Cockpit's cockpit-ws
component is configured by default to accept
connections on port 9090
. This is the port that is documented for a
"Web-based System Manager" to listen on. It is also relatively memorable.
However there are many reasons you may wish to change the default port. For
example other software may use port 9090
or you may wish to setup
Cockpit to listen on 443
instead. It is also possible to have Cockpit
only listen on one specific IP address.
Note that it is only required to have Cockpit listening on a TCP port on
the server that you access with your web browser. If you add multiple servers
with host switcher, Cockpit will connect to those servers via
ssh
.
The systems that Cockpit runs on are typically locked down with firewalls, SELinux, so changing the default port is not as easy as editing a configuration file.
On servers with
systemd
Cockpit starts on demand via socket activation. To change its port and/or address
you should place the following content in the
/etc/systemd/system/cockpit.socket.d/listen.conf
file. Create the file
and directories in that path which not already exist. The ListenStream
option specifies the desired address and TCP port.
[Socket] ListenStream= ListenStream=443
[Socket] ListenStream= ListenStream=192.168.1.1:443 FreeBind=yes
NOTE: The first empty line is intentional. systemd
allows multiple Listen
directives to be declared in a single socket unit. To change the activation port instead of adding a second port, use a full override unit instead of a snippet.
The FreeBind
option is highly recommended when defining specific IP addresses. See the systemd.socket
manpage for details.
Cockpit can actually listen on multiple ports, also:
[Socket] ListenStream= ListenStream=443 ListenStream=7777
As above, it's recommended to start with an override unit, otherwise it's possible one of your multiple listen addresses might conflict.
In order for the changes to take effect, run the following commands:
$ sudo systemctl daemon-reload $ sudo systemctl restart cockpit.socket
If SELinux is protecting your server, then you will need to tell it to allow Cockpit to listen on the new port. Run the following command to do so. The last argument specifies the desired TCP port.
$ sudo semanage port -a -t websm_port_t -p tcp 9999
If the port is already defined by some other part of the SELinux policy, then
you will need to use the -m
argument to modify the definition. That's
the case with the 443
SSL port, which is typically defined as an
http_port_t
port.
$ sudo semanage port -m -t websm_port_t -p tcp 443
The changes should take effect immediately.
If Firewalld is configured as your firewall, then you will need to tell it to allow Cockpit to receive connections on the new port. Run the following commands to do so. The last options specify the desired TCP port.
$ sudo firewall-cmd [--zone=ZONE] --add-port=443/tcp $ sudo firewall-cmd --permanent [--zone=ZONE] --add-port=443/tcp