cockpit.confcockpit.conf — Cockpit configuration file |
DESCRIPTION
Cockpit can be configured via /etc/cockpit/cockpit.conf. If $XDG_CONFIG_DIRS
is set, then the first path containing a ../cockpit/cockpit.conf
is used
instead. Other configuration files and directories are searched for in the same way.
This file is not required and may need to be created manually. The file has a INI file syntax and thus contains key / value pairs, grouped into topical groups. See the examples below for details.
Note: The port that cockpit listens on cannot be changed in this file. To change
the port change the systemd cockpit.socket
file.
WebService
|
By default cockpit will not accept crossdomain websocket connections. Use this setting to allow access from alternate domains. Origins should include scheme, host and port, if necessary. [WebService] Origins = https://somedomain1.com https://somedomain2.com:9090 |
|
Configure cockpit to look at the contents of this header to determine if a connection is using tls. This should only be used when cockpit is behind a reverse proxy, and care should be taken to make sure that incoming requests cannot set this header. [WebService] ProtocolHeader = X-Forwarded-Proto |
|
Configure cockpit to look at the contents of this header to determine the real origin of a connection. This should only be used when cockpit is behind a reverse proxy, and care should be taken to make sure that incoming requests cannot set this header. [WebService] ForwardedForHeader = X-Forwarded-For |
|
Set the browser title for the login screen. |
|
When set to If cockpit-ws is exposed to the public internet, and also has access to a private
internal network, it is recommended to explicitly set |
|
When set to |
|
When set to When connecting to multiple servers, JavaScript runs without isolation. All systems will be vulnerable to potential attacks from other connected hosts. Enable this option only when all hosts are trusted. |
|
Same as the sshd configuration option by the same name. Specifies the maximum number of concurrent login attempts allowed. Additional connections will be dropped until authentication succeeds or the connections are closed. Defaults to 10. Alternatively, random early drop can be enabled by specifying the
three colon separated values |
|
If true, cockpit will accept unencrypted HTTP connections. Otherwise, it
redirects all HTTP connections to HTTPS. Exceptions are connections from
localhost and for certain URLs (like |
|
The root URL where you will be serving cockpit. When provided cockpit will expect all
requests to be prefixed with the given url. This is mostly useful when you are using
cockpit behind a reverse proxy, such as nginx. |
|
If true, enable TLS client certificates for authenticating users. Commonly these are provided by a smart card, but it's equally possible to import certificates directly into the web browser. Please see the Certificate/smart card authentication section in the Cockpit guide for details. |
|
The relative URL to top level component to display in Cockpit once logged in.
Defaults to |
Log
|
The kind of log messages in the bridge to treat as fatal. Separate multiple values
with spaces. Relevant values are: |
OAuth
Cockpit can be configured to support the
implicit grant OAuth authorization flow. When successful the resulting oauth
token will be passed to cockpit-ws using the Bearer
auth-scheme.
For a login to be successful, cockpit will also need a to be configured to verify
and allow Bearer
tokens.
|
This is the url that cockpit will redirect the users browser to when it needs to obtain an oauth token. Cockpit will add a redirect_uri parameter to the url with the location of where the oauth provider should redirect to once a token has been obtained. |
|
When a oauth provider redirects a user back to cockpit, look for this parameter
in the querystring or fragment portion of the url to find a error message. When not
provided it will default to |
|
When a oauth provider redirects a user back to cockpit, look for this parameter
in the querystring or fragment portion of the url to find the access token. When not
provided it will default to |
Session
|
The contents of the specified file (commonly |
|
Time in minutes after which session expires and user is logged out if no user action
has been performed in the given time. This idle timeout only applies to interactive password logins.
With non-interactive authentication methods like Kerberos, OAuth, or certificate login, the browser
cannot forget credentials, and thus automatic logouts are not useful for protecting credentials
of forgotten sessions. Set to [Session] IdleTimeout=15 When not specified, there is no idle timeout by default. |
|
Whether to warn before connecting to remote hosts from the Shell. Defaults to true. [Session] WarnBeforeConnecting=false |