POC: Host Web IDE on separate domain from the GitLab application
Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/464082+
What does this MR do and why?
NOTICE This MR is a proof of concept, and it shouldn't be merged.
It implements a minimal number of changes required to explore the idea of serving the Web IDE from a separate domain name instead of the GitLab instance domain name. Read the investigation issue's description to understand the reasons that motivate this change. This Merge Request comprises the following changes:
- It implements a middleware in Workhorse with authorization rules to access Web IDE's VSCode assets. The rules can be summarized:
- If the Web IDE doesn't have a dedicated domain name, deny access to vulnerable static assets that were exploited in the vulnerability #463408 (closed).
- If the Web IDE has a dedicated domain name:
- Allow access to VSCode assets when the HTTP Request's
Host
header contains the Web IDE domain name. - Deny access to all the other resources served by Workhorse when the HTTP Request's Host header contains the Web IDE domain name.
- Conversely, deny access to VSCode assets when the HTTP Request's Host header contains the GitLab instance domain name.
- Allow access to all the other resources when the HTTP Request's Host header contains the GitLab instance domain name
- Allow access to VSCode assets when the HTTP Request's
- It removes the patch file that removes the vulnerable assets mentioned in the previous point from the
@gitlab/web-ide
. We shouldn't remove them because we'll protect them with Workhorse's authorization rules. - It changes the webpack's configuration to output VSCode files in
gitlab-vscode/stable/[vscode-version]
instead ofgitlab-vscode/[@gitlab/web-ide package version]
. This satisfies some VSCode's URL expectations. - It adds a
web_ide_domain_name
application configuration field to the GitLab rails application. It uses this field to set up CORS rules in the Web IDE, CSP directives, and configure the@gitlab/web-ide
package.
This Merge Request depends on the Web IDE package generated in the following gitlab-org/gitlab-web-ide
Merge Request gitlab-web-ide!372+.
How to set up and validate locally
-
Create a loopback interface to IP
172.16.123.1
-
Follow the instructions to enable nginx and https in your GDK.
-
Create a TLS certificate using the
mkcert
tool for the wildcard domain:*.172.16.123.1.nip.io
. This is the domain that we'll use to host the Web IDE.cd <gdk-dir> && mkcert *.172.16.123.1.nip.io
. -
Replace the default NGINX config that exists in
<gdk-dir>/nginx/conf/nginx.conf
with the following configuration that creates a virtual host that serves HTTP traffic for the wildcard domain*.172.16.123.1.nip.io
.server { listen gdk.test:8080 ssl; server_name *.172.16.123.1.nip.io; ssl_certificate /Users/enriquealcantara/gitlab/gitlab-development-kit/_wildcard.172.16.123.1.nip.io.pem; ssl_certificate_key /Users/enriquealcantara/gitlab/gitlab-development-kit/_wildcard.172.16.123.1.nip.io-key.pem; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_http_version 1.1; proxy_read_timeout 300; location / { proxy_pass https://gitlab-workhorse; } }
-
Add the property
.172.16.123.1.nip.io:8080
to thegitlab/config/gitlab.yml
file, for example:production: &base # # 1. GitLab app settings # ========================== ## GitLab settings gitlab: ## Web server settings (note: host is the FQDN, do not include http://) host: gdk.test port: 3443 https: true web_ide_domain_name: ".172.16.123.1.nip.io:8080"
-
Run the following command
cd workhorse && make
. -
Restart the gdk:
gdk restart
. -
Open the Web IDE in the GDK as usual. The Web IDE static assets will be served from the domain
*.172.16.123.1.nip.io;