
POC: Host Web IDE on separate domain from the GitLab application

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/464082+

What does this MR do and why?

NOTICE This MR is a proof of concept, and it shouldn't be merged.

It implements a minimal number of changes required to explore the idea of serving the Web IDE from a separate domain name instead of the GitLab instance domain name. Read the investigation issue's description to understand the reasons that motivate this change. This Merge Request comprises the following changes:

  1. It implements a middleware in Workhorse with authorization rules to access Web IDE's VSCode assets. The rules can be summarized:
    1. If the Web IDE doesn't have a dedicated domain name, deny access to vulnerable static assets that were exploited in the vulnerability #463408 (closed).
    2. If the Web IDE has a dedicated domain name:
      1. Allow access to VSCode assets when the HTTP Request's Host header contains the Web IDE domain name.
      2. Deny access to all the other resources served by Workhorse when the HTTP Request's Host header contains the Web IDE domain name.
      3. Conversely, deny access to VSCode assets when the HTTP Request's Host header contains the GitLab instance domain name.
      4. Allow access to all the other resources when the HTTP Request's Host header contains the GitLab instance domain name.
  2. It removes the patch file that removes the vulnerable assets mentioned in the previous point from the @gitlab/web-ide package. We shouldn't remove them because we'll protect them with Workhorse's authorization rules.
  3. It changes the webpack configuration to output VSCode files in gitlab-vscode/stable/[vscode-version] instead of gitlab-vscode/[@gitlab/web-ide package version]. This satisfies some of VSCode's URL expectations.
  4. It adds a web_ide_domain_name application configuration field to the GitLab rails application. It uses this field to set up CORS rules in the Web IDE, CSP directives, and configure the @gitlab/web-ide package.

This Merge Request depends on the Web IDE package generated in the following gitlab-org/gitlab-web-ide Merge Request gitlab-web-ide!372+.

How to set up and validate locally

  1. Create a loopback interface to IP 172.16.123.1.

  2. Follow the instructions to enable nginx and https in your GDK.

  3. Create a TLS certificate using the mkcert tool for the wildcard domain: *.172.16.123.1.nip.io. This is the domain that we'll use to host the Web IDE.

    cd <gdk-dir> && mkcert "*.172.16.123.1.nip.io"

  4. Replace the default NGINX config that exists in <gdk-dir>/nginx/conf/nginx.conf with the following configuration that creates a virtual host that serves HTTP traffic for the wildcard domain *.172.16.123.1.nip.io.

     server {
         listen gdk.test:8080 ssl;
         server_name *.172.16.123.1.nip.io;
    
         ssl_certificate /Users/enriquealcantara/gitlab/gitlab-development-kit/_wildcard.172.16.123.1.nip.io.pem;
         ssl_certificate_key /Users/enriquealcantara/gitlab/gitlab-development-kit/_wildcard.172.16.123.1.nip.io-key.pem;
    
         proxy_set_header    Host                $http_host;
         proxy_set_header    X-Real-IP           $remote_addr;
         proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
         proxy_set_header    X-Forwarded-Proto   $scheme;
         proxy_set_header    Upgrade             $http_upgrade;
         proxy_set_header    Connection          $connection_upgrade;
    
         proxy_http_version 1.1;
         proxy_read_timeout 300;
    
         location / {
             proxy_pass https://gitlab-workhorse;
         }
     }

  5. Add the web_ide_domain_name property, set to .172.16.123.1.nip.io:8080, to the gitlab/config/gitlab.yml file, for example:

    production: &base
      #
      # 1. GitLab app settings
      # ==========================
    
      ## GitLab settings
      gitlab:
        ## Web server settings (note: host is the FQDN, do not include http://)
        host: gdk.test
        port: 3443
        https: true
    
        web_ide_domain_name: ".172.16.123.1.nip.io:8080"

  6. Run the following command: cd workhorse && make

  7. Restart the GDK: gdk restart

  8. Open the Web IDE in the GDK as usual. The Web IDE static assets will be served from the domain *.172.16.123.1.nip.io.

Edited by Enrique Alcántara
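
The Workhorse authorization rules from item 1 of the description, sketched in Go as an added example (not code from this MR or from Workhorse). The type and field names, the asset URL prefix, the 403 response and the placeholder asset suffix are assumptions; any host that does not end in the Web IDE domain is treated as the GitLab instance host.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Policy: all names are illustrative assumptions, not Workhorse identifiers.
type Policy struct {
	WebIDEDomain     string   // web_ide_domain_name; "" means no dedicated domain
	VSCodePrefix     string   // URL prefix of the VSCode assets (assumed)
	VulnerableAssets []string // placeholder suffixes; the page names no files
}

// Allowed applies the rules to one Host header / URL path pair.
func (p Policy) Allowed(host, path string) bool {
	isVSCode := strings.HasPrefix(path, p.VSCodePrefix)
	if p.WebIDEDomain == "" {
		// Rule 1: without a dedicated domain only the vulnerable assets are denied.
		for _, v := range p.VulnerableAssets {
			if isVSCode && strings.HasSuffix(path, v) {
				return false
			}
		}
		return true
	}
	// Suffix match rather than substring, so a host that merely embeds the
	// Web IDE domain (e.g. "<domain>.other.example") is not treated as it.
	onIDEHost := strings.HasSuffix(strings.ToLower(host), strings.ToLower(p.WebIDEDomain))
	// Rule 2: VSCode assets only on the Web IDE host; all else only on the GitLab host.
	return onIDEHost == isVSCode
}

// Middleware rejects denied requests with 403 (status code is an assumption).
func (p Policy) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !p.Allowed(r.Host, r.URL.Path) {
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	p := Policy{WebIDEDomain: ".172.16.123.1.nip.io:8080", VSCodePrefix: "/assets/webpack/gitlab-vscode/"}
	fmt.Println(p.Allowed("gdk.test:3443", "/assets/webpack/gitlab-vscode/stable/x/a.js")) // constructed request
}
```

The policy compares the request's Host header with a suffix match, so the leading dot in web_ide_domain_name acts as the wildcard boundary for *.172.16.123.1.nip.io.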
