Reverse Proxy Issue

[AmansRevenger]

• code-server version: v1.1156-vsc1.33.1
• OS Version: Ubuntu 18.04

Description

Reverse Proxy doesnt work at all.

It either results in failed SSL Handshake or

this:

Reverse Proxy Settings with working grafana above:

What am I missing?

[giantcow]

Your proxy pass needs to be http://localhost:8443 not http://giovanni:8443 I believe. I'm not sure where you got giovanni from.

[AmansRevenger]

giovanni is the hostname of the server in the network where the docker containers and services run, nginx itself is a docker container, so localhost wont work...

[fbartels]

To me it seems the issue is that you are trying to proxy Code-Server as a subfolder. AFAIK it has to run in root of the domain.

[AmansRevenger]

So mywebsite.com/vscode would never work?

[fbartels]

No, at least not how it is currently designed. You would need to setup vscode.mywebsite.com.

A lot of programs are designed this way today. With sni and free certs from let's encrypt this is also not much work. Only potential roadblock would be DNS providers not allowing additional DNS entries.

[AmansRevenger]

I already use letsEncrypt, but I dont think I can setup a whole subdomain...

[deansheather]

At the moment (until #722 is merged), code-server doesn't work when it's not mounted at root (/) in your reverse proxy.

You should be able to easily issue a new certificate for a subdomain on your domain through letsencrypt very easily, and then create a new virtual host in nginx.

[abubakar-bilal]

@deansheather I just created a subdomain and added configuration for proxy. But it gives me following error

Nginx conf

server {
  listen 443 ssl;
  server_name ide.mysite.com;

  location / {
    proxy_pass http://localhost:8443;
    proxy_set_header Host            $host:$server_port;
    proxy_set_header X-Forwarded-For $remote_addr;
    add_header 'Access-Control-Allow-Origin' 'https://mysite.com';
    add_header 'Access-Control-Allow-Origin' 'http://localhost';
    add_header 'Access-Control-Allow_Credentials' 'true';
  }
}

Error
WebSocket connection to 'wss://ide.mysite.com/' failed: Error during WebSocket handshake: Unexpected response code: 200

https://ide.mysite.com

[deansheather]

@abubakar-bilal Add the following to your location block:

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
proxy_set_header Accept-Encoding gzip;

[abubakar-bilal]

Hey @deansheather

Here is an issue, sub_filter is not working with above #770 (comment) proxy settings. People are saying that because you have gzip enabled therefore it's not working. And when I do this
proxy_set_header Accept-Encoding "";

Code server starts giving me Not Found and console inspect says this

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-jKkgppGJ08cqS5XKPdlf/Mdph8lsIR979iy7r3fw7Mw='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

A bad HTTP response code (404) was received when fetching the script.

Can you please guide me how can I achieve this. I want to use sub_filter on nginx level with proxy pass of code server.

[DarkIrata]

Hey!
Having a running server behind a reverse proxy through nginx.

  listen 443 ssl;
  server_name code.MYDOMAIN.TLD;

  location / {
        # redirect all HTTP traffic
        proxy_pass http://10.0.2.5:8443/;

        proxy_set_header  Host 10.0.2.5:8443;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-Proto https;
        proxy_set_header  X-Forwarded-For $remote_addr;
        proxy_set_header  X-Forwarded-Host $remote_addr;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

...CERTBOT SSL THINGS...

this configuration (even with less proxy_set_header works fine). The reason i have them all is that my problem is that while the reverse proxy works fine, could it be that the forwarded headers gets ignored?
In the code-server log i only see the IP from the nginx server (10.0.2.2).
INFO WebSocket opened / {"client":5,"ip":"10.0.2.2"}

[deansheather]

@abubakar-bilal GH-826 should fix the Accept-Encoding issue you have and allow you to use substitution filters in your reverse proxy.

@DarkIrata code-server doesn't have any mechanism to trust reverse proxies, nor is it needed since code-server doesn't do anything with remote IP addresses (except for logging them). If you'd like to log access to your code-server instance with nginx (or any other reverse proxy), I'd recommend using the access_log.

[yihengli]

@abubakar-bilal GH-826 should fix the Accept-Encoding issue you have and allow you to use substitution filters in your reverse proxy.

Cannot wait to test this fix, as using substitution filters may allow users to add customized styles and fonts resources directly into the browser, potentially a hackaround for #760 .

