v4.10.1

[code-asher]

Code v1.75.1

Security

Added an origin check to web sockets to prevent cross-site hijacking attacks on
users using older or niche browser that do not support SameSite cookies and
attacks across sub-domains that share the same root domain.

The check requires the host header to be set so if you use a reverse proxy
ensure it forwards that information otherwise web sockets will be blocked.

---

This discussion was created from the release v4.10.1.

[ardislu]

For anyone using nginx as a reverse proxy, here is the exact line you need to add to your config.

Assumptions:

• code-server is running on port 11111
• Reverse proxy is on port 22222
• Reverse proxy is on the domain your-domain.example.com

# /etc/nginx/conf.d/code-server.conf, or wherever you have the reverse proxy config

server {
        listen 22222 ssl;
        ssl_certificate /etc/ssl/certs/YOUR_CERT_HERE.crt;
        ssl_certificate_key /etc/ssl/private/YOUR_KEY_HERE.key;
        location / {
                proxy_pass http://127.0.0.1:11111;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection upgrade;
+               proxy_set_header Host "your-domain.example.com:22222";
        }
}

Then reload the config: nginx -s reload and it should work again.

[code-asher]

I think you can also use proxy_set_header Host $host; to avoid hard-coding the host.

[ardislu]

Yes, good point - you should try proxy_set_header Host $host; first.

For my config, I actually had additional server configs interfering so $host didn't work for me and I had to hardcode the value. But in general $host should be tried first.

[neophack]

I got some problem in reverse proxy, I hope this function can close by args

[code-asher]

@neophack Could you elaborate? Are you having trouble setting the host header in your proxy?

[FlorianEndel]

I got exactly the same error. The configuration of my reverse proxy (nginx/swag) hasn't changed. Host is/was already set.

I'm using the linuxserver.io images.

The regression happened from
lscr.io/linuxserver/code-server:amd64-4.10.0 (working)
to
lscr.io/linuxserver/code-server:amd64-4.10.1 (error as described above)

[dobzhao]

add the header Origin works for me

proxy_set_header        Origin https://$host;

I read the code, it compare the host:port in header Host and Origin, so I think both Host and Origin should be set.

but Terminal do not work and I don't know why for now :-(

[code-asher]

The browser is supposed to set Origin, if you set it in the proxy just keep in mind that it bypasses the security of that check.

[bilogic]

Anyone has settings for apache?

[danktankk]

same here 4.10.0 works and 4.10.1 does not. pinning to 4.10.0 until this is sorted.

[code-asher]

Might need to use $http_host instead: #6166