Skip to content

Using openITCOCKPIT behind a reverse proxy

Hint

hint To be able to use openITCOCKPIT behind a reverse proxy, no adjustments have to be made to the openITCOCKPIT web server configuration!

This documentation describes how openITCOCKPIT can be run behind an Nginx or Apache2 reverse proxy.

You will need to replace the values in the example configurations below with your own values.

Value Description
openitcockpit.example.org Subdomain used to call up the openITCOCKPIT web front end.
/etc/ssl/certs/ssl-cert-snakeoil{.pem|.key} File path to the TLS certificate used to activate HTTPS
207.154.223.22 Public IPv4 address of the reverse proxy
157.230.114.24 Internal IPv4 address of the openITCOCKPIT server

Nginx as a reverse proxy

Copy the following configuration to /etc/nginx/sites-available/openitcockpit-proxy

server {
    listen 80;
    listen [::]:80;
    server_name  openitcockpit.example.org;

    server_tokens off;
    return 301 https://$host$request_uri;
}

server {

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name  openitcockpit.example.org;

    server_tokens off;

    # Set the IP Address or FQDN of your openITCOCKPIT Monitoring Server here
    set $oitcserver 157.230.114.24;

    # Set the TLS certificate you like to use - for example Let’s Encrypt
    ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    # Proxy openITCOCKPIT HTTP requests
    location / {
        proxy_pass https://$oitcserver;
        proxy_ssl_verify off;

        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Proxy Web Socket Connections
    location ~ ^/(sudo_server|push_notifications|nsta)$ {
        proxy_pass https://$oitcserver;
        proxy_ssl_verify off;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Please make sure you have amended all IP addresses to reflect your actual system values. Finally, your new configuration must be activated:

ln -s /etc/nginx/sites-available/openitcockpit-proxy /etc/nginx/sites-enabled/openitcockpit-proxy
systemctl restart nginx

openITCOCKPIT should now be accessible via your reverse proxy.

Apache2 as a reverse proxy

Copy the following configuration to /etc/apache2/sites-available/openitcockpit-proxy.conf

<VirtualHost 207.154.223.22:80>
  ServerName openitcockpit.example.org
  Redirect / https://openitcockpit.example.org/

  ErrorLog ${APACHE_LOG_DIR}/openitcockpit_error.log
  CustomLog ${APACHE_LOG_DIR}/openitcockpit_access.log combined
</VirtualHost>

<VirtualHost 207.154.223.22:443>
  ServerName openitcockpit.example.org

  # Set the IP Address or FQDN of your openITCOCKPIT Monitoring Server here
  Define oitcserver 157.230.114.24

  ServerSignature Off

  # HTTPS
  SSLEngine on
  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
  SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem

  # Logging
  ErrorLog ${APACHE_LOG_DIR}/openitcockpit_error.log
  CustomLog ${APACHE_LOG_DIR}/openitcockpit_access.log combined

  # Reverse Proxy Settings
  ProxyPreserveHost On
  SSLProxyEngine On
  SSLProxyCheckPeerName Off

  RequestHeader set X-Forwarded-Proto "https"
  RequestHeader set X-Forwarded-Port "443"
  RequestHeader set X-Forwarded-Ssl on

  # Proxy WebSocket requests
  RewriteEngine On
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /(.*)            wss://${oitcserver}/$1 [P,L]

  ProxyPass / https://${oitcserver}/
  # If you use a FQDN for external access
  ProxyPassReverse / https://openitcockpit.example.org/
  # If you use an ip address for external access
  #ProxyPassReverse / https://207.154.223.22/

</VirtualHost>

Please make sure you have amended all IP addresses to reflect your actual system values. To activate the new configuration, the required Apache modules must be loaded first.

a2enmod http2
a2enmod ssl
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_wstunnel
a2enmod headers
a2enmod rewrite

Finally, your new configuration must be activated:

a2ensite openitcockpit-proxy
systemctl restart apache2