Allow running behind proxy

[mering]

See #210399 for the motivation.

Commits:

• Serve from / and basePath
• Honor X-Forwarded-Prefix header
• Honor X-Forwarded-Port header

Test procedure:

• Compile via yarn compile
• Run scripts/code-server.sh
• Run an nginx proxy with the following config:

  server {
      listen 8080;
      listen [::]:8080;
  
      location /some/path/ {
          proxy_pass http://localhost:9888/;
          proxy_set_header Host $host;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $http_connection;
          proxy_set_header X-Forwarded-Host $host;
          proxy_set_header X-Forwarded-Port $server_port;
          proxy_set_header X-Forwarded-Prefix "/some/path";
      }
  }

• Access VSCode on http://localhost:8080/some/path

Fixes #210399, #225706

[jhgoebbert]

Any chance this small fix can be merged?

[mering]

Unfortunately, there doesn't seem to be a way to test this change as described in #221345:

I tried getting a testing environment on main branch:

• Running ./scripts/code-cli.sh serve-web
• First, I encountered Cargo missing #210454 when running in the Devcontainer.
• After manually installing Rust within the container, I only get error error getting latest version: Updates are are not available: no configured quality.

[dredwilliams]

This is a simple change that appears to address the issue without having any other impacts

[lost-in-dev-null]

An easy fix for an annoying issue. I see no reason why not to merge.

[aeschli]

When you start the server with server-base-path, that means that all the bits, including the main page are served from that path. If you want the server to be served from root ('/'), don't use that argument.

Why does the proxy forward the request to '/', but not '/server-base-path' ?

[darkdragon-001]

Why does the proxy forward the request to '/', but not '/server-base-path' ?

This is just the way how most proxies are configured for simplicity and often end-users can't control this.

The server base path is just needed as a prefix for absolute links, not for actually serving files from that path.

[darkdragon-001]

Trying to explain why most proxies use the explained approach:

For which use-case would one use a different base path? When one wants to serve multiple instances or different services on a single host or domain. How do you distribute traffic in this case? You run a proxy and forward requests based on some rules to other services usually differentiated by a different local port on the host. As each service instance is only serving one instance, there is no use of using a different base path there but absolute links need to contain the correct prefix such that they work correctly. This is why basically every service using absolute links is offering some way to specify the prefix used to construct the links.

[dredwilliams]

We are trying to integrate code into an existing application that proxies requests into the code server with the base-path intact ... not our choice. The expectation is that the code server will take the base-path into consideration when interpreting HTTP requests, and include that base-path on any referral links. I thought that was what the base-path parameter was for ...

[aeschli]

As mentioned, the idea of server-base-path is that the server serves the VS Code main page and all the resources the main requires from that path. With the PR it would no longer serve serves the VS Code main page from that path. That seems wrong.
At the very least it should serve the main page from / and from server-base-path.

[aeschli]

Also, I'd like to learn more about that existing application that proxies requests into the code server

[jhgoebbert]

We would love to add VSCode as a webapp to our portal so that VSCode can run at a dynamically generated suburl which is different for each user session but not known before the user has logged in. So VSCode needs to be able to run behind a dynamically configurable proxy.

[dredwilliams]

@aeschli - The the application is Open OnDemand, a web platform for accessing HPC resources. It encapsulates an Apache web server and an NGINX application server to launch applications and drive a point-and-click interface for users. It can launch applications that offer an HTML interface by proxying the connections through a dynamic path custom to each user and application. That keeps all web traffic going through the same session with the user.

In this scenario, when the user wants to launch VS Code, we will build the unique path for that user's instance and provide that path via the base-path parameter. We don't care that it can't respond to the default '/' path -- in fact, that's a desired impact when multiple users may be launching their own sessions on the same system. Each user will have their own 'code serve-web' session with their unique base-path

[mering]

At the very least it should serve the main page from / and from server-base-path.

Serving from both paths sounds like a great idea to cover all use cases.
Unfortunately, it is almost impossible to create more complex patches without being able to test them (#210455 (comment)). @aeschli could you prepare a PR for serving resources from both / and base path parameter if specified?

[dredwilliams]

There is no need for the added complexity of responding to BOTH / and base-path ... if the base-path parameter is set, responding to '/' is not the desired behavior FOR THAT INSTANCE.

[darkdragon-001]

There is no need for the added complexity of responding to BOTH / and base-path ... if the base-path parameter is set, responding to '/' is not the desired behavior FOR THAT INSTANCE.

As a lot of people explained including myself, responding only to '/' is the desired behavior for most proxy use cases.

Serving on both should maintain compatibility with other use cases.

[mering]

I think I got it fixed to serve from both, root and base path.

I basically remove the base path when the server receives the request and add it for the client.

[mering]

This approach allowed me to honor X-Forwarded-Prefix header correctly. When a proxy sets this correctly, paths are served correctly even without base path being explicitly set as argument.

[mering]

In this scenario, when the user wants to launch VS Code, we will build the unique path for that user's instance and provide that path via the base-path parameter. We don't care that it can't respond to the default '/' path -- in fact, that's a desired impact when multiple users may be launching their own sessions on the same system. Each user will have their own 'code serve-web' session with their unique base-path

@dredwilliams Each code serve-web session has it's own port, so there is no need to have a different base path there. Only the proxy needs separate prefixes to route the traffic to the correct port.

[dredwilliams]

This looks great -- thanks for the effort y'all put into this!

[lost-in-dev-null]

Think this will make a lot of people happy! Thanks for the effort!

[mering]

@aeschli could you please take another look? Thanks!

[mering]

@chrmarti @aeschli friendly ping.

[mering]

@bpasero @sandy081 could anyone please take a look? Everything is tested and working, all issues have been resolved and this change is highly desired by many users.

[nathanweeks]

This capability would be useful to many---perhaps most---computing centers that use Open OnDemand to provide web access to their computing resources.

[ShabbirK]

This capability should also enable users to run VS Code on Kubeflow. It would be great to get a release with this PR merged soon.

[vivodi]

Is this still relevant?

[darkdragon-001]

Is this still relevant?

Yes, many people are eagerly waiting for this to get merged!

[jhgoebbert]

+1 from me.
I've been following this PR from the beginning and hope it gets merged sooner rather than later. I wonder what exactly is holding it back.

[aeschli]

I took this PR and added some (polishing) changes on top: See #237411

Closing this PR in favor of #237411