Code-server: 127.0.0.1 by default vs 0.0.0.0

Created on 5 Apr 2019  路  9Comments  路  Source: cdr/code-server
  • code-server version: v1.604-vsc1.32.0
  • OS Version: macOS 10.14.4 (18E226)

Description

It has been discussed that using 127.0.0.1 might be better than using 0.0.0.0 for the default host for security reasons when running code-server. A user should have to explicitly set 0.0.0.0 as the host if they want to use it with the -h flag

Steps to Reproduce

  1. Start code server INFO Starting webserver... {"host":"0.0.0.0","port":8443}
picture nol166

Most helpful comment

Yea I agree it would be a bad idea to change the behaviour. I guess what we really want is to listen on localhost if the --no-auth or --allow-http flags are passed as at that point listening on 0.0.0.0 is potentially insecure.

picture nhooyr on 5 Apr 2019
👍2

All 9 comments

@nol166 is there any record of this discussion that you can link to this issue?

MichaelDesantis picture MichaelDesantis on 5 Apr 2019

@nhooyr Discussed it this morning and asked me to make this issue

https://superuser.com/questions/949428/whats-the-difference-between-127-0-0-1-and-0-0-0-0

nol166 picture nol166 on 5 Apr 2019
👍1

I think the overwhelming use case of code-server would be to access it over the internet, not from the same machine. If this is a security issue why not just remove the --no-auth flag from the docker one-liner?

coadler picture coadler on 5 Apr 2019
👍2

I think a better solution would be to just add a warning. Changing the default behavior would most likely break a lot of scripts/deployments

coadler picture coadler on 5 Apr 2019
👍1

@coadler That might be a better solution if it will screw up deployments. Thoughts @nhooyr?

nol166 picture nol166 on 5 Apr 2019

Yea I agree it would be a bad idea to change the behaviour. I guess what we really want is to listen on localhost if the --no-auth or --allow-http flags are passed as at that point listening on 0.0.0.0 is potentially insecure.

nhooyr picture nhooyr on 5 Apr 2019
👍2

That seems sensible to me. I could see this affecting people behind reverse proxies that handle auth/tls upstream though, so we should be sure to document the change on the next release

coadler picture coadler on 5 Apr 2019

updated the pr

nol166 picture nol166 on 5 Apr 2019

PR is here for people from the future following this thread https://github.com/codercom/code-server/pull/441

MichaelDesantis picture MichaelDesantis on 5 Apr 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

rcarmo picture rcarmo  路  3Comments
broady picture broady  路  3Comments
pchecinski picture pchecinski  路  3Comments
sa7mon picture sa7mon  路  3Comments
RealSlimMahdi picture RealSlimMahdi  路  3Comments