How do you Block Access via the IP Address? #7519

Answered by MickMorley
MickMorley asked this question in General

I have code-server deployed via Docker and have Authelia to authenticate users. All of this is internal to my network and not exposed to the internet. I want Authelia to only authenticate users and remove the code-server $PASSWORD.

The problem is, access is still achieved without authentication by navigating to "http://IP:8443/login".

I'd like to block access when navigating to "http://IP:8443/login" and force the use of https://code.example.com. Is there any way to do this?


If you make Docker expose the port on localhost only, that should work. Something like docker run -p 127.0.0.1:8443:8443 I believe.

Alternatively, you could block 8443 at the firewall level.


Ahhh I see. Nope, nothing like that in code-server, it would need to be blocked externally.


I found this login with args page from #1285 that may work.

My workflow/thought process:

  1. Accessing it via the IP you'd have to know the password.
  2. Accessing it via the reverse proxy, if authenticated with SSO, it'll pass the password for you.

Oh yeah that is an interesting solution. It might be easier to set the password via a cookie. So you would set HASHED_PASSWORD to some long random string and then set the cookie in NGINX. I think something like this would work:

proxy_set_header Cookie "code-server-session=$my_long_random_string";

Thank you @code-asher, I was able to figure this out.

This setup will require all requests going thru Code Server's IP to enter the password but when going thru the reverse proxy (NGINX via SWAG in my case) to be authenticated automagically using the code-server-session cookie.

I protect my reverse proxy via Authelia, so my app is still protected.

Instructions

  1. Set your HASHED_PASSWORD for Code Server

Tip: You can use Vault Warden's built in hash command and it works for code-server:

    docker exec -it vwcontainer /vaultwarden hash

  2. Create a directive to store your hash in NGINX

    geo $codehash {
        default "hashwithdollarsigns";
    }

Note: NGINX does not support escaping $ so you have to use a geo directive outside of the server block

  3. In your location / block, set your cookie

    proxy_set_header Cookie "code-server-session=$codehash";
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;
Answer selected by MickMorley
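
Added example (not part of the original thread and not code-server's own code): the first reply suggests publishing the container port on localhost only, and this Python script audits `docker inspect` output for ports that are still published beyond loopback. The sample JSON, the container names and the `allowed` parameter are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample of `docker inspect` output, trimmed to the fields used here.
SAMPLE_INSPECT = """
[
  {"Name": "/code-server",
   "HostConfig": {"PortBindings": {"8443/tcp": [{"HostIp": "", "HostPort": "8443"}]}}},
  {"Name": "/code-server-local",
   "HostConfig": {"PortBindings": {"8443/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8443"}]}}},
  {"Name": "/swag",
   "HostConfig": {"PortBindings": {"443/tcp": [{"HostIp": "0.0.0.0", "HostPort": "443"}]}}}
]
"""

def bind_scope(host_ip):
    """Return 'loopback', 'all-interfaces' or 'single-address' for a HostIp value."""
    if not host_ip:
        return "all-interfaces"  # Docker treats an empty HostIp as every interface
    addr = ipaddress.ip_address(host_ip)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:      # 0.0.0.0 or ::
        return "all-interfaces"
    return "single-address"

def non_loopback_bindings(inspect_json, allowed=()):
    """List (container, container_port, host_ip, host_port, scope) for every
    published port reachable from off the host, skipping containers in `allowed`."""
    findings = []
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")
        if name in allowed:
            continue
        bindings = (container.get("HostConfig") or {}).get("PortBindings") or {}
        for container_port, hosts in bindings.items():
            for b in hosts or []:
                host_ip = b.get("HostIp") or ""
                scope = bind_scope(host_ip)
                if scope != "loopback":
                    findings.append((name, container_port, host_ip,
                                     b.get("HostPort", ""), scope))
    return findings

if __name__ == "__main__":
    # The reverse proxy is meant to be reachable; everything else should be loopback-only.
    for finding in non_loopback_bindings(SAMPLE_INSPECT, allowed=("swag",)):
        print("published beyond localhost:", finding)
```

When the reverse proxy reaches code-server over a shared Docker network, code-server needs no published port at all; `PortBindings` is then empty and the script reports nothing for it.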