Code-Server

Posted on October 2, 2012

Tags: hacksoft

#use to see programs associated with listening ports and address
sudo netstat -tuplen
#alternative command below
sudo ss -tuplen

1 Running Offical vs-code server

microsoft offical vs code server

wget -O- https://aka.ms/install-vscode-server/setup.sh | sh

If you run into -bash: /usr/bin/code-server: No such file or directory,
then go to code-server binary with which code-server, then sudo chmod 777 code-server

code-server serve-local --disable-telemetry --telemetry-level off  --without-connection-token --host 127.0.0.1 --port 8443

You can make a file that runs the server like below

apt install -y gnome-keyring

#!/bin/bash
nohup dbus-run-session -- sh -c "(echo 'root' | gnome-keyring-daemon --unlock) && code-server serve-local --disable-telemetry --telemetry-level off --without-connection-token --host 127.0.0.1 --port 8443" &

#!/bin/bash
nohup code-server serve-local --disable-telemetry --telemetry-level off  --without-connection-token --host 127.0.0.1 --port 8443 &

1.1 Custom systemd service for CodeServer

NOTE: this is ONLY for VSCode’s official code-server, the unofficial codeserver by cdr has a default service called code-server@debian DO NOT MISTAKE THE TWO.

[Unit]
Description=code-server
After=network.target

[Service]
Type=exec
Environment=PASSWORD=root
ExecStart=code-server serve-local --disable-telemetry --without-connection-token --host 127.0.0.1 --port 8443
Restart=always
User=debian

[Install]
WantedBy=default.target

1.2 Certificates

Summary:

/usr/local/share/ca-certificates/VsCodeOpenBSERVER.crt ==generates==> /etc/ssl/certs/VsCodeOpenBSERVER.pem
- However if /usr/local/share/ca-certificates DOES NOT EXIST, we can just throw VsCodeOpenBSERVER.crt into /etc/ssl/certs/VsCodeOpenBSERVER.crt
/etc/ssl/private/VsCodeOpenBSERVER.key

Instruction for Debian:

Download *.crt and *.key
sudo update-ca-certificates --fresh to sync/clean /usr/local/share/ca-certificates with /etc/ssl/certs
COPY *.crt into /usr/local/share/ca-certificates
COPY *.key into /etc/ssl/private
sudo update-ca-certificates will create a *.pem file in /etc/ssl/certs that points to our *.crt

Instruction for RHEL:

instead of /usr/local/share/ca-certificates/VsCodeOpn.crt go to /etc/pki/tls/certs/VsCodeOpn.crt
instead of /etc/ssl/private/VsCodeOpn.key go to /etc/pki/tls/private/VsCodeOpn.key

2 nginx

2.1 OPTION 1: EZ

just overwrite your /etc/nginx/nginx.conf file with below:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;


        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        map $http_upgrade $connection_upgrade { 
            default upgrade;
            ''      close;
        } 
        server {
            listen 0.0.0.0:8444 ssl;
            ssl_certificate /etc/ssl/certs/VsCodeOpenBSERVER.pem;
            ssl_certificate_key /etc/ssl/private/VsCodeOpenBSERVER.key;
            location / {
                add_header Access-Control-Allow-Origin *;
                add_header Access-Control-Allow-Methods *;
                add_header Access-Control-Allow-Headers *;
                
                proxy_pass http://localhost:8443/;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Host $host:$server_port;
                proxy_set_header Origin https://$host;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection upgrade;
                proxy_set_header Accept-Encoding gzip;
            }
          }
}

2.2 OPTION 2: HARD WAY BUT modular

Call the below command once you download nginx.

sudo unlink /etc/nginx/sites-enabled/default

2.2.1 /etc/nginx/nginx.conf

you may not have folders /etc/nginx/sites-available/ nor /etc/nginx/sites-enabled/ so you will have to mkdir to make them.
You will also have to add this line include /etc/nginx/sites-enabled/*; to /etc/nginx/nginx.conf inside the http{...} block.

