Introduction
Code-server is an open-source server application that serves Visual Studio Code on a remote server, accessible through a browser. Code-server allows developers to access their development environment from anywhere, as well as to have a consistent development environment across different devices. It allows leveraging powerful cloud servers to speed-up compilations and tests, and to save battery when on the go.
This tutorial will guide you through the process of installing code-server on an Ubuntu 18.04 LTS VPS, and securing the installation with SSL and fail2ban.
Prerequisites
The following are required to successfully follow along the tutorial:
- A Rcs Cloud Compute instance (Min. Recommended: 4 GB RAM, 2 CPUs)
- A valid domain name pointing to the instance (Required for setting up SSL)
- SSH access to the instance as root
Install Code-Server
Download the latest release of code-server from the official repository.
cd /home
wget https://github.com/cdr/code-server/releases/download/2.1688-vsc1.39.2/code-server2.1688-vsc1.39.2-linux-x86_64.tar.gz
Untar the downloaded archive and rename the extracted folder.
tar -xvzf code-server2.1688-vsc1.39.2-linux-x86_64.tar.gz && rm code-server2.1688-vsc1.39.2-linux-x86_64.tar.gz
mv code-server2.1688-vsc1.39.2-linux-x86_64 code-server
Make the code-server binary executable.
cd code-server
chmod +x code-server
Run code-server.
./code-server --port 8000
Navigate to http://<YOUR-SERVER-IP>:8000
in a browser window. You will be prompted for a password. Use the password displayed in the SSH terminal. The Visual Studio Code interface will open up. To stop the server, press Ctrl + C in the SSH terminal.
Run Code-Server on Startup
To run code-server on system startup, you can install it as a service. We will be using Linux's systemd
service manager to create a service for code-server.
Create a new unit file for the code-server service.
nano /lib/systemd/system/code-server.service
Paste the following snippet into the file, replacing <password>
with a strong password of your choice. This will be the password you will use to login to code-server.
[Unit]
Description=Code Server Service
After=network.target
[Service]
Type=simple
Restart=on-failure
RestartSec=10
WorkingDirectory=/home/code-server
Environment="PASSWORD=<password>"
ExecStart=/home/code-server/code-server --port 8000
StandardOutput=file:/var/log/code-server-output.log
StandardError=file:/var/log/code-server-error.log
[Install]
WantedBy=multi-user.target
Enable and start the newly created service.
systemctl enable code-server
systemctl start code-server
Navigate to http://<YOUR-SERVER-IP>:8000
in a browser window. Use the password you chose earlier to login to code-server. The Visual Studio Code interface will open up upon successful authentication
Setup an Nginx Reverse Proxy
To access your installation over a domain name and to add an SSL certificate for security, it is recommended to setup a reverse proxy. We will be using the Nginx web server as a reverse proxy to access the code-server installation.
Download and install Nginx.
apt-get update
apt-get install nginx
Disable the default Nginx site configuration file.
rm /etc/nginx/sites-enabled/default
Create a new Nginx site configuration file for code-server.
nano /etc/nginx/sites-available/code-server
Paste the following snippet into the file, replacing example.com
with your own domain name.
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
location / {
proxy_pass http://localhost:8000/;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
proxy_set_header Accept-Encoding gzip;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Enable the configuration and restart the Nginx web server.
ln -s /etc/nginx/sites-available/code-server /etc/nginx/sites-enabled/
systemctl restart nginx
Allow SSH and Nginx connections through the firewall, and enable the firewall. This will ensure that the code-server installation is only accessible through the Nginx reverse proxy.
ufw allow ssh
ufw allow 'Nginx Full'
ufw enable
Navigate to your domain name to test the installation.
Install an SSL Certificate
For enhanced security when using the code-server installation over the internet, the developers of code-server recommended installing an SSL certificate. The Certbot application automates the process of obtaining and installing a free Let's Encrypt SSL certificate.
Download and install Certbot.
apt-get install python-certbot-nginx
Execute the following command to launch Certbot's command-line installer, replacing example.com
with your own domain name.
certbot --nginx -d example.com -d www.example.com
Proceed through the interactive installer. When asked whether or not to redirect HTTP traffic to HTTPS, choose to redirect.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/code-server
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/code-server
Install fail2ban
The developers of code-server suggest setting up fail2ban to monitor code-server's log for protection against brute-force attacks. Fail2ban is an application that parses logs to detect and mitigate automated attacks on a server. When a predefined number of unsuccessful login attempts are detected, fail2ban will alter the server's iptables to block the attacker for a predefined amount of time.
Install setuptools. This is required to install fail2ban.
apt-get install python3-setuptools -y
Download and install fail2ban.
git clone https://github.com/fail2ban/fail2ban.git
cd fail2ban
sudo python3 setup.py install
cp build/fail2ban.service /lib/systemd/system/fail2ban.service
cd .. && rm -rf fail2ban
Copy the default configuration file jails.conf
to jails.local
and open the copied file in a text editor.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
Paste the following snippet at the bottom of the file. You can change the maxretry
, findtime
, and bantime
parameters.
[code-server]
enabled = true
logpath = /var/log/code-server-output.log
# maxretry: The amount of unsuccessful login attempts after which a ban is issued.
maxretry = 5
# findtime: The amount of time within which the login attempts must occur.
findtime = 10m
# bantime: The amount of time for which an IP is banned from accessing the server.
bantime = 10m
Create a new filter configuration file to define the filter pattern to find unsuccessful login attempts in the code-server log.
nano /etc/fail2ban/filter.d/code-server.conf
Paste the following snippet into the file.
[Definition]
failregex = Failed login attempt {\"xForwardedFor\":\"<HOST>\".*
ignoreregex =
datepattern = "timestamp":{EPOCH}}$
Restart the rsyslog service and enable and start the fail2ban service.
systemctl restart rsyslog.service
systemctl enable fail2ban.service
systemctl start fail2ban.service
Conclusion
At this point we have successfully setup a code-server installation serving Visual Studio Code on a Rcs Cloud Compute instance, secured with SSL and fail2ban. Navigate to https://example.com
in a browser window to begin setting up your development environment.