search

gitpod-io / openvscode-server

Run upstream VS Code on a remote machine with access through a modern web browser from any device, anywhere.
https://www.gitpod.io/
MIT License
5k stars 432 forks source link

Add guidelines for setting up server with https behind proxy #163

Open bhavitsharma opened 2 years ago

bhavitsharma commented 2 years ago

Currently the openvscode-server serves request via http. Its implications are that some extensions like git-graph, jupyter, markdown-enhanced-preview, vim (clipboard copy/paste) don't work. I appreciate the gitpod's team concern to make minimal changes to the VSCode src so it'll be great if we can instead provide some high level guidelines on how to run openvscode with https behind some proxy (like nginx, caddy, etc). We essentially want to enable web-sockets in the reverse proxy configuration.

Filing this FR based on this discussion

megamorf commented 2 years ago

@bhavitsharma Which functions in git-graph do not work? I finished setting up the system as docker-compose stack with Caddy as TLS terminating reverse proxy and at first glance git-graph seems to work: image

megamorf commented 2 years ago

@akosyakov recommended Caddy. Here's my setup so you should be able to easily replicate it:

Folder structure:

├── caddy
│   └── Caddyfile
├── certs
│   ├── docker.localhost.crt
│   └── docker.localhost.key
├── docker-compose.yml
├── out
│   ├── DevCA.crl
│   ├── DevCA.crt
│   ├── DevCA.key
│   ├── docker.localhost.crt
│   ├── docker.localhost.csr
│   └── docker.localhost.key
├── README.md
└── workspace

Install certstrap and generate a root and web server certificate:

certstrap init --common-name "DevCA"
certstrap request-cert --common-name docker.localhost --domain '*.docker.localhost','localhost','*.localhost'
certstrap sign docker.localhost --CA DevCA

Copy the webserver cert and key to the certs directory: cp ./out/docker.localhost.{crt,key} ./certs/

Here are the file contents:

./caddy/Caddyfile

openvscode-server.docker.localhost

tls /certs/docker.localhost.crt /certs/docker.localhost.key

log

reverse_proxy vscode:3000

docker-compose.yml

version: '3.7'

services:
  caddy:
    image: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - ./certs:/certs:ro
      - caddy_data:/data
      - caddy_config:/config

  vscode:
    image: gitpod/openvscode-server
    restart: unless-stopped
    init: true
    expose:
      - 3000
    volumes:
      - "./workspace:/home/workspace:cached"

volumes:
  caddy_data:
  caddy_config:

Finally, add the CA certificate to the system's trusted CAs (Ubuntu example):

sudo mkdir -p /usr/local/share/ca-certificates/extra
sudo cp out/DevCA.crt /usr/local/share/ca-certificates/extra/
sudo update-ca-certificates

Oh and don't forget to add the hostname to your hosts file.

Depending on your OS/browser you might have to import the CA cert into the browser's/OS' CA certificate store and trust it for the webserver context. If you've done everything correctly you should see the trusted certificate in your browser:

image image

bhavitsharma commented 2 years ago

Thank you so much. I was able to setup everything behind a proxy using caddy. Thanks again! I am happy to contribute with some documentation. Let me try to work on it this weekend :)

davidxia commented 1 year ago

@megamorf thanks so much for that!

@bhavitsharma did you ever get around to contributing docs for this?

drupol commented 1 year ago

I'm doing less or more the same for running OpenVSCode Server on NixOS (https://github.com/drupol/nixos-x260/blob/master/hosts/nixos/code.nix).

However, I haven't found a way to display PDFs in it, apparently, we need to do SSH tunnels.

Have you found a better way to achieve that? If yes, how do you do?

coder/code-server does it without troubles, why is this not possible with openvscode-server ?