check to make sure your /etc/nginx/nginx.conf looks like below

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

2.2.2 http

cd /etc/nginx/sites-available/
sudo nano code-server.conf

server {
    listen 0.0.0.0:80;

location / {
      proxy_pass http://localhost:8443/;
      proxy_http_version 1.1;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Host $host:$server_port;
      proxy_set_header Origin https://$host;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection upgrade;
      proxy_set_header Accept-Encoding gzip;
    }
}

#call if you have a previous enabled conf #sudo rm /etc/nginx/sites-enabled/code-server.conf
sudo ln -s /etc/nginx/sites-available/code-server.conf /etc/nginx/sites-enabled/code-server.conf
sudo systemctl restart nginx

Note: for rhel if you choose to open port to traffic like 0.0.0.0:7777 you need to call sudo semanage port -a -t http_port_t -p tcp 7777

on rhel you need to call setsebool -P httpd_can_network_connect 1

2.2.3 https

cd /etc/nginx/sites-available/
sudo nano code-server.conf


server {
    listen 0.0.0.0:443 ssl;
ssl_certificate /etc/ssl/certs/VsCodeOpenBSERVER.pem;
ssl_certificate_key /etc/ssl/private/VsCodeOpenBSERVER.key;
       
location / {
      
      proxy_pass http://localhost:8443/;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host $host;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection upgrade;
      proxy_set_header Accept-Encoding gzip;
    }
}

#call if you have a previous enabled conf #sudo rm /etc/nginx/sites-enabled/code-server.conf
sudo ln -s /etc/nginx/sites-available/code-server.conf /etc/nginx/sites-enabled/code-server.conf
sudo systemctl restart nginx

on rhel you need to call setsebool -P httpd_can_network_connect 1

Note: HTTPS/SSL only works on port 443. You have to do some additional config if you want to open to public with a different port.

go to cd /var/log/nginx/ to see log files if something doesnt work

3 Running UnOffical

Without HTTPS, SSL Cert, things like Coq, Lean, wont work. Extensions wont show details, etc. Codeserver 3.8.0 is the last version that works without SSL.

Config location: ~/.config/code-server/config.yaml

4 HTTPS setup on Opnsense or Pfsense

In the cert and cert-key fields, remember to use ABSOLUTE PATHS or systemctl wont work.

# non-root node server cant bind to ports lower than 1024
# Allows code-server to listen on ports lower than 1024, including 443.
sudo setcap cap_net_bind_service=+ep `readlink -f \`which node\`` 
sudo setcap cap_net_bind_service=+ep /usr/lib/code-server/lib/node

bind-addr: 0.0.0.0:443
auth: password
password: root
cert: /etc/ssl/certs/VsCodeOpenBSERVER.pem
cert-key: /etc/ssl/private/VsCodeOpenBSERVER.key

Next you have to generate your Certificate Root Authority.
(This is what your browser downloads)

Trust >> Authorities >> Add

Name: Web SSL Cert
Method: Create an internal Certificate Authority
Leave the Cipher and Hash default or else it wont work if key is too weak.
Use valid city and state data

Next you have to generate your Server Certificate.
(This will generate a VsCodeOpenBSERVER.key and VsCodeOpenBSERVER.crt that you put in your /usr/local/share/ca-certificates and /etc/ssl/private)

Trust >> Certificates >> Add

Name: VsCodeOpenBSERVER
Method: Create an internal Certificate
Certificate Authority: Web SSL Cert
Type: Server Certificate
Alternative Names:
- DNS: server.opnroot.com
- IP: 192.168.1.245

NOTE: Every new PC or computer you use as a server requires you to remake a new certificate

Download the VsCodeOpenBSERVER.crt and VsCodeOpenBSERVER.key drag them int your code-server browser or download via SSH.

