Setting/passing password as cookie is not working anymore #1189


Closed
weikai opened this issue Nov 20, 2019 · 4 comments
Labels
bug Something isn't working

Comments

@weikai

weikai commented Nov 20, 2019

For security reasons, I run code-server with a custom password. On the Apache server, I set the password cookie on the RequestHeader. It's working fine on the first and second official V2 releases but not anymore on the newer releases. It keeps redirecting to /login even though the password cookie is already there. Also, when it redirects, can code-server be updated to redirect to ./login not /login? The proxy server might forward a directory to code-server; sending the user back to /login returns a 404. Can the problems be fixed, or can basic authentication be implemented on code-server?

Set password cookie for requests

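```apache
# Inject the code-server password cookie into every proxied request
RequestHeader set Cookie "password=password"
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443

# Send WebSocket upgrade requests to the backend over ws://
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /drupal/(.*) ws://ide.drupal:8080/$1 [P,L]
# Proxy everything else under /drupal/ over plain HTTP
ProxyPass /drupal/ http://ide.drupal:8080/ nocanon
ProxyPassReverse /drupal/ http://ide.drupal:8080/
```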

Run code-server with custom password

```sh
PASSWORD='password' /opt/vscode/code-server --auth password --port 8080 /www
```

@weikai added the bug (Something isn't working) label Nov 20, 2019
@sr229
Contributor

sr229 commented Nov 20, 2019

Our recommended way is to pass the password as an environment variable. Based on my own testing, passwords should still work as intended, but I suggest doing it as a variable instead of intercepting it from the reverse proxy.

@code-asher
Member

> Also, when it redirects, can code-server updated to redirect to ./login not /login? Proxy server might forward a directory to code-server, sending user back to /login is returning 404.

Using `--base-path` should fix this. For example, `code-server --base-path /drupal`.

> On the Apache server, I set the password cookie on the RequestHeader. It's working fine on the first and second official V2 releases but not anymore on the newer releases.

The authentication cookie has changed. It's now "key" and it's a hash of the password. But like @sr229 mentioned, you're safer with the environment variable since, although for now the hash is static, it could become dynamic in the future (by using a generated salt).

@code-asher
Member

Actually I see you're already using the environment variable, which makes sense since otherwise you wouldn't have a custom password at all. 😛

So you could update your cookie to use "key=password hash", but is there any reason you couldn't remove that line and log in normally through the browser?

Also I'm not sure what you mean by implementing basic authentication in code-server. Isn't basic authentication something you can handle from the proxy?

@weikai
Author

weikai commented Nov 20, 2019

Thank you all. Setting the key with password hash cookie fixed the problem. No basic authentication is needed since setting the key cookie is working.

I do authentication on the proxy server and want to make sure no one on the LAN can access code-server without authentication. As a result, I set a custom password on code-server and configured the proxy server to pass the key cookie.
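
The caveat raised in this thread (a `key` cookie pinned in the proxy config keeps working only while the password hash stays static), as an added example that is not code from the thread or from code-server. It assumes the cookie value is a hex SHA-256 digest; `staticKey`, `saltedKey`, `getCookie`, `isAuthenticated` and the salted scheme itself are hypothetical.

```javascript
// Added illustration, not code-server's implementation.
// Assumption: the "key" cookie is a hex SHA-256 digest of the password.
const crypto = require("crypto");

// Static scheme: one password always maps to one cookie value.
function staticKey(password) {
  return crypto.createHash("sha256").update(password).digest("hex");
}

// Hypothetical salted scheme: the salt is drawn at server start, so the
// expected cookie value changes on every restart.
function saltedKey(password, salt) {
  return crypto.createHash("sha256").update(salt).update(password).digest("hex");
}

// Extract one cookie value from a Cookie request header.
function getCookie(header, name) {
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0 && part.slice(0, i).trim() === name) return part.slice(i + 1).trim();
  }
  return undefined;
}

// Compare the presented "key" cookie with the expected value in constant time.
function isAuthenticated(cookieHeader, expected) {
  const got = Buffer.from(getCookie(cookieHeader, "key") || "", "utf8");
  const want = Buffer.from(expected, "utf8");
  return got.length === want.length && crypto.timingSafeEqual(got, want);
}

// Header value pinned in the proxy config (constructed sample password).
const pinned = "key=" + staticKey("password");

function demo() {
  const salt = crypto.randomBytes(16); // fresh salt, as after a restart
  return {
    legacyCookie: isAuthenticated("password=password", staticKey("password")),
    staticScheme: isAuthenticated(pinned, staticKey("password")),
    saltedScheme: isAuthenticated(pinned, saltedKey("password", salt)),
  };
}

console.log(demo());
```

With the header pinned, every request that passes the proxy reaches code-server already authenticated, so access control rests entirely on the proxy's own authentication.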


3 participants