docksal / addons

Community driven, submit your addon! Docksal addons that can be installed via `fin addon install` command.
MIT License

Coder addon with LetsEncrypt on Ubuntu server #45

Closed acondura closed 4 years ago

acondura commented 5 years ago

I've just finished creating an addon named 'coder' which uses a fork of https://github.com/cdr/code-server and because I'm using a wildcard SSL from LetsEncrypt on an Ubuntu server, I use URLs like ide-project1.domain.com, ide-project2.domain.com, etc.

After going through the Docksal docs for a few days now, I ran out of options to test and make http://ide-project1.domain.com go to HTTPS://ide-project1.domain.com. I looked at https://docs.docksal.io/service/web/settings/ and applied those settings but it just would not work.

HTTPS://ide-project1.domain.com does work but it does not force http to https. Any idea why?

fin config:

---------------------
COMPOSE_PROJECT_NAME_SAFE: joccom
COMPOSE_FILE:
/home/joccom/.docksal/stacks/volumes-bind.yml
/home/joccom/.docksal/stacks/stack-acquia.yml
/home/joccom/project/joccom/.docksal/docksal.yml
ENV_FILE:
/home/joccom/project/joccom/.docksal/docksal.env
/home/joccom/project/joccom/.docksal/docksal-local.env

PROJECT_ROOT: /home/joccom/project/joccom
DOCROOT: docroot
VIRTUAL_HOST: joccom.opncld.com
VIRTUAL_HOST_ALIASES: *.joccom.opncld.com
IP: 192.168.64.100
MYSQL: 192.168.64.100:32771

Docker Compose configuration
---------------------
services:
  cli:
    dns:
    - 192.168.64.100
    - 8.8.8.8
    environment:
      BLACKFIRE_CLIENT_ID: null
      BLACKFIRE_CLIENT_TOKEN: null
      DOCROOT: docroot
      DRUSH_ALLOW_XDEBUG: '0'
      GIT_USER_EMAIL: andrei@condurachi.ro
      GIT_USER_NAME: Andrei Condurachi
      HOST_GID: '1001'
      HOST_UID: '1001'
      PHP_IDE_CONFIG: serverName=joccom.opncld.com
      SECRET_ACAPI_EMAIL: andre*****hi.ro
      SECRET_ACAPI_KEY: zwjBt*****KjSAB
      SECRET_PLATFORMSH_CLI_TOKEN: null
      SECRET_SSH_PRIVATE_KEY: null
      SECRET_TERMINUS_TOKEN: null
      VIRTUAL_HOST: joccom.opncld.com
      XDEBUG_CONFIG: remote_connect_back=0 remote_host=192.168.64.1
      XDEBUG_ENABLED: '0'
    hostname: cli
    image: docksal/cli:php7.1
    volumes:
    - docksal_ssh_agent:/.ssh-agent:ro
    - cli_home:/home/docker:rw
    - project_root:/var/www:rw,nocopy
  coder:
    command: code-server --cert /home/coder/certs/ide-joccom.opncld.com.crt --cert-key
      /home/coder/certs/ide-joccom.opncld.com.key --allow-http -e /home/coder/.local/share/code-server/extensions
    hostname: ide-joccom
    image: acondura/code-server
    labels:
      io.docksal.virtual-host: ide-joccom.opncld.com
    user: 1000:1000
    volumes:
    - /home/joccom/.ssh:/home/coder/.ssh:rw
    - /home/joccom/.docksal/certs:/home/coder/certs:rw
    - /home/joccom/project/joccom:/home/coder/project:rw
  db:
    dns:
    - 192.168.64.100
    - 8.8.8.8
    environment:
      MYSQL_ALLOW_EMPTY_PASSWORD: null
      MYSQL_DATABASE: default
      MYSQL_INITDB_SKIP_TZINFO: null
      MYSQL_ONETIME_PASSWORD: null
      MYSQL_PASSWORD: user
      MYSQL_RANDOM_ROOT_PASSWORD: null
      MYSQL_ROOT_PASSWORD: root
      MYSQL_USER: user
    hostname: db
    image: docksal/mysql:5.6-1.4
    ports:
    - 0:3306/tcp
    volumes:
    - db_data:/var/lib/mysql:rw
    - project_root:/var/www:ro,nocopy
  memcached:
    command:
    - -m
    - '128'
    dns:
    - 192.168.64.100
    - 8.8.8.8
    hostname: memcached
    image: memcached:1.4-alpine
  solr:
    dns:
    - 192.168.64.100
    - 8.8.8.8
    hostname: solr
    image: docksal/solr:1.0-solr4
    labels:
      io.docksal.cert-name: none
      io.docksal.virtual-host: solr.joccom.opncld.com,solr.joccom.opncld.com.*
      io.docksal.virtual-port: '8983'
    volumes:
    - project_root:/var/www:ro,nocopy
  varnish:
    depends_on:
      web:
        condition: service_started
    dns:
    - 192.168.64.100
    - 8.8.8.8
    environment:
      VARNISH_BACKEND_HOST: web
    hostname: varnish
    image: docksal/varnish:4.1-2.0
    labels:
      io.docksal.cert-name: none
      io.docksal.virtual-host: varnish.joccom.opncld.com,varnish.joccom.opncld.com.*
    volumes:
    - project_root:/var/www:ro,nocopy
  web:
    depends_on:
      cli:
        condition: service_started
    dns:
    - 192.168.64.100
    - 8.8.8.8
    environment:
      APACHE_BASIC_AUTH_PASS: null
      APACHE_BASIC_AUTH_USER: null
      APACHE_DOCUMENTROOT: /var/www/docroot
      APACHE_FCGI_HOST_PORT: cli:9000
    hostname: web
    image: docksal/apache:2.4-2.3
    labels:
      io.docksal.cert-name: none
      io.docksal.permanent: "true"
      io.docksal.project-root: /home/joccom/project/joccom
      io.docksal.virtual-host: joccom.opncld.com,*.joccom.opncld.com,joccom.opncld.com.*
    volumes:
    - project_root:/var/www:ro,nocopy
version: '2.1'
volumes:
  cli_home: {}
  db_data: {}
  docksal_ssh_agent:
    external: true
    name: docksal_ssh_agent
  project_root:
    driver: local
    driver_opts:
      device: /home/joccom/project/joccom
      o: bind
      type: none

---------------------
lmakarov commented 5 years ago

> I've just finished creating an addon named 'coder' which uses a fork of https://github.com/cdr/code-server

@acondura that sounds great! We actually have a PR open to replace Cloud9 integration in docksal/cli with VS Code. If we can make it work as an addon instead, that would be even better.

Regarding HTTPS enforcement. Docksal does not currently provide any built-in means for that, leaving it to the application or web server configuration. As coder runs its own server, you can check if it can do the redirect and enforce HTTPS.

If that does not work out, then HTTPS enforcement will need to be handled at the vhost-proxy level. You can submit a feature request in https://github.com/docksal/service-vhost-proxy.

acondura commented 5 years ago

Yes, I know about the PR, I keep looking through the Docksal issue queue from time to time to see what "goodies" might come up in future versions :) and before I saw that PR I was actually looking into implementing https://icecoder.net as an addon. Funny thing is I was already using VSCode on my Mac and I was thinking "wouldn't it be cool if VSCode was up on a server".

I already have the addon working on two of my clients for developers to work with and I'm sorting out a few more details this week and maybe next week I can publish it as a Docksal addon.

acondura commented 5 years ago

Also, another issue that I saw the need for before I even saw your PR was "Automatic Drupal settings configuration" https://github.com/docksal/docksal/issues/1030. I've recently started working on it since it's a crucial thing with Drupal clients and I'll share more info soon.

The other thing that needs to change with Docksal addons is that these run as subdomains instead of e.g. pma-project.docksal, which is not efficient when it comes to SSL LE wildcard certs. Since the limit of certificates per registered domain is 50 per week, this can be easily reached with a team of developers working on a server. I'd be interested in helping here too.

lmakarov commented 5 years ago

Yep, agree on the subdomain issue and certs. It's easily solvable by using a flat domain schema and replacing dots with hyphens or double-hyphens (e.g., pma--project.docksal).
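
The effect of the flat naming scheme on wildcard coverage, as an added example that is not part of the original thread or of Docksal's code. It assumes the Let's Encrypt wildcard certificate is issued for `*.opncld.com` (the thread does not state the exact name); the host names come from the `fin config` output above, and `flatten`, `wildcard_covers` and `uncovered` are hypothetical helper names.

```python
# Added example (not Docksal code). Assumption: the Let's Encrypt wildcard
# certificate is issued for *.opncld.com; host names are taken from the
# `fin config` output in this thread.

HOSTS = [
    "ide-joccom.opncld.com",
    "joccom.opncld.com",
    "solr.joccom.opncld.com",
    "varnish.joccom.opncld.com",
]


def wildcard_covers(pattern: str, host: str) -> bool:
    """Certificate name matching: '*' is accepted only as the whole
    left-most label and stands for exactly one label, never for a dot."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def flatten(host: str, base: str, sep: str = "--") -> str:
    """Collapse every label left of `base` into one label (dots -> sep)."""
    host, base = host.lower().rstrip("."), base.lower().rstrip(".")
    if not host.endswith("." + base):
        raise ValueError(f"{host} is not under {base}")
    label = host[: -len(base) - 1].replace(".", sep)
    if len(label) > 63:  # DNS limit for a single label
        raise ValueError(f"flattened label too long: {label}")
    return f"{label}.{base}"


def uncovered(hosts, pattern):
    """Hosts the certificate does not cover (each would need its own cert)."""
    return [h for h in hosts if not wildcard_covers(pattern, h)]


if __name__ == "__main__":
    cert, base = "*.opncld.com", "opncld.com"
    for h in HOSTS:
        flat = flatten(h, base)
        print(f"{h:28} covered={wildcard_covers(cert, h)!s:5} -> {flat}")
    print("still uncovered after flattening:",
          uncovered([flatten(h, base) for h in HOSTS], cert))
```

With these inputs the nested `solr.` and `varnish.` hosts fall outside the wildcard, while their flattened forms are covered by the same certificate.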

acondura commented 5 years ago

Coder is an executable running in a container, I'm using this approach https://github.com/cdr/code-server/blob/master/doc/admin/install/digitalocean.md.

The thing is I'm able to load the coder UI both by http://ide-subdomain.tld.com and by https://ide-subdomain.tld.com, they both work great. I'm just having trouble redirecting http to https.

I've tried every combination I could think of from https://docs.docksal.io/service/web/settings and it just does not react, no redirection from http to HTTPS.

lmakarov commented 5 years ago

> I've tried every combination I could think of from https://docs.docksal.io/service/web/settings and it just does not react, no redirection from http to HTTPS.

Those docs are for the web container. Changing the web server configuration will have no effect here, since you have coder running in a separate container.

The routing is handled by the system-wide docksal-vhost-proxy service, which currently does not support an HTTPS enforcement flag and redirect. You can submit a feature request in https://github.com/docksal/service-vhost-proxy.

acondura commented 5 years ago

Got it, thank you Leonid.

I'm almost ready to publish the 'coder' addon which uses a custom Dockerfile and I'm going through https://docs.docksal.io/stack/extend-images/#maintain-image. Let me know if I'm missing anything in the process of publishing the 'coder' addon.

acondura commented 5 years ago

Oh right, almost forgot. I created https://github.com/docksal/service-vhost-proxy/issues/50 as you said.

acondura commented 5 years ago

I'm trying to create a pull request for the Coder addon but when I click the 'New pull request' button over at https://github.com/docksal/addons/pulls the 'Create pull request' button on the next page is disabled. My user is https://github.com/acondura, do I need some permissions for this?

shelane commented 5 years ago

To submit a PR, you need to fork this repo and create a branch. You will then be able to create a PR from your fork.

acondura commented 5 years ago

Great, thank you @shelane. I've added a pull request for 'Coder addon' at https://github.com/docksal/addons/pull/47.

lmakarov commented 4 years ago

Closing. See discussion in https://github.com/docksal/addons/pull/47. Coder is now pre-installed in docksal/cli.