GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → sar → vs-code-container-with-ssl

sar / vs-code-container-with-ssl

Licence: MIT license
Launch your own Code Server container with preloaded SDKs for React, Python, C#, Cloud CLIs, secured by SSL Reverse Proxy.

Programming Languages

Dockerfile
14818 projects
shell
77523 projects

Labels

linuxdockernginxsslawsdebiandocker-composereactjsazuredotnet-corevs-codehomelabpodmancode-servercodespaces

Projects that are alternatives of or similar to vs-code-container-with-ssl

DSAC
DockSTARTer App Config helps you configure some of your Docker apps!
Stars: ✭ 20 (-62.96%)
Mutual labels:  debian, homelab
awesome-sysadmin-tools
Collection of links and resources for sysadmins and Drupal lovers
Stars: ✭ 17 (-68.52%)
Mutual labels:  ssl, debian
Debian Server
Complete Debian/Ubuntu Web Application Server Installation
Stars: ✭ 22 (-59.26%)
Mutual labels:  ssl, debian
Cwac Netsecurity
CWAC-NetSecurity: Simplifying Secure Internet Access
Stars: ✭ 239 (+342.59%)
Mutual labels:  ssl
Connector
Коннектор: удобный HTTP-клиент для 1С:Предприятие 8
Stars: ✭ 240 (+344.44%)
Mutual labels:  ssl
docker-ssl-reverse-proxy
Easy-to-use auto-SSL reverse proxy as a Docker container based on Caddy and Let’s Encrypt
Stars: ✭ 22 (-59.26%)
Mutual labels:  ssl
kafka role
Ansible role to install Apache Kafka
Stars: ✭ 18 (-66.67%)
Mutual labels:  debian
Snuffy
Snuffy is a simple command line tool to inspect SSL/TLS data.
Stars: ✭ 236 (+337.04%)
Mutual labels:  ssl
steady-tun
Secure TLS tunnel with pool of prepared upstream connections
Stars: ✭ 37 (-31.48%)
Mutual labels:  ssl
Blynk WM
Blynk and WiFiManager Library for configuring/auto(re)connecting ESP8266/ESP32 modules to the best or available MultiWiFi APs and MultiBlynk servers at runtime, with or without SSL. Configuration data saved in either SPIFFS or EEPROM.
Stars: ✭ 46 (-14.81%)
Mutual labels:  ssl
docker-electrumx
Run an Electrum server with one command
Stars: ✭ 87 (+61.11%)
Mutual labels:  ssl
Acme Nginx
python acme client for nginx
Stars: ✭ 248 (+359.26%)
Mutual labels:  ssl
distrobox
Use any linux distribution inside your terminal. Enable both backward and forward compatibility with software and freedom to use whatever distribution you’re more comfortable with. Mirror available at: https://gitlab.com/89luca89/distrobox
Stars: ✭ 4,371 (+7994.44%)
Mutual labels:  podman
Tricks Of Semi Superviseddeepleanring Pytorch
PseudoLabel 2013, VAT, PI model, Tempens, MeanTeacher, ICT, MixMatch, FixMatch
Stars: ✭ 240 (+344.44%)
Mutual labels:  ssl
fosdem20
Demo material used for the Podman talk at FOSDEM 2020
Stars: ✭ 22 (-59.26%)
Mutual labels:  podman
Mqttclient
A high-performance, high-stability, cross-platform MQTT client, developed based on the socket API, can be used on embedded devices (FreeRTOS / LiteOS / RT-Thread / TencentOS tiny), Linux, Windows, Mac, with a very concise The API interface realizes the quality of service of QOS2 with very few resources, and seamlessly connects the mbedtls encryption library.
Stars: ✭ 234 (+333.33%)
Mutual labels:  ssl
dheater
D(HE)ater is a proof of concept implementation of the D(HE)at attack (CVE-2002-20001) through which denial-of-service can be performed by enforcing the Diffie-Hellman key exchange.
Stars: ✭ 142 (+162.96%)
Mutual labels:  ssl
Openssl
TLS/SSL and crypto library
Stars: ✭ 17,157 (+31672.22%)
Mutual labels:  ssl
Websockify
Websockify is a WebSocket to TCP proxy/bridge. This allows a browser to connect to any application/server/service.
Stars: ✭ 2,942 (+5348.15%)
Mutual labels:  ssl
hudsucker
Intercepting HTTP/S proxy
Stars: ✭ 114 (+111.11%)
Mutual labels:  ssl
View All Similar Projects ➔

Containerized Code Server with SSL & Dev Tooling

Launch your own Code Server container with preloaded dev tools (sdks, npm packages, CLIs etc) for an efficient and securely accessible Web IDE in your homelab!

code-server

Getting Started

Clone this repo on the server with docker or podman configured. It's recommended to attach mount points for storing your codebase isolated from the container runtime for redundancy and failover management.

Next, set the required environment variables and data paths using the provided .env.template replicated to .env (note: default exclude declared in .gitignore).

Persistent storage for extensions and vscode settings can also be enabled by mapping HOST_* variables for convenience against container restarts.

Here's an example of what you'll need to define in .env:

VIRTUAL_HOST=10.0.0.1
VIRTUAL_PORT=8555

HOST_CONFIG_PATH=./config
HOST_LOG_PATH=./logs

HOST_CODE_PATH=/mnt/codebase
CODE_PATH=/code

TZ=America/New_York
SUDO_PASSWORD=<SUDO_PASSWORD>

An additional config.yaml is required for code-server mapped using path:ro volume. The container will auto-generate a file if none is provided.

bind-addr: 0.0.0.0:8080
auth: password
password: <<PASSWORD>>
cert: false

Nginx is used to reroute traffic from [::]:80 to upstream HTTPS port [::]:8443 with self-signed SSL certificates. Checkout and run the generate_certs.sh script to emit the required certificates with signing key using openssl.

