openvscode-server
openvscode-server copied to clipboard
gitpod-io
Add guidelines for setting up server with https behind proxy
Currently the openvscode-server serves request via http. Its implications are that some extensions like git-graph, jupyter, markdown-enhanced-preview, vim (clipboard copy/paste) don't work. I appreciate the gitpod's team concern to make minimal changes to the VSCode src so it'll be great if we can instead provide some high level guidelines on how to run openvscode with https behind some proxy (like nginx, caddy, etc). We essentially want to enable web-sockets in the reverse proxy configuration.
Filing this FR based on this discussion
@bhavitsharma Which functions in git-graph do not work? I finished setting up the system as docker-compose stack with Caddy as TLS terminating reverse proxy and at first glance git-graph seems to work:
@akosyakov recommended Caddy. Here's my setup so you should be able to easily replicate it:
Folder structure:
├── caddy
│ └── Caddyfile
├── certs
│ ├── docker.localhost.crt
│ └── docker.localhost.key
├── docker-compose.yml
├── out
│ ├── DevCA.crl
│ ├── DevCA.crt
│ ├── DevCA.key
│ ├── docker.localhost.crt
│ ├── docker.localhost.csr
│ └── docker.localhost.key
├── README.md
└── workspace
Install certstrap and generate a root and web server certificate:
certstrap init --common-name "DevCA"
certstrap request-cert --common-name docker.localhost --domain '*.docker.localhost','localhost','*.localhost'
certstrap sign docker.localhost --CA DevCA
Copy the webserver cert and key to the certs directory: cp ./out/docker.localhost.{crt,key} ./certs/
Here are the file contents:
./caddy/Caddyfile
openvscode-server.docker.localhost
tls /certs/docker.localhost.crt /certs/docker.localhost.key
log
reverse_proxy vscode:3000
docker-compose.yml
version: '3.7'
services:
caddy:
image: caddy
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro
- ./certs:/certs:ro
- caddy_data:/data
- caddy_config:/config
vscode:
image: gitpod/openvscode-server
restart: unless-stopped
init: true
expose:
- 3000
volumes:
- "./workspace:/home/workspace:cached"
volumes:
caddy_data:
caddy_config:
Finally, add the CA certificate to the system's trusted CAs (Ubuntu example):
sudo mkdir -p /usr/local/share/ca-certificates/extra
sudo cp out/DevCA.crt /usr/local/share/ca-certificates/extra/
sudo update-ca-certificates
Oh and don't forget to add the hostname to your hosts file.
Depending on your OS/browser you might have to import the CA cert into the browser's/OS' CA certificate store and trust it for the webserver context. If you've done everything correctly you should see the trusted certificate in your browser:
Thank you so much. I was able to setup everything behind a proxy using caddy. Thanks again! I am happy to contribute with some documentation. Let me try to work on it this weekend :)
@megamorf thanks so much for that!
@bhavitsharma did you ever get around to contributing docs for this?
I'm doing less or more the same for running OpenVSCode Server on NixOS (https://github.com/drupol/nixos-x260/blob/master/hosts/nixos/code.nix).
However, I haven't found a way to display PDFs in it, apparently, we need to do SSH tunnels.
Have you found a better way to achieve that? If yes, how do you do?
coder/code-server does it without troubles, why is this not possible with openvscode-server ?
