1. Edit the /etc/apt/sources.list file, or create a new file /etc/apt/sources.list.d/Backports.list, and add the lines below
deb http://ftp.debian.org/debian/ stretch-backports main contrib non-free
deb http://packages.prosody.im/debian stretch main
deb https://apt.dockerproject.org/repo debian-stretch main
2. Install cockpit package
#sudo apt-get update
#sudo apt-get install cockpit
3. Manage SSL certificate for cockpit (by using existing SSL certificates)
#cat /etc/cockpit/ws-certs.d/cockpit.base.cert > /etc/cockpit/ws-certs.d/0-self-signed.cert
#cat /etc/ssl/certs/web/mydomain.com/fullchain.pem >> /etc/cockpit/ws-certs.d/0-self-signed.cert
#systemctl reload cockpit
4. Configure apache2 for SSL certificate and redirection
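Create a file /etc/apache2/sites-available/cockpit.conf and put the entries given below in it. The directives used here need the Apache modules ssl, rewrite, proxy, proxy_http and proxy_wstunnel to be enabled.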
<VirtualHost *:80>
    ServerName cockpit.mydomain.com
    Redirect permanent / https://cockpit.mydomain.com/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName cockpit.mydomain.com
    SSLCertificateFile /etc/ssl/certs/web/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/certs/web/mydomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    ProxyPreserveHost On
    ProxyRequests Off
    # allow for upgrading to websockets
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*) ws://127.0.0.1:9090/$1 [P,L]
    RewriteCond %{HTTP:Upgrade} !=websocket [NC]
    RewriteRule /(.*) http://127.0.0.1:9090/$1 [P,L]
    # Proxy to your local cockpit instance
    ProxyPass / http://127.0.0.1:9090/
    ProxyPassReverse / http://127.0.0.1:9090/
</VirtualHost>
</IfModule>
5. Configure iptables to drop requests to port 9090 from the outside world
#iptables -A INPUT -p tcp -s 127.0.0.1 --dport 9090 -j ACCEPT
#iptables -A INPUT -p tcp --dport 9090 -j DROP
6. Enable Apache Configuration
#ln -s /etc/apache2/sites-available/cockpit.conf /etc/apache2/sites-enabled/cockpit.conf
#systemctl reload apache2
Summary:
After this setup, the Cockpit web terminal will be available only at https://cockpit.mydomain.com, and https://cockpit.mydomain.com:9090 will not work.
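Added example (not part of the original guide): step 5 appends its rules with -A, so an ACCEPT rule already earlier in the INPUT chain would still let outside clients reach port 9090. The shell function below, whose name verdict_9090 and sample rules are constructed for illustration, reads the output of iptables -S INPUT and reports what the first matching rule does to such a connection.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# verdict_9090 reads `iptables -S INPUT` output on stdin and prints what the
# first matching rule does to a new TCP connection to port 9090 coming from
# a non-loopback IPv4 address: ACCEPT, DROP, REJECT or REVIEW.
# Limits: jumps to user-defined chains are not followed; rules with extra
# matches (interface, state, other sources) are only flagged as REVIEW when
# they explicitly ACCEPT port 9090.
verdict_9090() {
    awk '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        target = ""; applies = 1; unknown = 0; port = 0
        for (i = 3; i <= NF; i++) {
            arg = $(i + 1)
            # -j comes last in -S output; anything after it is a target option
            if ($i == "-j") { target = arg; break }
            else if ($i == "-p") { if (arg != "tcp") applies = 0; i++ }
            else if ($i == "-m" && arg == "tcp") { i++ }
            else if ($i == "--dport") {
                if (arg == "9090") { port = 1 } else { applies = 0 }
                i++
            }
            # loopback-only rules never match an outside client
            else if ($i == "-s" && arg ~ /^127\./) { applies = 0; i++ }
            else unknown = 1
        }
        if (!applies) next
        if (!unknown && target ~ /^(ACCEPT|DROP|REJECT)$/) {
            print target; found = 1; exit
        }
        if (port && target == "ACCEPT") { print "REVIEW"; found = 1; exit }
    }
    END { if (!found) print (policy == "" ? "ACCEPT" : policy) }
    '
}

# Constructed sample: the two rules from step 5 as `iptables -S INPUT`
# lists them on a host with no other INPUT rules. Prints DROP.
verdict_9090 <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 9090 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9090 -j DROP
EOF
```

On the server, feed it the live rules as root with iptables -S INPUT | verdict_9090. iptables covers IPv4 only, so a host with IPv6 connectivity needs matching ip6tables rules for port 9090.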