Place both the nginx.conf and certs under the paths defined in code-server.yaml.

listen [::]:443 ssl default_server;
        ssl_certificate /etc/nginx/certs/ssl.crt;
        ssl_certificate_key /etc/nginx/certs/ssl.key;
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;

Finally, deploy the container stack on the docker host using the command docker-compose -f code-server.yaml up. It may take 15-20 minutes depending on your hardware and network bandwidth for the initial build. The dockerfile pre-configures a number of devtools and updates the base image packages.

To comply with Docker CIS, resource limits are defined on each of the containers but can be customized to your hardware in the compose code-server.yaml file.

An alternative compose file code-server.https.yaml is provided with automatic configuration of NGINX proxy using steveltn/https-portal.

Pre-Installed Dev Tools

Here's a quick overview of what the dockerfile does to extend debian:buster base image. This allows containers to be rapidly deployed and scaled up for usage on dev teams with tooling ready to go.

The output image includes SDKs for cloud native app development workloads such as React, Node, C#, AWS and Azure Cloud CLIs.

* Cloud CLIs
    * AWS CLI Tools
        * aws-shell
        * amplify cli
    * Azure CLI
* NPM packages
    * yarn (upstream)
    * gatsby-cli
    * gulp
    * create-react-app
    * @storybook/cli
* .NET Core SDK and Runtime
    * 5.0.0
    * 3.1.0
    * 2.1.0
* Python global env
    * python3 python3-pip python3-dev
* Ubuntu apt packages
    * Networking
        * wget
        * apt-transport-https
        * libssl-dev libffi-dev
    * Tools
        * ranger
        * tree
        * unzip
        * ansible
        * vim
        * htop
        * iputils-ping
    * OS/Misc
        * systemd
        * build-essential
        * ffmpeg
        * youtube-dl
        * chromium-browser
    * Default shell --> zsh/oh-my-zsh
        * zsh-syntax-highlighting
        * zsh-autosuggestions
        * zsh-completions
        * history-search-multi-word

Refer to the Dockerfile for image layers.

Remote Debugging

By default the dockerfile and code-server.yaml are set to expose port ranges 5000-5010 and 8000-8010 commonly used for web app development. Customize this for your workload such as React, Gatsby, Angular, Django, etc. to allow for remote debugging HTTP instances that are running inside the container.

To allow external access on node frameworks that depend http-server (instantiated with npm or yarn) you may need to also update your package.json and bind the runtime to the host ip instead of localhost.

Here are a few common examples:

{
    "scripts": {
        "ng:start": "ng serve --host 0.0.0.0",
        "npm:start": "http-server --host 0.0.0.0",
        "gatsby:start": "gatsby develop --host 0.0.0.0"
    }
}

Alternatively, if you'd prefer not to expose ports, check out the vscode-browser-preview extension which enables chromium based inspection and debugging within the container itself.

Security Considerations

As the base image extends debian:buster, additional steps have been taken to add security measures with hosts file, fail2ban and clamav packages preloaded. These are precautionary against attacks but insufficient against (un)known breaches.

APT over HTTP(s)

MITM attacks while unlikely by default due to PGP signature verification of repos, can be further averted with apt-transport-https package. Vulnerable networks can still reveal user transmit/receive of debian updates, to further anonymize traffic install the package apt-transport-tor and use for tor:// prefix on repos for apt over tor.service socks proxy.

Log Analytics

It's strongly recommended to configure a remote syslog daemon for log analytics with auditd enabled, here's our guide on using solutions such as Graylog2.

Ports

There's a wide range of tcp ports exposed and mapped directly to the host for remote debugging apps running inside the container. By default, only the code-server is allocated on ports 8443 and localhost:8080.

$ netstat -tnlp

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      299/node            
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -

For dev workloads outside of a homelab or private cloud behind firewalls, using an nginx reverse proxy with HTTPS and auth redirects is vital to preventing sensitive code exposure.

Workarounds

File Watcher Limit

Containers inherit the default file watcher limit from the docker host. To set an increased value persistently, run the following command on the server and reboot.

$ echo "fs.inotify.max_user_watches = 524288" >> /etc/sysctl.conf
$ sudo sysctl -p

Docker in Docker

To run containers using rootless mode inside the code-server container itself, set gid as an environment variable (in .env) matching the docker host before building the image. This will add the default $USER to the docker group with the correct permissions to the docker.sock.

DOCKER_HOST_GID=999
$ ls -l /var/run/docker.sock
srw-rw----. 1 root docker 0 Dec 22 17:52 /var/run/docker.sock

$ id $USER
...999(docker)

# Manually rebuild
$ docker build --build-arg DOCKER_HOST_GID=999 --build-arg DEFAULT_USER=abc -t <image_tag> .

# Use docker-compose to build and deploy automatically
$ docker-compose -f code-server.yaml up

Inside the container, you should no longer receive permission errors upon calling docker comands without sudo.

$ docker run hello-world
docker: Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/create: dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.

# Built with GID=<docker_host_gid>
$ docker run hello-world

Contributing

Contributions including forks and reporting issues are welcome. Be sure to include the output of $ uname -a of your container host or docker-compose configuration and a detailed description to allow for replication.

License

This project is made available under the MIT License. For more information, refer to license.md.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].