code-server behind apache proxy #282

Closed
jonpetersathan opened this issue Mar 18, 2019 · 10 comments

@jonpetersathan

jonpetersathan commented Mar 18, 2019

Description

I can't figure out the correct apache config in order to proxy https and wss requests correctly. My apache config looks something like this:

<VirtualHost *:443>
    ServerName code.mydomain.net

    ProxyRequests off
    ProxyPreserveHost on
    AllowEncodedSlashes NoDecode

    RequestHeader set X-Forwarded-Proto https
    RequestHeader set X-Forwarded-Port 443

    ProxyPass / http://code.code:8080/ nocanon
    ProxyPassReverse / http://code.code:8080/

    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

My problem now is that this configuration blocks all websocket requests. In order to also proxy websocket connections, I would need to add something like this to my apache config:

    ProxyPass / ws://code.code:8080/
    ProxyPassReverse / http://code.code:8080/

The problem with this is that it will not work with the same URL path as the https proxy statements (https://code.mydomain.net/ and wss://code.mydomain.net/). Usually the websocket connection would be handled by a different path (e.g. wss://code.mydomain.net/websocket/).
So my question is: is there any way to achieve this with code-server and apache?

@NGTmeaty
Contributor

I don't know a ton of Apache so I may not be too helpful here, but this is the working NGINX config.

@Foxtur

Foxtur commented Mar 19, 2019

I've those rules after the ServerName definition and it seems to do the job.

RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*)           ws://127.0.0.1:3000/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*)           http://127.0.0.1:3000/$1 [P,L]

@jonpetersathan
Author

@Foxtur Yes, that worked! Thanks!

@NGTmeaty
Contributor

Could we possibly get a PR to update the docs with Apache instructions?

Foxtur mentioned this issue Mar 19, 2019

@waclaw66

I've those rules after the ServerName definition and it seems to do the job.

RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*)           ws://127.0.0.1:3000/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*)           http://127.0.0.1:3000/$1 [P,L]

This stopped working for V2, do you know how to fix it?
Thanks.

@JtMotoX

JtMotoX commented Nov 8, 2019

This stopped working for V2, do you know how to fix it?
Thanks.

@waclaw66 For V2 try changing the port from 3000 to the port that code-server runs on (in my case 8443).

Mine looks like this and it works for me:

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*)           wss://127.0.0.1:8443/$1 [P,L]
    SSLProxyEngine on
    ProxyPreserveHost on
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    ProxyPass / https://127.0.0.1:8443/
    ProxyPassReverse / https://127.0.0.1:8443/

Also FYI make sure you have the required modules enabled:

apachectl -M | grep proxy
 proxy_module (shared)
 proxy_http_module (shared)
 proxy_wstunnel_module (shared)

@waclaw66

waclaw66 commented Nov 8, 2019

@JtMotoX thanks for your answer, but the original settings work again in the latest version of code-server. I just forgot to update it here.

@amitkhare

Hi, can someone please share the whole .conf file? Having a hard time setting up. Thanks.

/etc/apache2/sites-available/vscode.mydomain.com-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName vscode.mydomain.com

    <Location "/">
        ProxyPreserveHost On
        ProxyPass http://127.0.0.1:8080/
        ProxyPassReverse http://127.0.0.1:8080/
    </Location>

    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

/etc/systemd/system/code-server.service

[Unit]
Description=code-server
After=apache2.service

[Service]
User=root
WorkingDirectory=/var/www/
Environment=PASSWORD=SUPERPASSWORD
ExecStart=/root/bin/code-server --host 127.0.0.1 --port 8080 --user-data-dir /root/data --auth password
Restart=always
[Install]
WantedBy=multi-user.target

@JtMotoX

JtMotoX commented Mar 14, 2020

Hi, can someone please share the whole .conf file? Having a hard time setting up. Thanks.

@amitkhare, I didn't post my entire config because mine is slightly more complicated than most. I will post it here since you asked. Hope it helps.


My Setup:

  • Apache Reverse Proxy (DMZ Server)
    • Nginx Reverse Proxy (Macbook Docker Container)
      • Code-Server (Macbook)

Apache Reverse Proxy (condensed):

<VirtualHost *:80>
    ServerName code.mysite.com
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
    DocumentRoot /var/www/dummy/public_html
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/mysite.com/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/mysite.com/chain.pem
    ServerAdmin me@mysite.com
    DocumentRoot /var/www/dummy/public_html
    ServerName code.mysite.com
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*)           wss://10.249.98.11/$1 [P,L]
    Header set X-Frame-Options ALLOWALL
    SSLProxyEngine on
    ProxyPreserveHost on
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    ProxyPass / https://10.249.98.11/
    ProxyPassReverse / https://10.249.98.11/
</VirtualHost>

Nginx Reverse Proxy (condensed) (running on my macbook):

server {
    listen      443 ssl;
    listen      [::]:443 ssl;
    server_name  mymacbookfqdn;
    ssl_certificate /etc/ssl/code-server-cert/server.crt;
    ssl_certificate_key /etc/ssl/code-server-cert/server.key;

    root /var/www/code-server;
    index index.php index.html index.htm;

    # SETUP PROXY HEADERS
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # AUTHENTICATION URL PATH FOR LOGIN AND LOGOUT
    location ~ ^/authentication {
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass php:9000;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param REMOTE_ADDR2 $remote_addr;
        }
    }

    # REDIRECT LOGOUT URI TO LOGOUT FILE
    location ~ ^/logout {
        return 307 $scheme://$host/authentication/logout.php;
    }

    # TURN THIS ON FOR DEBUGGING
    # rewrite_log on;
    # error_log /var/log/nginx/error.log notice;

    # REDIRECT FAVICON TO MY CUSTOM FAVICON
    rewrite ^\/(?!favicon).*favicon.ico$ /favicon.ico redirect;

    # USER NAVIGATES TO ANY URI
    location / {
        # CHECK AUTHENTICATION
        if ($cookie_authentication != "SomeLongRandomGeneratedString") {
            proxy_pass $scheme://$host/authentication/login.php;
        }

        # TRY TO SERVE THEM LOCAL FILE. IF NOT EXIST THEN SEND THEM THROUGH PROXY
        try_files $uri @proxy;
    }

    # USE GATEWAY AS RESOLVER INSTEAD OF VPN
    resolver 10.249.98.1;

    # CODE-SERVER
    location @proxy {
        proxy_pass  https://10.249.98.11:8443;
    }
}

@cheoalfredo

I don't know a ton of Apache so I may not be too helpful here, but this is the working NGINX config.

@NGTmeaty sorry bro, this file is missing, do you have an updated link?
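
Added example (not code from this thread or from the code-server project): a small Python check over an Apache reverse-proxy config that flags the settings discussed above, namely disabled SSLProxyCheckPeer* verification, an X-Frame-Options override that permits framing, a ProxyPassReverse target that differs from ProxyPass, and a missing WebSocket route. The function name `audit`, the sample vhost and the host `code.example.test` are constructed for illustration.

```python
import re

# Constructed sample: one vhost combining settings that appear in this thread.
SAMPLE = """\
<VirtualHost *:443>
    ServerName code.example.test
    Header set X-Frame-Options ALLOWALL
    SSLProxyEngine on
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    ProxyPass / https://127.0.0.1:8443/
    ProxyPassReverse / https://172.0.0.1:8443/
</VirtualHost>
"""

PEER_CHECKS = {"sslproxycheckpeercn", "sslproxycheckpeername", "sslproxycheckpeerexpire"}

def audit(conf):
    """Return sorted (line_number, finding) pairs for an Apache reverse-proxy config."""
    findings, backend, has_ws = [], {}, False
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":          # skip blanks, comments, section tags
            continue
        name, *args = line.split()
        name, low = name.lower(), [a.lower().strip("\"'") for a in args]
        # A ws:// or wss:// proxy target, or upgrade=websocket, routes Upgrade requests.
        has_ws |= any(a.startswith(("ws://", "wss://")) or a == "upgrade=websocket" for a in low)
        if name in PEER_CHECKS and low[:1] == ["off"]:
            findings.append((n, f"{name} off: a backend certificate check is disabled"))
        elif name == "header" and "x-frame-options" in low and low[-1] not in ("deny", "sameorigin"):
            findings.append((n, "x-frame-options is not DENY/SAMEORIGIN: framing is unrestricted"))
        elif name in ("proxypass", "proxypassreverse"):
            url = next((a for a in low if re.match(r"https?://", a)), None)
            if url:
                backend[name] = (n, url.rstrip("/"))
    fwd, rev = backend.get("proxypass"), backend.get("proxypassreverse")
    if fwd and rev and fwd[1] != rev[1]:
        findings.append((rev[0], f"ProxyPassReverse {rev[1]} does not match ProxyPass {fwd[1]}"))
    if fwd and not has_ws:
        findings.append((fwd[0], "no ws:// or wss:// target: WebSocket upgrades may not be proxied"))
    return sorted(findings)

if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE):
        print(f"line {lineno}: {finding}")
```
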
