I can't figure out the correct apache config in order to proxy https and wss requests correctly. My apache config looks something like this:
````
<VirtualHost *:443>
    ServerName code.mydomain.net
    ProxyRequests off
    ProxyPreserveHost on
    AllowEncodedSlashes NoDecode
    RequestHeader set X-Forwarded-Proto https
    RequestHeader set X-Forwarded-Port 443
    ProxyPass / http://code.code:8080/ nocanon
    ProxyPassReverse / http://code.code:8080/
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
````
My problem now is that this configuration blocks all websocket requests. In order to also proxy websocket connections I would need to add something like this to my Apache config:
````
ProxyPass / ws://code.code:8080/
ProxyPassReverse / http://code.code:8080/
````
The problem with this is that it will not work with the same URL path as the https proxy statements (https://code.mydomain.net/ and wss://code.mydomain.net/). Usually the websocket connection would be handled by a different path (e.g. wss://code.mydomain.net/websocket/).
So my question is: Is there any way to achieve this with code-server and apache?
I don't know a ton of Apache so I may not be too helpful here, but this is the working NGINX config.
I've those rules after the ServerName definition and it seems to do the job.
````
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://127.0.0.1:3000/$1 [P,L]
````
@Foxtur Yes, that worked! Thanks!
Could we possibly get a PR to update the docs with Apache instructions?
> I've those rules after the ServerName definition and it seems to do the job.
>
> ````
> RewriteEngine On
> RewriteCond %{HTTP:Upgrade} =websocket [NC]
> RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L]
> RewriteCond %{HTTP:Upgrade} !=websocket [NC]
> RewriteRule /(.*) http://127.0.0.1:3000/$1 [P,L]
> ````

This stopped working for V2, do you know how to fix it?
Thanks.
> This stopped working for V2, do you know how to fix it?
> Thanks.

@waclaw66 For V2 try changing the port from 3000 to the port that code-server runs on (in my case 8443).
Mine looks like this and it works for me:
````
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) wss://127.0.0.1:8443/$1 [P,L]
SSLProxyEngine on
ProxyPreserveHost on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
ProxyPass / https://127.0.0.1:8443/
ProxyPassReverse / https://127.0.0.1:8443/
````
Also FYI make sure you have the required modules enabled:
````
apachectl -M | grep proxy
proxy_module (shared)
proxy_http_module (shared)
proxy_wstunnel_module (shared)
````
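
The same Upgrade-header split for an HTTPS backend, with backend certificate verification left on rather than `SSLProxyCheckPeerCN off` / `SSLProxyCheckPeerName off` (an added example, not a config posted by anyone in this thread). The names `code.example.net` and `code-backend.internal`, port 8443 and all file paths are placeholders, and the backend certificate is assumed to be issued by a private CA whose certificate Apache can read.

```apache
# Added example: hostnames, port and file paths are placeholders.
<VirtualHost *:443>
    ServerName code.example.net

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.net/privkey.pem

    ProxyRequests off
    ProxyPreserveHost on
    RequestHeader set X-Forwarded-Proto https

    # TLS towards the backend, with the backend certificate verified.
    # Assumption: the certificate chains to the CA below and lists both
    # code.example.net and code-backend.internal as subjectAltName entries,
    # so the name check passes whether Apache compares against the
    # preserved Host header or the host in the backend URL.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/apache2/ssl/code-backend-ca.pem
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # WebSocket handshakes carry "Upgrade: websocket"; route those to the
    # wss:// scheme so mod_proxy_wstunnel handles them on the same path.
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/(.*)$ wss://code-backend.internal:8443/$1 [P,L]

    # Every other request on the same path goes to the backend over HTTPS.
    ProxyPass        / https://code-backend.internal:8443/
    ProxyPassReverse / https://code-backend.internal:8443/
</VirtualHost>
```

With verification on, a backend that presents an expired, mismatched or untrusted certificate makes the proxied request fail, and the reason is logged in Apache's error log.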
@JtMotoX thanks for your answer, but the original settings work again in the latest version of code-server. I just forgot to update it here.
Hi, can someone please share the whole .conf file? Having a hard time setting up. Thanks.
````
ServerName vscode.mydomain.com
<Location "/">
ProxyPreserveHost On
ProxyPass http://127.0.0.1:8080/
ProxyPassReverse http://127.0.0.1:8080/
</Location>
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
````
````
[Unit]
Description=code-server
After=apache2.service
[Service]
User=root
WorkingDirectory=/var/www/
Environment=PASSWORD=SUPERPASSWORD
ExecStart=/root/bin/code-server --host 127.0.0.1 --port 8080 --user-data-dir /root/data --auth password
Restart=always
[Install]
WantedBy=multi-user.target
````
> Hi, can someone please share the whole .conf file? Having a hard time setting up. Thanks.

@amitkhare, I didn't post my entire config because mine is slightly more complicated than most. I will post it here since you asked. Hope it helps.
My Setup:
Apache Reverse Proxy (condensed):
````
<VirtualHost *:80>
    ServerName code.mysite.com
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
    DocumentRoot /var/www/dummy/public_html
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/mysite.com/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/mysite.com/chain.pem
    ServerAdmin [email protected]
    DocumentRoot /var/www/dummy/public_html
    ServerName code.mysite.com
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*) wss://10.249.98.11/$1 [P,L]
    Header set X-Frame-Options ALLOWALL
    SSLProxyEngine on
    ProxyPreserveHost on
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    ProxyPass / https://10.249.98.11/
    ProxyPassReverse / https://10.249.98.11/
</VirtualHost>
````
Nginx Reverse Proxy (condensed) (running on my macbook):
````
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name mymacbookfqdn;
    ssl_certificate /etc/ssl/code-server-cert/server.crt;
    ssl_certificate_key /etc/ssl/code-server-cert/server.key;
    root /var/www/code-server;
    index index.php index.html index.htm;

    # SETUP PROXY HEADERS
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # AUTHENTICATION URL PATH FOR LOGIN AND LOGOUT
    location ~ ^/authentication {
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass php:9000;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param REMOTE_ADDR2 $remote_addr;
        }
    }

    # REDIRECT LOGOUT URI TO LOGOUT FILE
    location ~ ^/logout {
        return 307 $scheme://$host/authentication/logout.php;
    }

    # TURN THIS ON FOR DEBUGGING
    # rewrite_log on;
    # error_log /var/log/nginx/error.log notice;

    # REDIRECT FAVICON TO MY CUSTOM FAVICON
    rewrite ^\/(?!favicon).*favicon.ico$ /favicon.ico redirect;

    # USER NAVIGATES TO ANY URI
    location / {
        # CHECK AUTHENTICATION
        if ($cookie_authentication != "SomeLongRandomGeneratedString") {
            proxy_pass $scheme://$host/authentication/login.php;
        }
        # TRY TO SERVE THEM LOCAL FILE. IF NOT EXIST THEN SEND THEM THROUGH PROXY
        try_files $uri @proxy;
    }

    # USE GATEWAY AS RESOLVER INSTEAD OF VPN
    resolver 10.249.98.1;

    # CODE-SERVER
    location @proxy {
        proxy_pass https://10.249.98.11:8443;
    }
}
````
> I don't know a ton of Apache so I may not be too helpful here, but this is the working NGINX config.

@NGTmeaty sorry bro, this file is missing, do you have an updated link?