[Bug]: error Forbidden HttpError: Forbidden #6064
Comments
same issue |
Do you use a reverse proxy? If so you may need to set the |
I'm also having this exact issue. I am using nginx as a reverse proxy and I looked into #6052, but after much debugging I can confirm that I have the Downgrading back to |
Do you see a "no host headers found" warning in code-server's output? If yes then the host is not making it to code-server somehow. If no then probably one of the following:
Edit: when the check fails I wonder if we should output what we got for all those headers to help debugging. |
My code-server logs are identical to the ones in the first comment's logs.
Knowing what is causing the error other than |
I believe the 404s are unrelated but worth looking into separately. I have seen them as well but am unaware of the cause as of yet. This particular forbidden error can only occur if this function returns false: Lines 340 to 383 in 78282a1
There very well may be a bug here but I am struggling to find what it could be. I suppose one other theory is that the headers are being sent multiple times (we only check the first one) but that seems unlikely. I will add some debug logs for the next version. |
I also use nginx as a reverse proxy for SSL access and have the same issue. I fixed it by adding `proxy_set_header X-Forwarded-Host $http_host;` to my nginx config. |
I also fixed it by adding this configuration. |
I also have this error and it was not fixed by adding the configuration that was suggested above. Rolling back to 4.10.0 fixed it though |
We are hosting code-server on our hpc cluster using https://github.com/OSC/ondemand and have limited control over our reverse proxy settings. Could there perhaps be an override or a variable giving the expected X-Forwarded-Host?
|
Are you thinking of something like an `--allowed-hosts` flag to
code-server and then we check the `Origin` header against that
list instead of using the `X-Forwarded-Host` header?
It does seem odd though if your proxy is setting a host that is
not the host the browser sees.
|
The allowed-hosts would suffice. But concerning your point about the X-Forwarded-Host header, it is correct/what the user sees in their URL field. I'll check on what branch the check fails.
|
Interesting...definitely odd, in that case presumably the browser sets |
I can also confirm that the recent update in the nginx ssl proxy to add the proxy set header has not solved my problem. I am getting the exact logs the OP has. |
If you could, please run 4.12.0 with `--log debug`. It should
tell you why it is rejecting the requests.
|
Might need to use |
Sorry about taking so long to get back with you.
This remains as-is until I try to access the GUI:
The above is repeated every few seconds as long as I'm leaving the GUI page trying to load, which eventually gives me the unexpected error: |
@Nuetron06 is code-server actually getting the debug level set and is this 4.12.0? You should see this preceding the forbidden line:
|
@code-asher Yep. The DEBUG: lines weren't there before I enabled it in the "unused" options on the config page of HomeAssistant. I confirmed it even switches to TRACE when I set it, and that line does not show. I've got SCS v5.57. I do have Nginx SSL Proxy Manager set with a custom external port (843 instead of 8443), if that helps. I also have esphome installed and had to add a proxy set header line for location /ingress/api for ESPhome. I've confirmed removing this line has no effect on it. EDIT: Hold a sec, checking the HA addon that is wrapping SCS. EDIT2: from the changelog: EDIT3: |
I do see the Do you use |
In my setting the very same thing happens. Using the debug flag I see the following error message: So what I see is that the x-forwarded-host is actually set, and as far as I understand set correctly (host might contain comma separated list of hostnames - again as far as I understand). So it does seem a bug, might be a specific case, but the hostnames sent and hostname expected are actually the same. In this case the string equality check won't work, the hostname set might be an array of hostnames. Can you please verify? |
Ahh I should have noticed that when y'all first posted the headers, sorry. Yeah |
Er wait I was looking at the wrong documentation, I was looking at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host Edit: still not sure if it is technically valid but seems little harm in supporting it plus the header is non-standard anyway. |
It seems so. To be honest, I’m not sure, did not read the standard. I
assume it is possible since the header is set by a standard ingress
configuration which I cannot change (don’t have access to).
…On 2023. May 16., Tue at 20:41, Asher ***@***.***> wrote:
Er wait I was looking at the wrong documentation, I was looking at
X-Forwarded-For. Are multiple hosts valid syntax for X-Forwarded-Host?
|
Added support for commas, will come out in the next version tomorrow or so. |
4.13.0 is out and supports X-Forwarded-Host with comma-separated hosts (it will use the first one). |
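The check discussed in this thread compares the host in the browser's `Origin` header with the host the proxy forwards. The following is an added sketch in plain Node.js JavaScript, not code-server's own code (function names and the sample hosts are made up for illustration); it shows why a comma-separated `X-Forwarded-Host` fails a whole-string comparison, and how taking the first entry accepts it while a mismatched host or port is still rejected with a loggable reason:

```javascript
// Added illustration, not code-server's implementation.
// `headers` is a plain object with lower-case keys, as Node's http module provides.

// First entry of a possibly comma-separated (or repeated) header value, lower-cased.
function firstHost(value) {
  if (Array.isArray(value)) value = value[0];
  if (typeof value !== "string") return undefined;
  return value.split(",")[0].trim().toLowerCase() || undefined;
}

// Host the browser is believed to have used: the proxy's X-Forwarded-Host, else Host.
function expectedHost(headers) {
  return firstHost(headers["x-forwarded-host"]) ?? firstHost(headers["host"]);
}

// Naive comparison described in the thread: whole header value against the Origin host.
function naiveCheck(headers) {
  return new URL(headers["origin"]).host === headers["x-forwarded-host"];
}

// Origin check that returns a reason, so a rejection can be logged at debug level.
function checkOrigin(headers) {
  const origin = headers["origin"];
  // Assumption: requests without an Origin header are let through.
  if (!origin) return { ok: true, reason: "no origin header" };
  let originHost;
  try {
    originHost = new URL(origin).host.toLowerCase();
  } catch {
    return { ok: false, reason: "malformed origin" };
  }
  const want = expectedHost(headers);
  if (!want) return { ok: false, reason: "no host headers found" };
  if (originHost !== want) {
    return { ok: false, reason: `origin host "${originHost}" does not match "${want}"` };
  }
  return { ok: true, reason: "match" };
}

// Constructed sample requests (ide.example.test is a placeholder name).
const samples = {
  single: { origin: "https://ide.example.test", "x-forwarded-host": "ide.example.test", host: "127.0.0.1:8080" },
  commaList: { origin: "https://ide.example.test", "x-forwarded-host": "ide.example.test, ide.example.test", host: "127.0.0.1:8080" },
  notForwarded: { origin: "https://ide.example.test", host: "127.0.0.1:8080" },
  portDropped: { origin: "https://ide.example.test:843", "x-forwarded-host": "ide.example.test", host: "127.0.0.1:8080" },
};
for (const [name, h] of Object.entries(samples)) console.log(name, checkOrigin(h));
```

The `portDropped` sample shows that the comparison includes the port, so a proxy that forwards the host without a non-default port the browser used will still be rejected.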
Today I met the same problem too, in version 4.14.1. The point is that I have no way to control the reverse proxy, so I just have a monkey fix in the file code-server-4.14.1-linux-amd64/out/node/http.js
It is not secure but it just works |
Is there an existing issue for this?
OS/Web Information
`code-server --version`: 4.10.1-rc1 and 4.10.1
Steps to Reproduce
code-server --bind-addr 0.0.0.0:8080
Expected
Remote:
Local:
Actual
Remote:
Local:
Logs
No response
Screenshot/Video
No response
Does this issue happen in VS Code or GitHub Codespaces?
Are you accessing code-server over HTTPS?
Notes
No response