Code-server: How to run code-server with HTTPS by a low privilege user?

I don't think this has something to deal with privilege access but something with the internals. I recommend trying a reverse proxy for doing SSL instead in the near future.

@sr229 Thank you for your answer. That sounds good.
However, I tried nginx reverse proxy, but it didn't work. Is it already supported?

What worked for me (using apache2)
code-server is running on localhost:6666
```

ServerName example.com

    #proxing breaks login for some reason -> do login via http and apache
<Location />    
  AuthType Basic
      AuthName "Login"
      AuthUserFile xxxxxx
      Require valid-user
</Location>

ErrorLog ${APACHE_LOG_DIR}/code_error.log
CustomLog ${APACHE_LOG_DIR}/code_access.log combined

RewriteEngine On
ProxyRequests On
ProxyVia On
# Proxy Traffic
RewriteCond %{HTTP:Upgrade} =websocket
    RewriteRule /(.*)           ws://localhost:6666/$1 [P,L]
    RewriteCond %{HTTP:Upgrade} !=websocket
    RewriteRule /(.*)           http://localhost:6666/$1 [P,L]

    #SSL certificate (letsencrypt)
    SSLCertificateFile /etc/letsencrypt/xxxxxx
SSLCertificateKeyFile /etc/letsencrypt/xxxxxx
Include /etc/letsencrypt/options-ssl-apache.conf

What worked for me (using apache2)
code-server is running on localhost:6666

<VirtualHost *:443>
  ServerName example.com

        #proxing breaks login for some reason -> do login via http and apache
  <Location />    
    AuthType Basic
          AuthName "Login"
          AuthUserFile xxxxxx
          Require valid-user
  </Location>

  ErrorLog ${APACHE_LOG_DIR}/code_error.log
  CustomLog ${APACHE_LOG_DIR}/code_access.log combined

  RewriteEngine On
  ProxyRequests On
  ProxyVia On
  # Proxy Traffic
  RewriteCond %{HTTP:Upgrade} =websocket
        RewriteRule /(.*)           ws://localhost:6666/$1 [P,L]
        RewriteCond %{HTTP:Upgrade} !=websocket
        RewriteRule /(.*)           http://localhost:6666/$1 [P,L]

        #SSL certificate (letsencrypt)
        SSLCertificateFile /etc/letsencrypt/xxxxxx
  SSLCertificateKeyFile /etc/letsencrypt/xxxxxx
  Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

@sr229 This knowledge should be addded to README.md, if it's not already added somewher, or any other doc :)

It already is

@TheHllm Thank you. But I'm using nginx. Do you know if it works via nginx?
client > nginx > Apache2 > code-server

@ttfan240

It already is

rtfm

@TheHllm OK, I'll try myself later.
(Before writing this issue, I had already tried the manual for nginx alone and looked for other issues. Eventually I found that the error was postponed.)

Thanks, I resolved. Now I can use nginx reverse proxy.
I use the following. I added proxy_redirect. (To disable buffering may not be proper.)

server {
    listen 80;
    listen 443 ssl;
    server_name  code.example.com;

    ssl_certificate      /etc/letsencrypt/live/code.example.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/code.example.com/privkey.pem;

    location /code/ {
        proxy_set_header Host            $host;
        proxy_set_header Upgrade         $http_upgrade;
        proxy_set_header Connection      upgrade;
        proxy_set_header Accept-Encoding gzip;

        proxy_redirect http://$host https://$host/code;

        proxy_buffering off;

        proxy_pass http://localhost:55555/;
    }
}

I'm grateful for this project, so I summarize below what I tried and what happened. (I think It may be helpful.)
But unfortunately, I'm not a native English speaker. There may be something strange.

Circumstances
I want to use code-server on iPad, but it doesn't work with basic authentication. (# 89)
So I decided to use the built-in password authentication.
When I prepared a dedicated domain and tried executing it at the root path, it worked as expected.
However, even if I moved it to a sub-path, it redirected requests to the path without the base-path. (not found)
As written in # 857 about this problem, when I specified --base-path option, it redirects correctly. But when I ran code-server without specifying a certificate, it redirected with HTTP (# 1233).
Besides, when I specified a certificate, it redirected with HTTPS, but it didn't work with a low-privilege user (I wrote on the top of this issue). And I agreed that it is better to run with HTTP and proxy with nginx.
Although it is possible to redirect HTTP requests to HTTPS, I think it is more efficient to rewrite the redirect destination with proxy_redirect, because it avoids additional redirecting once. Also, I don't need to specify the --base-path option, so I can prevent the base-path settings from being scattered in some files.

See #1331

Sorry, I have deviated from the main subject.

So, I have the same issue. When I run coder with my normal user with valid letsencrypt certs I will get a blank page after password prompt.

code-server --host 0.0.0.0 --cert /etc/letsencrypt/live/MYDOMAIN/fullchain.pem --cert-key /etc/letsencrypt/live/MYDOMAIN/privk ey.pem --auth password

If I run coder with sudo everything works fine.

sudo code-server --host 0.0.0.0 --cert /etc/letsencrypt/live/MYDOMAIN/fullchain.pem --cert-key /etc/letsencrypt/live/MYDOMAIN/privk ey.pem --auth password

Is using a reverse HTTPS proxy recommended? I couldn´t find any kind of documentation about this behaviour. From the output of code-server -h It looks like passing the paths to the certs directly is acceptable.

sr229 replied that

I don't think this has something to deal with privilege access but something with the internals. I recommend trying a reverse proxy for doing SSL instead in the near future.

I interpreted this reply as recommending reverse proxying over HTTP. I consider that it has no security problems if it is proxied to localhost.