HTTPS leads to 502 Bad Gateway
We have the Coder Server and all the workspaces within our own Tailnet. Everything works as expected when running code-server via http. Now, when we try to use tailscale cert and pass the generated cert / key to the code-server in our template, we run into a 502 when opening the code-server via the Coder Server workspace view.
I'm pretty sure that we are overlooking something here. This is our current configuration:
Here, local.fqdn contains the full tailnet *.ts.net domain. In the workspace view, everything looks good, but when opening code-server, the 502 appears.
Any pointer in the right direction is highly appreciated 🙂
Hey - I think you are running into two separate issues:
1. coder_app does not support the https internal server scheme yet. In v1, we used to reverse proxy under Coder's own certificate, regardless of what was present within the workspaces: https://github.com/coder/coder/issues/5891
2. coder_app does not proxy non-localhost addresses: https://github.com/coder/coder/issues/4287
We plan to fix these, but haven't gotten around to it yet. I'm not sure I fully understand your use case with Tailscale though. code-server is still running on the same workspace, but you want traffic to go through the tailnet host?

Hi @bpmct, gotcha, thanks a lot for the clarification. Regarding Tailscale, we're running a corporate Tailnet (where other services are also deployed). Now, we have also deployed the Coder Server and the respective workspaces within our Tailnet. That said, each workspace joins our own Tailnet during provisioning.
I see, but code-server is still running within the workspace itself, right? Or is it on some other machine on the tailnet?
I'm wondering why you need the URL to be the tailnet domain instead of localhost in coder_app.
Ah, because of the TLS certificates?

Yes, code-server is running within the workspace itself. I wanted to use tailscale cert and let the Coder Server proxy the traffic to the code-server by using https.
So the provisioning looks like:
1. Join our Tailnet
2. tailscale cert
3. Pass the cert & key to code-server
(But if I read the docs correctly, the traffic between the Coder Server and the actual workspace when using code-server is still encrypted, right? Always a little careful when I see http:// in the config 😄 )

Yeah. All traffic is encrypted over an HTTPS tunnel and users connect to the app through a reverse proxy.
We still plan on supporting internal HTTPS apps via coder_app, but it would work for self-signed certs too. For the browser, the cert is secure since it uses the certificate from the Coder server and not the app.
For now, if you were to disable certs on code-server, do any of your use cases break?
It's not technically less secure because traffic still goes through TLS back to Coder and for the user.

> For now, if you were to disable certs on code-server, do any of your use cases break?

Good to hear that you plan to support internal HTTPS apps via coder_app. No, that is fine 🙂 The only important aspect was that the connection between Coder Server <> code-server in the workspace is encrypted. Just curious, the proxied traffic between the Coder Server and the workspace (when using code-server), is this also tunnelled via your Tailscale integration? Just trying to wrap my head around why coder_app expects an http://localhost URL? 🙂

Yep, it's tunneled through a Tailscale network over HTTPS (through Coder's access URL)
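The working shape of the template that the thread converges on, as an added example that is not the original poster's configuration and not code from the Coder project: code-server is started without TLS and bound to loopback, and coder_app points at http://localhost, because the two linked issues mean coder_app proxies neither https:// URLs nor non-localhost hosts. The agent name "main", the port 13337, the /home/coder folder and the commented-out tailnet variant using local.fqdn are illustrative assumptions, not values taken from the post.

```hcl
# Added example, not the poster's template. Assumed names: agent "main",
# code-server on port 13337, workspace home /home/coder.
resource "coder_agent" "main" {
  os   = "linux"
  arch = "amd64"

  # Start code-server without --cert / --cert-key. TLS towards the user is
  # terminated at the Coder access URL, and the hop from the Coder server to
  # this agent already runs inside Coder's encrypted tunnel, so the app itself
  # can listen on plain HTTP bound to loopback only.
  startup_script = <<-EOT
    code-server --auth none --bind-addr 127.0.0.1:13337 >/tmp/code-server.log 2>&1 &
  EOT
}

resource "coder_app" "code-server" {
  agent_id     = coder_agent.main.id
  slug         = "code-server"
  display_name = "code-server"

  # What produced the 502 in the thread (assumed form, shown for contrast):
  # an https:// URL on the tailnet FQDN instead of http://localhost.
  # url = "https://${local.fqdn}:13337/?folder=/home/coder"

  # Working form: http scheme and localhost host, which coder_app can proxy.
  url       = "http://localhost:13337/?folder=/home/coder"
  subdomain = false

  # Health check also over plain HTTP on loopback; code-server serves /healthz.
  healthcheck {
    url       = "http://localhost:13337/healthz"
    interval  = 5
    threshold = 6
  }
}
```

Binding to 127.0.0.1 rather than 0.0.0.0 keeps the unauthenticated (`--auth none`) code-server unreachable from other tailnet peers; only the Coder agent on the same workspace can reach it, and users still arrive through the Coder server's reverse proxy under the Coder certificate.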