4.1 Certificates

Conceptually: VsCodeOpenBSERVER.crt to generate VsCodeOpenBSERVER.pem to be used BUT technically you can just use VsCodeOpenBSERVER.crt directly.
We use VsCodeOpenBSERVER.key directly

The locations below are generally where we put our SSL certificate and private key.

/usr/local/share/ca-certificates hold *.crt
- /etc/ssl/certs holds *.pem that is symlinked from *.crt above via sudo update-ca-certificates
/etc/ssl/private holds *.key which is the private key

Instruction:

Download *.crt and *.key
sudo update-ca-certificates --fresh to sync/clean /usr/local/share/ca-certificates with /etc/ssl/certs
COPY *.crt into /usr/local/share/ca-certificates
COPY *.key into /etc/ssl/private
sudo update-ca-certificates will create a *.pem file in /etc/ssl/certs that points to our *.crt
Go to Browser

Trust >> Authorities

Download the Web-SSL-Cert.crt, which is the Root Cert Authority. Go to Chrome settings , Manage Certificates >> Trusted Root Certificate Authorities tab >> Import .. , and install the *.crt.
Note we DO NOT need to install VsCodeOpn.crt on our browser.

5 Updating Unofficial Code-server

5.1 RHEL

Unlike in the offical documents, sudo rpm -i code-server... will error on preinstalled code-server so you need to add a -U flag to it.

curl -fOL https://github.com/coder/code-server/releases/download/v$VERSION/code-server-$VERSION-amd64.rpm
sudo rpm -U -i code-server-$VERSION-amd64.rpm #ADD THE '-U' flag here
sudo systemctl enable --now code-server@$USER

Next your code-server should fail to start if running on port 80 or 443 or anything lower than 1024.

12:15 PM [2022-10-02T16:15:06.060Z] error parent:17517 Error: EACCES: permission denied, mkdir '20221002-1215-01-'code-server
12:15 PM [2022-10-02T16:15:06.060Z] error parent:17517 Uncaught exception: EACCES: permission denied, mkdir '20221002-1215-01-'code-server
12:15 PM [2022-10-02T16:15:06.058Z] error listen EACCES: permission denied 0.0.0.0:443 code-server

The solution is below:

# non-root node server cant bind to ports lower than 1024
# Allows code-server to listen on ports lower than 1024, including 443.
sudo setcap cap_net_bind_service=+ep /usr/lib/code-server/lib/node

6 Extensions

go to open-vsx.org

wget https://open-vsx.org/api/something/vscode-bleh/1.2.0/file/something.vscode-bleh-1.2.0.vsix
code-server --install-extension something.vscode-bleh-1.2.0.vsix

6.1 Extensions list

AWS Toolkit
Git Graph
HashiCorp Terraform
Haskell
Haskell Syntax Highlighting
lean4
lean
TLA+
Live Server
Javascript and TypeScript Nightly
Rust
VSCoq

7 Lean and Multi-root workspaces

To use multi-root vscode workspaces with lean, the *.workplace file must be placed inside a lean project folder.

8 Jupyter

env GO111MODULE=on go install github.com/gopherdata/gophernotes@latest
cd "$(go env GOPATH)"/src/github.com/gopherdata/gophernotes
env GO111MODULE=on go install
mkdir -p ~/.local/share/jupyter/kernels/gophernotes
cp kernel/* ~/.local/share/jupyter/kernels/gophernotes
cd ~/.local/share/jupyter/kernels/gophernotes
chmod +w ./kernel.json
sed "s|gophernotes|$(go env GOPATH)/bin/gophernotes|" < kernel.json.in > kernel.json

9 Fixing auto-complete bug

Problem: VSCode command palette may cache old and non-existent paths. (Opening a folder or Workspace will autofill an old non-existant path)

Solution: Ctrl+Shift+P > File: Clear Recently Opened

10 Cern ROOT C++ interpreter

conda config --env --add channels conda-forge
conda install root

11 Spring boot

Java Extension Pack - microsoft vscjava
Spring boot Extension Pack