
Guides do not include token required to reach server

Open chuck-confluent opened this issue 3 years ago • 7 comments

Does this issue occur when all extensions are disabled?: Yes

  • VS Code Version: 1.63.0
  • OS Version:

Steps to Reproduce:

  1. Follow the guide https://github.com/gitpod-io/openvscode-server/tree/docs/guides/aws-ec2
  2. You get the response "forbidden" when you visit the EC2 instance's url because the server generates a unique token that you need to put in the url.

Question: How can I programmatically extract the token generated by the server so I can use vs code on my EC2 instance correctly?

chuck-confluent avatar Dec 17 '21 19:12 chuck-confluent

Hey there, @chuck-confluent! It is correct that you need to put a security token when you visit your OpenVSCode Server port.

You unfortunately cannot extract the code programmatically, but you can set it manually (see https://github.com/gitpod-io/openvscode-server#a-note-about-security-tokens for more details), or just copy it from the output of running ./server.sh

filiptronicek avatar Dec 17 '21 21:12 filiptronicek

Thanks! I think for the guide, it would be most appropriate to set a manual token

chuck-confluent avatar Dec 17 '21 23:12 chuck-confluent

@chuck-confluent I would say it's a good idea to have a mention of security tokens in each guide, but to by default tell users to change it to whatever they want is IMO a bad idea, strongly decreasing the complexity and therefore strength of the tokens.

filiptronicek avatar Dec 18 '21 10:12 filiptronicek

That makes sense. I was doing this with terraform (so no interactive terminal on the instance), so there was no way for me to do it other than provide my own manual token. But looking back at the guide, it assumes an interactive shell with the instance, so you would be able to see the randomly generated token. 👍

chuck-confluent avatar Dec 20 '21 03:12 chuck-confluent

I have an idea: put nginx or caddy in front as a reverse proxy and add the corresponding header. I'm searching for the header name now.

dginhoux avatar Dec 30 '21 16:12 dginhoux

Hi,

I have a working solution: I add an nginx as a sidecar reverse proxy (I use Docker, so adapt the resolver address if necessary).

VSCode creates a cookie called vscode-tkn after it gets the real tkn as a GET parameter (http://vscode:3000?tkn=7098a127-de76-4d3c-9e23-3530bd99e207).

I tried to just add a cookie every time. That did not work; it's commented out in the following conf.

After a few tries and some analysis, I have a working solution: I add a condition so that, if the cookie is not set, it adds an argument to the proxy pass. VSCode receives it and creates a cookie, and it works fine if tkn is not defined in the first initial query.

user nginx;
worker_processes 16;
events {
  worker_connections 512;
}
http {
  gzip off;
  resolver 127.0.0.11;
  access_log off;
  error_log stderr;
  upstream upstream_vscode {
    server vscode:3000;
  }
  server {
    server_name _;
    listen 3000;
    client_max_body_size 0;
    ignore_invalid_headers off;
    location / {
      # add_header Set-Cookie "vscode-tkn=7098a127-de76-4d3c-9e23-3530bd99e207; Path=/; Max-Age=31536000";

      if ($cookie_vscode-tkn != "7098a127-de76-4d3c-9e23-3530bd99e207") {
        set $args "tkn=7098a127-de76-4d3c-9e23-3530bd99e207";
      }

      proxy_buffering off;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";
      proxy_pass http://upstream_vscode;
    }
  }
}

dginhoux avatar Jan 01 '22 21:01 dginhoux

Hi, everybody. This is a working solution for anybody using docker-compose. As for me, I am also using nginx as a front end, proxying to the exposed default port 3000.

vsc-server:
    container_name: vsc-server
    image: gitpod/openvscode-server
    restart: always
    volumes:
      - ./data/vsc-server/workspace:/home/workspace
      - /etc/localtime:/etc/localtime:ro
    user: '1000:1000'
    entrypoint: [ "/bin/sh", "-c", "exec /home/.openvscode-server/bin/openvscode-server --host 0.0.0.0 --connection-token your_secret", "--" ]

Then you can use the link: http://your_server?tkn=your_secret

olegenii avatar May 05 '22 20:05 olegenii
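
For the non-interactive provisioning case raised in this thread (Terraform, no shell on the instance), the following is an added example, not code from any poster or from the openvscode-server project: it generates a random token once, stores it with mode 0600, refuses weak hand-picked values, and hands it to the --connection-token flag shown above. The TOKEN_FILE path, the SERVER_BIN variable and the 32-character minimum are assumptions of this example.

```shell
#!/bin/sh
# Added example: create a strong connection token without an interactive shell.
# Assumptions: TOKEN_FILE path, SERVER_BIN variable, 32-character minimum length.
set -eu

TOKEN_FILE="${TOKEN_FILE:-/etc/openvscode/connection-token}"   # hypothetical path

# 32 bytes from the kernel CSPRNG, hex-encoded: 256 bits of entropy, 64 characters.
generate_token() {
  od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Accept only URL-safe characters (the token travels in the tkn query parameter)
# and at least 32 of them, so values like "your_secret" are rejected.
token_is_strong() {
  case "$1" in
    *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#1}" -ge 32 ]
}

# Create the token on first boot and reuse it afterwards, so the URL stays stable.
# The body runs in a subshell: the umask and variables do not leak to the caller.
ensure_token() (
  umask 077                                  # new directory 0700, new file 0600
  file="$1"
  if [ -s "$file" ]; then
    token="$(cat "$file")"
  else
    mkdir -p "$(dirname "$file")" || return 1
    token="$(generate_token)"
    printf '%s' "$token" > "$file" || return 1
  fi
  token_is_strong "$token" || { echo "weak token in $file" >&2; return 1; }
  printf '%s' "$token"
)

# Usage in instance user data (not executed here):
#   token="$(ensure_token "$TOKEN_FILE")"
#   exec "$SERVER_BIN" --host 0.0.0.0 --connection-token "$token"
# The operator then reads $TOKEN_FILE over SSH or a secrets channel and opens
# http://<host>:3000/?tkn=<token>. A token passed as an argument is visible in
# the process list to other local users, so keep the instance single-tenant.
```

The token is never echoed to logs; only the file holds it, and a pre-seeded file with a short value makes ensure_token fail instead of starting the server with it.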