(Or let me know if there are more native ways for code-server to customized fonts etc.)

[abubakar-bilal]

@deansheather Thanks so much for this fix. I would like to hear how can I test this on my side. Because currently I download the release and running that on my machine. How can I test this PR to see if my issue fixed.

@yihengli Yes if this works, then definitely custom styling issues will be fixed.

Thanks so much for all the support provided by you guys. Really appreciate that.

[deansheather]

You can compile it by checking out my branch and running:

yarn install
NODE_ENV=production VERSION=local-dev yarn task build:server:binary
./packages/server/cli-linux-x64 --help

[deansheather]

BTW, I did end up creating a PR with a --trust-proxy arg: GH-835.

[abubakar-bilal]

You can compile it by checking out my branch and running:

yarn install
NODE_ENV=production VERSION=local-dev yarn task build:server:binary
./packages/server/cli-linux-x64 --help

ERROR BUILD:WEB failed {"exitCode":1,"stdout":"\n> @coder/web@ build /home/code-server/packages/web\n> ../../node_modules/.bin/cross-env UV_THREADPOOL_SIZE=100 node --max-old-space-size=32384 ../../node_modules/webpack/bin/webpack.js --config ./webpack.config.js\n\nHappy[ts]: Version: 5.0.1. Threads: 1\nHappy[ts]: All set; signaling webpack to proceed.\n","stderr":"npm WARN lifecycle The node binary used for scripts is /tmp/yarn--1562586803937-0.6531972737635816/node but npm is using /usr/bin/node itself. Use the --scripts-prepend-node-path option to include the path for the node binary npm was executed with.\nnpm ERR! code ELIFECYCLE\nnpm ERR! errno 1\nnpm ERR! @coder/web@ build: ../../node_modules/.bin/cross-env UV_THREADPOOL_SIZE=100 node --max-old-space-size=32384 ../../node_modules/webpack/bin/webpack.js --config ./webpack.config.js\nnpm ERR! Exit status 1\nnpm ERR! \nnpm ERR! Failed at the @coder/web@ build script.\nnpm ERR! This is probably not a problem with npm. There is likely additional logging output above.\n\nnpm ERR! A complete log of this run can be found in:\nnpm ERR! /root/.npm/_logs/2019-07-08T11_57_42_562Z-debug.log\n"}

@deansheather I'm getting this error on second step.

[abubakar-bilal]

@deansheather Can you please let me know about this issue. How can I complete this setup. Because on mac it's working fine. and build is getting created.

[deansheather]

@abubakar-bilal Please post a link to the log file at the end of the error message as a gist. The log doesn't really tell me much except that it exited early.

Make sure the node version installed is 10.15.1, and the node version yarn is using is the same one (apparently yarn is using a different instance of node). Try running the yarn commands with --scripts-prepend-node-path.

[abubakar-bilal]

Here is the gist link attached of log file.
https://gist.github.com/abubakar-bilal/15e415d5388f0540e198bec1ac8d638e

[deansheather]

Try again with node 10.15.1 and with the --scripts-prepend-node-path on the yarn commands.

[abubakar-bilal]

I updated node to 10.16.0 and again tried with scripts prepend added. Now that npm node warning went away. But still it gives error. Here is the gist of attached log file https://gist.github.com/abubakar-bilal/db47a5354e6e7c03abae04e401ee7b6c

[code-asher]

v2 has changed quite a bit surrounding all this so I'm uncertain how much if any still applies. I suppose for now I'll close this since it references v1 and if there are reverse proxy issues in v2 I'd love to hear them (either here or a new issue).

[datsabk]

@code-asher Having the same issue with v2 as well. I saw that you tried to do some patching for the same. Has it been pushed and is it working?

[code-asher]

It should be working; I do most of my testing through a reverse proxy. If you're hosting at a subpath and using the login page then make sure you've set the `--base-path` flag so code-server can redirect to properly.

[jiayiliu]

The flag is not in the latest release yet. I got the error below
error Unknown option --base-path=/vscode

version info.
code-server 3.11.1 c680aae

It should be working; I do most of my testing through a reverse proxy. If you're hosting at a subpath and using the login page then make sure you've set the --base-path flag so code-server can redirect to properly.

[code-asher]

--base-path was removed, actually. code-server should work behind a base path even without this flag.