From ff99a1d768bf42602dd19cb98447e80ecdcda15d Mon Sep 17 00:00:00 2001 From: Asher Date: Wed, 23 Oct 2019 11:49:05 -0500 Subject: [PATCH] Add security section to readme See #1062. --- .travis.yml | 2 +- README.md | 27 +++++++++++++++++++++++++++ doc/quickstart.md | 9 --------- 3 files changed, 28 insertions(+), 10 deletions(-) diff --git a/.travis.yml b/.travis.yml index ab6047f2..214d8419 100644 --- a/.travis.yml +++ b/.travis.yml @@ -61,7 +61,7 @@ deploy: - provider: script skip_cleanup: true - script: docker build -f ./scripts/ci.dockerfile --build-arg -t codercom/code-server:"$TAG" -t codercom/code-server:v2 . && docker push codercom/code-server:"$TAG" && docker push codercom/code-server:v2 + script: docker build -f ./scripts/ci.dockerfile -t codercom/code-server:"$TAG" -t codercom/code-server:v2 . && docker push codercom/code-server:"$TAG" && docker push codercom/code-server:v2 on: repo: cdr/code-server branch: master diff --git a/README.md b/README.md index ca6cdc54..182402b0 100644 --- a/README.md +++ b/README.md 
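Review bot: The deploy `script:` line in the `.travis.yml` hunk has no comment saying that every deploy from `master` both publishes `codercom/code-server:"$TAG"` and re-pushes the `codercom/code-server:v2` tag, so anyone pulling `:v2` gets whatever was built last rather than a fixed image. A one-line comment above the command would make that explicit, e.g. `# Publishes the release tag and moves the v2 tag to this build; pull "$TAG" for a fixed image.` Where `$TAG` is set is not visible in the hunk, so confirm it is unique per release before wording the comment that way. The `deploy:` block starts and ends outside the hunk.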
@@ -56,6 +56,33 @@ arguments when launching code-server with Docker. See - For self-hosting and other information see [doc/quickstart.md](doc/quickstart.md). - For hosting on cloud platforms see [doc/deploy.md](doc/deploy.md). +## Security + +### Authentication +To enable built-in password authentication use `code-server --auth password`. By +default it will use a randomly generated password but you can set the +`$PASSWORD` environment variable to use your own. + +Do not expose `code-server` to the open internet without some form of +authentication. + +### Encrypting traffic with HTTPS +If you aren't doing SSL termination elsewhere you can directly give +`code-server` a certificate with `code-server --cert` followed by the path to +your certificate. Additionally, you can use certificate keys with `--cert-key` +followed by the path to your key. If you pass `--cert` without any path +`code-server` will generate a self-signed certificate. + +If `code-server` has been passed a certificate it will also respond to HTTPS +requests and will redirect all HTTP requests to HTTPS. Otherwise it will respond +only to HTTP requests. + +You can use [Let's Encrypt](https://letsencrypt.org/) to get an SSL certificate +for free. + +Do not expose `code-server` to the open internet without SSL, whether built-in +or through a proxy. + ### Build See diff --git a/doc/quickstart.md b/doc/quickstart.md index db76d15f..318bbeba 100644 --- a/doc/quickstart.md +++ b/doc/quickstart.md 
@@ -7,15 +7,6 @@ ## Usage Run `code-server --help` to view available options. -### Encrypting traffic with HTTPS -To encrypt the traffic between the browser and server use `code-server --cert` -followed by the path to your certificate. Additionally, you can use certificate -keys with `--cert-key` followed by the path to your key. If you pass `--cert` -without any path code-server will generate a self-signed certificate. - -You can use [Let's Encrypt](https://letsencrypt.org/) to get an SSL certificate -for free. - ### Nginx Reverse Proxy The trailing slashes are important.