Code-server + haproxy websocket error 1006

I run a code-server Docker container on Unraid. I can access its web UI with the local IP without any problem, including its websocket connection.
But if I use code.mydomain.com, I can’t get it to upgrade to a websocket connection.

Run with local IP, websocket works!

Run with domain name, can’t upgrade to websocket

My Haproxy frontend and backend settings are similar to what I set for Headscale.

[Screenshots: HAProxy backend and frontend settings]

If I use Nginx Proxy Manager with websocket support flipped on, it just works!

I need help with what I need to set up correctly for Haproxy. Thanks.

I’ve been meaning to get around to working on this for a little while now, but haven’t yet. The HAProxy project has some really good documentation on the subject here. You’d have to adapt it to pfSense, but it looks like you’d create a separate front end for websockets URLs.

Thanks. I’ve seen the document and have tried everything it said including specifying below in the backend, but it doesn’t work, i.e., haproxy can’t upgrade to websocket:

option http-server-close
timeout tunnel 1h


Sorry that’s not cutting it. I just double-checked my own code server instance and I didn’t do anything special to get it working properly.

In case it helps, I’m using the linuxserver.io openvscode-server docker image.

Thanks. I tried linuxserver.io openvscode-server docker image as you suggested. Running with local IP works properly, but using subdomain vscode.mydomain.com renders service unavailable 503, No server is available to handle this request… It is strange. I set up a vanilla frontend/backend on Haproxy. Vscode subdomain was added to cloudflare DNS as usual.
With linuxserver.io code-server docker, at least I still get the webui display, just with the websocket problem.

Could you share your HAproxy setup?

It looks like I have to withdraw my haproxy advice on this one. I just went to grab the config and couldn’t find it. It turns out when I spun up the openvscode-server, I also did an instance of nginx to serve it. Sorry for the mix up. I know I had an instance at work running through haproxy, but I decommissioned that one a long while ago. I’ll see if I can get it running again when I’m back home for the day and report back.

That’s ok. Let me know when you have a chance to look at it.
Actually, I may not need to expose code-server to internet, just a matter of technical curiosity. It should be a straight-forward setup, but somehow not. I gave it up for now.

Now I reverse proxy most of my local services with HAproxy, for both external and internal access with mydomain.com and home.mydomain.com, respectively. Only a few services are exposed to WAN. If I can’t accomplish it with Haproxy, I’ll reverse proxy it with Nginx Proxy Manager instead, with home.mydomain.com. Nginx proxy is for home.mydomain.com and I can access them anywhere through tailscale+self-hosted headscale.

OK, I just got home and added the vscode instance to my HAProxy. I’ve been messing around a little and so far I haven’t seen any errors.

I stopped using the pfSense HAProxy package a while ago, so you’ll have to do a little translating, but these are the relevant HAProxy config sections.

There’s a frontend that just redirects HTTP to HTTPS:

frontend HTTP
        bind                    10.8.9.16:80 name 10.8.9.16:80   
        mode                    http
        log                     global
        option                  httplog
        option                  http-keep-alive
        option                  forwardfor
        acl https ssl_fc
        http-request set-header         X-Forwarded-Proto http if !https
        http-request set-header         X-Forwarded-Proto https if https
        timeout client          30000
        acl                     example   var(txn.txnhost) -m reg -i  [A-Za-z0-9\.]+\.example\.com
        http-request set-var(txn.txnhost) hdr(host)
        http-request redirect code 301 location https://%[hdr(host)]%[path]  if  example

There’s a front end for HTTPS that’s shared among many subdomains:

frontend HTTPS
        bind                    10.8.9.16:443 name 10.8.9.16:443   ssl crt-list /etc/haproxy/HTTPS.crt_list  
        mode                    http
        log                     global
        option                  httplog
        option                  http-keep-alive
        option                  forwardfor
        acl https ssl_fc
        http-request set-header         X-Forwarded-Proto http if !https
        http-request set-header         X-Forwarded-Proto https if https
        timeout client          30000
        # --- LOTS OF OTHER ACLS --- #
        acl                     coder           var(txn.txnhost) -m str -i coder.example.com

        # --- LOTS OF OTHER ACLS --- #
        acl                     aclcrt_HTTPS    var(txn.txnhost) -m reg -i ^coder\.example\.com(:([0-9]){1,5})?$

        # --- LOTS OF OTHER USE_BACKEND STATEMENTS --- #
        use_backend coder_ipvANY  if  coder aclcrt_HTTPS

And there’s a backend:

backend coder_ipvANY
        mode                    http
        id                      133
        log                     global
        http-check              send meth OPTIONS
        timeout connect         30000
        timeout server          30000
        retries                 3
        load-server-state-from-file     global
        server                  coder 10.8.9.37:32768 id 134 check inter 1000  verify none

Like I said, I haven’t seen any websocket errors, but I’ll play with it a little and see if I come across anything.


Really appreciate you sharing the config. It looks quite similar to my raw config. What Haproxy version are you using? I’m using the latest develop version.

Looks like it’s HAProxy version 2.6.12-1+deb12u1 (just the standard version from the Debian repositories)

Thanks. The stable release on pfSense package store is 2.8.3. I also tried it without success. Continuing the quest :smile:
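
The thread never pins down where the upgrade is lost (the 503 and the failed upgrade are different failures), so here is a handshake probe as an added example; it is not part of the original posts. The function names and result labels are hypothetical, and the websocket path code-server uses is not given in the thread, so it is a parameter.

```python
import base64, hashlib, os, socket, ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed value from RFC 6455

def expected_accept(key):
    """Sec-WebSocket-Accept the server must return for a given Sec-WebSocket-Key."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()

def build_upgrade_request(host, path, key):
    """Minimal RFC 6455 opening handshake, as a browser would send it."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Upgrade: websocket\r\nConnection: Upgrade\r\n"
            f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n").encode()

def classify_response(raw, key):
    """Say where the handshake stopped, from the raw response head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "malformed"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    status = int(parts[1])
    if status == 503:
        return "no-backend"            # proxy had no usable server for this host
    if status != 101:
        return "not-upgraded"          # request was answered as plain HTTP
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if headers.get("upgrade", "").lower() != "websocket" or "upgrade" not in tokens:
        return "bad-upgrade-headers"   # Upgrade/Connection lost on the way back
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return "bad-accept"
    return "upgraded"

def probe(host, port, path="/", tls=True, connect_to=None):
    """Send the handshake; connect_to targets a specific IP while keeping Host."""
    key = base64.b64encode(os.urandom(16)).decode()
    sock = socket.create_connection((connect_to or host, port), timeout=5)
    if tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_upgrade_request(host, path, key))
        return classify_response(sock.recv(4096), key)
```

Running `probe` once against the container's local IP and port (with `tls=False`) and once against the proxied hostname shows whether the proxy returns 101 at all, which separates a routing or health-check problem from a header problem.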