v4.10.1 #6052
-
Code v1.75.1
Security
Added an origin check to web sockets to prevent cross-site hijacking attacks on
users using older or niche browsers that do not support SameSite cookies and
attacks across sub-domains that share the same root domain.
The check requires the host header to be set, so if you use a reverse proxy,
ensure it forwards that information; otherwise web sockets will be blocked.
This discussion was created from the release v4.10.1.
Replies: 5 comments 6 replies
-
For anyone using nginx as a reverse proxy, here is the exact line you need to add to your config.
Assumptions:
- code-server is running on port 11111
- Reverse proxy is on port 22222
- Reverse proxy is on the domain your-domain.example.com

# /etc/nginx/conf.d/code-server.conf, or wherever you have the reverse proxy config
server {
    listen 22222 ssl;
    ssl_certificate /etc/ssl/certs/YOUR_CERT_HERE.crt;
    ssl_certificate_key /etc/ssl/private/YOUR_KEY_HERE.key;
    location / {
        proxy_pass http://127.0.0.1:11111;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection upgrade;
+       proxy_set_header Host "your-domain.example.com:22222";
    }
}

Then reload the config: nginx -s reload and it should work again.
-
I think you can also use proxy_set_header Host $host; to avoid hard-coding the host.
-
Yes, good point - you should try proxy_set_header Host $host; first.
For my config, I actually had additional server configs interfering so $host didn't work for me and I had to hardcode the value. But in general $host should be tried first.
-
I've got a problem with my reverse proxy. I hope this feature can be turned off with an argument.
-
@neophack Could you elaborate? Are you having trouble setting the host header in your proxy?
-
I got exactly the same error. The configuration of my reverse proxy (nginx/swag) hasn't changed. Host is/was already set.
I'm using the linuxserver.io images.
The regression happened from
lscr.io/linuxserver/code-server:amd64-4.10.0 (working)
to
lscr.io/linuxserver/code-server:amd64-4.10.1 (error as described above)
-
Adding the Origin header works for me:
proxy_set_header Origin https://$host;
I read the code; it compares the host:port in the Host and Origin headers, so I think both Host and Origin should be set.
But the terminal does not work and I don't know why for now :-(
-
The browser is supposed to set Origin, if you set it in the proxy just keep in mind that it bypasses the security of that check.
-
Does anyone have settings for Apache?
-
Same here: 4.10.0 works and 4.10.1 does not. Pinning to 4.10.0 until this is sorted.
-
Might need to use $http_host instead: #6166
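
The sketch below is an added example, not code-server's source and not code from any post above. It models the Host value nginx sends upstream for each setting mentioned in the thread and applies a host:port comparison of Origin against Host as the thread describes it. The function names, the `other.example` origin and the rejection of a missing header are assumptions of the sketch.

```javascript
// Added illustration, not code-server's source. Function names and sample
// values are constructed; the nginx variable semantics are nginx's documented ones.

// The Host value nginx sends upstream for each setting discussed in the thread.
function upstreamHost(setting, browserHost, proxyPassTarget) {
  switch (setting) {
    case "default":    return proxyPassTarget;            // $proxy_host
    case "$host":      return browserHost.toLowerCase().replace(/:\d+$/, ""); // port dropped
    case "$http_host": return browserHost;                // header as the browser sent it
    default:           return setting;                    // hard-coded literal
  }
}

// Sketch of the check: host[:port] of Origin must equal the Host header.
// Assumption of this sketch: a missing Origin or Host is rejected.
function originAllowed(headers) {
  const { origin, host } = headers;
  if (!origin || !host) return false;
  let parsed;
  try { parsed = new URL(origin); } catch { return false; }
  return parsed.host === host.toLowerCase();
}

// Headers the backend sees after the proxy, for a browser request to
// your-domain.example.com:22222 proxied to 127.0.0.1:11111 (values from the thread).
function backendHeaders(hostSetting, browserOrigin, overrideOrigin = false) {
  const browserHost = "your-domain.example.com:22222";
  const host = upstreamHost(hostSetting, browserHost, "127.0.0.1:11111");
  // "proxy_set_header Origin https://$host;" replaces whatever the browser sent.
  const origin = overrideOrigin
    ? "https://" + upstreamHost("$host", browserHost)
    : browserOrigin;
  return { host, origin };
}

const SAME_SITE = "https://your-domain.example.com:22222";
const CROSS_SITE = "https://other.example"; // constructed foreign origin

for (const s of ["default", "$host", "$http_host", "your-domain.example.com:22222"]) {
  console.log(s.padEnd(30), originAllowed(backendHeaders(s, SAME_SITE)));
}
console.log("cross-site, Origin untouched  ",
  originAllowed(backendHeaders("$http_host", CROSS_SITE)));
console.log("cross-site, Origin overridden ",
  originAllowed(backendHeaders("$host", CROSS_SITE, true)));
```

On a non-default port, `$host` drops the port and the comparison fails, while `$http_host` and the hard-coded value keep it. The last line shows a foreign origin passing once the proxy rewrites Origin itself.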