Theia cannot reach the API server with both TLS and proxy enabled
See original GitHub issueDescribe the bug
When both TLS and http proxy are enabled, it seems that Theia cannot reach the Che server API endpoint by its external URL.
This becomes critical now that TLS is enabled by default to have webviews working.
This might be related to this Axios bug: https://github.com/axios/axios/issues/925#issuecomment-574617787
Che version
- latest
- nightly
- other: please specify
Steps to reproduce
- Configure a Che server installation with a proxy and without TLS: Che-theia workspace should be able to start correctly (with webview problems though)
- Configure a Che server installation with a proxy and with TLS: You should see some errors in the Che-theia logs and Che-theia would be able to fetch the workspace definition from the Che API server
Expected behavior
http proxy configuration should work even when TLS is enabled (which is the default case now)
Runtime
- kubernetes (include output of
kubectl version
) - Openshift (include output of
oc version
) - minikube (include output of
minikube version
andkubectl version
) - minishift (include output of
minishift version
andoc version
) - docker-desktop + K8S (include output of
docker version
andkubectl version
) - other: (please specify)
Installation method
- chectl
- che-operator
- minishift-addon
- I don’t know
Environment
- my computer
- Windows
- Linux
- macOS
- Cloud
- Amazon
- Azure
- GCE
- other (please specify)
- other: please specify
Eclipse Che Logs
Additional context
This might be critical for CRW 2.1 and possibly to include into the 7.9.2 release
Issue Analytics
- State:
- Created 4 years ago
- Comments:10 (9 by maintainers)
Top Results From Across the Web
Chapter 4. Known issues Red Hat OpenShift Dev Spaces 3.0
On IBM Z and IBM Power, the debugging features cannot be activated in the Go workspace in OpenShift Dev Spaces 3.0. Delve, the...
Read more >How To Set Up the Eclipse Theia Cloud IDE Platform on ...
Step 1 — Deploying nginx-proxy with Let's Encrypt. In this section, you'll deploy nginx-proxy and its Let's Encrypt add-on using Docker Compose ...
Read more >Build HTTPS API Proxies | MuleSoft Documentation
API Manager 2.x enables you to use the secrets stored in your secret group to build an HTTPS-based API for your CloudHub or...
Read more >Gitpod Changelog - Latest releases and product updates
For example, you will be able to get more powerful workspaces to run larger Java projects and IntelliJ. So since we needed somewhere...
Read more >Network Flow Visibility in Antrea
To enable the Flow Exporter feature at the Antrea Agent, the following ... podLabels: false # apiServer contains APIServer related configuration options.
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
After a bunch of tests done with the
axios
library inside theche-theia
container of aChe
workspace running in a disconnected environment behind a proxy*, here is the current analysis of the problem: The error was coming from the fact thataxios
implementation ofhttps
requests through ahttp
proxy is limited. In particular, it seems it doesn’t correctly use the CONNECT method that allows tunneling ahttps
request inside ahttp
proxy. A consequence of this is that the underlying socket connection opened to finally reach the target endpoint is not a ssl socket. This finally results in an error from the Proxy, especially with self-signed certificates.The good news of this is that Axios is configurable / customizable enough, so that, when a https request needs a http proxy, we should be able to override the request config to change the
httpsAgent
and use one created by thetunnel
module.I already tested the
tunnel
module solution and was able to reach the Che API server through the proxy even with TLS and self-signed certificates.I’ll further propose a PR to include this into the existing
che-workspae-client
package.Hi, I have started che 7.17.0 and I have the same matter when deploy it with tls and use enterprise proxy. All start right on kubernetes, and my browser access to teiga, but all is blank and nothing work.
How I can mitigate this ?
Best Regards