
            these are provided by a smart card, but it's equally possible to import
            certificates directly into the web browser. Please see the
            <a class="ulink" href="https://cockpit-project.org/guide/latest/cert-authentication.html" target="_top">Certificate/smart card authentication</a>
            section in the Cockpit guide for details.</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">Shell</code></span></p></td>
<td><p>The relative URL to top level component to display in Cockpit once logged in.
            Defaults to <code class="code">/shell/index.html</code></p></td>
</tr>
</tbody>
</table></div>
</div>
<div class="refsect1">
<a name="cockpit-conf-log"></a><h2>Log</h2>
<div class="variablelist"><table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top">
<col>
</colgroup>
<tbody><tr>
<td><p><span class="term"><code class="option">Fatal</code></span></p></td>
<td><p>The kind of log messages in the bridge to treat as fatal. Separate multiple values
            with spaces. Relevant values are: <code class="code">criticals</code> and <code class="code">warnings</code>.</p></td>
</tr></tbody>
</table></div>
</div>
<div class="refsect1">
<a name="cockpit-conf-oauth"></a><h2>OAuth</h2>
<p>Cockpit can be configured to support the <a class="ulink" href="https://tools.ietf.org/html/rfc6749#section-4.2" target="_top">
        implicit grant</a> OAuth authorization flow. When successful the resulting oauth
        token will be passed to cockpit-ws using the <code class="literal">Bearer</code> auth-scheme.
        For a login to be successful, cockpit will also need a to be configured to verify
        and allow <code class="literal">Bearer</code> tokens.</p>
<div class="variablelist"><table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top">
<col>
</colgroup>
<tbody>
<tr>
<td><p><span class="term"><code class="option">URL</code></span></p></td>
<td><p>This is the url that cockpit will redirect the users browser to when it needs
          to obtain an oauth token. Cockpit will add a redirect_uri parameter to the url with
          the location of where the oauth provider should redirect to once a token has been
          obtained.</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">ErrorParam</code></span></p></td>
<td><p>When a oauth provider redirects a user back to cockpit, look for this parameter
          in the querystring or fragment portion of the url to find a error message. When not
          provided it will default to <code class="literal">error_description</code></p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">TokenParam</code></span></p></td>
<td><p>When a oauth provider redirects a user back to cockpit, look for this parameter
          in the querystring or fragment portion of the url to find the access token. When not
          provided it will default to <code class="literal">access_token</code></p></td>
</tr>
</tbody>
</table></div>
</div>
<div class="refsect1">
<a name="cockpit-conf-session"></a><h2>Session</h2>
<div class="variablelist"><table border="0" class="variablelist">
<colgroup>
<col align="left" valign="top">
<col>
</colgroup>
<tbody>
<tr>
<td><p><span class="term"><code class="option">Banner</code></span></p></td>
<td><p>The contents of the specified file (commonly <code class="literal">/etc/issue</code>) are shown on the login page.
          By default, no banner is displayed.</p></td>
</tr>
<tr>
<td><p><span class="term"><code class="option">IdleTimeout</code></span></p></td>
<td>
<p>Time in minutes after which session expires and user is logged out if no user action
          has been performed in the given time. This idle timeout only applies to interactive password logins.
          With non-interactive authentication methods like Kerberos, OAuth, or certificate login, the browser
          cannot forget credentials, and thus automatic logouts are not useful for protecting credentials
          of forgotten sessions. Set to <code class="literal">0</code> to disable session timeout.</p>
<div class="informalexample"><pre class="programlisting">
[Session]
IdleTimeout=15
</pre></div>
<p>When not specified, there is no idle timeout by default.</p>
</td>
</tr>
<tr>
<td><p><span class="term"><code class="option">WarnBeforeConnecting</code></span></p></td>
<td>
<p>Whether to warn before connecting to remote hosts from the Shell. Defaults to true.</p>
<div class="informalexample"><pre class="programlisting">
[Session]
WarnBeforeConnecting=false
</pre></div>
</td>
</tr>
</tbody>
</table></div>
</div>
<div class="refsect1">
<a name="cockpit-conf-bugs"></a><h2>BUGS</h2>
<p>
      Please send bug reports to either the distribution bug tracker or the
      <a class="ulink" href="https://github.com/cockpit-project/cockpit/issues/new" target="_top">upstream bug tracker</a>.
    </p>
</div>
<div class="refsect1">
<a name="cockpit-conf-author"></a><h2>AUTHOR</h2>
<p>Cockpit has been written by many
      <a class="ulink" href="https://github.com/cockpit-project/cockpit/" target="_top">contributors</a>.</p>
</div>
<div class="refsect1">
<a name="cockpit-conf-also"></a><h2>SEE ALSO</h2>
<p>
      <span class="citerefentry"><span class="refentrytitle">cockpit-ws</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">cockpit-tls</span>(8)</span>
    </p>
</div>
</div>
<div class="footer"><hr></div>
</body>
</html>