mirror of https://git.tuxpa.in/a/code-server.git
43 lines
1.3 KiB
Markdown
43 lines
1.3 KiB
Markdown
# Protecting code-server from bruteforce attempts
|
|
|
|
code-server outputs all failed login attempts, along with the IP address,
|
|
provided password, user agent and timestamp by default. When using a reverse
|
|
proxy such as Nginx or Apache, the remote address may appear to be `127.0.0.1`
|
|
or a similar address unless the `--trust-proxy` argument is provided to
|
|
code-server.
|
|
|
|
When used with the `--trust-proxy` argument, code-server will use the last IP in
|
|
`X-Forwarded-For` (if provided) instead of the remote socket address. Ensure
|
|
that you are setting this value in your reverse proxy:
|
|
|
|
Nginx:
|
|
```
|
|
location / {
|
|
...
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
...
|
|
}
|
|
```
|
|
|
|
Apache:
|
|
```
|
|
<VirtualEnv>
|
|
...
|
|
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
|
|
...
|
|
</VirtualEnv>
|
|
```
|
|
|
|
It is extremely important that if you enable `--trust-proxy` you ensure your
|
|
code-server instance is not accessible from the internet (block it in your
|
|
firewall).
|
|
|
|
## Fail2Ban
|
|
|
|
Fail2Ban allows for automatically banning and logging repeated failed
|
|
authentication attempts for many applications through regex filters. A working
|
|
filter for code-server can be found in `./code-server.fail2ban.conf`. Once this
|
|
is installed and configured correctly, repeated failed login attempts should
|
|
automatically be banned from connecting to your server.
|
|
|