cockpit.conf man page

cockpit.conf — Cockpit configuration file


Cockpit can be configured via /etc/cockpit/cockpit.conf. That file has a INI file syntax and thus contains key / value pairs, grouped into topical groups. See the examples below for details..

Note: The port that cockpit listens on cannot be changed in this file. To change the port change the systemd cockpit.socket file.



By default cockpit will not accept crossdomain websocket connections. Use this setting to allow access from alternate domains. Origins should include scheme, host and port, if necessary.

Origins = https://somedomain1.com https://somedomain2.com:9090


Set the browser title for the login screen.


Same as the sshd configuration option by the same name. Specifies the maximum number of concurrent login attempts allowed. Additional connections will be dropped until authentication succeeds or the connections are closed. Defaults to 10.

Alternatively, random early drop can be enabled by specifying the three colon separated values start:rate:full (e.g. "10:30:60"). Cockpit will start refusing authentication attempts with a probability of rate/100 (30%) if there are currently start (10) unauthenticated connections. The probability increases linearly and all connection attempts are refused if the number of unauthenticated connections reaches full (60).


If true, cockpit will accept unencrypted HTTP connections. Otherwise, it redirects all HTTP connections to HTTPS. Exceptions are connections from localhost and for certain URLs (like /ping). Defaults to false.


The root URL where you will be serving cockpit. When provided cockpit will expect all requests to be prefixed with the given url. This is mostly useful when you are using cockpit behind a reverse proxy, such as nginx. /cockpit/ and /cockpit+ are reserved and should not be used. For example /cockpit-new/ is ok. /cockpit/ and /cockpit+new/ are not.


Cockpit can be configured to support the implicit grant[1] OAuth authorization flow. When successful the resulting oauth token will be passed to cockpit-ws using the Bearer auth-scheme. For a login to be successful, cockpit will also need a to be configured to verify and allow Bearer tokens.


This is the url that cockpit will redirect the users browser to when it needs to obtain an oauth token. Cockpit will add a redirect_uri parameter to the url with the location of where the oauth provider should redirect to once a token has been obtained.


When a oauth provider redirects a user back to cockpit, look for this parameter in the querystring or fragment portion of the url to find a error message. When not provided it will default to error_description


When a oauth provider redirects a user back to cockpit, look for this parameter in the querystring or fragment portion of the url to find the access token. When not provided it will default to access_token


Please send bug reports to either the distribution bug tracker or the upstream bug tracker[2].


Cockpit has been written by many contributors[3].

See Also




implicit grant


upstream bug tracker



Referenced By

cockpit(1), cockpit-ws(8).

Explore man page connections for cockpit.conf(5).

cockpit cockpit.conf 10/22/2016