Gitpod behind a reverse proxy

Has anyone been successful at running Gitpod behind a reverse proxy? After hammering away I was able to get the Docker version of Gitpod to run without http as I use Traefik in front of all my services. However I run into Mixed Content issues with Chrome and Edge. I’ve tried adding more headers but it seems that Gitpod itself is doing redirects in http form whereas the content is served as https thanks to Traefik. Any insight or help here would be awesome.

My docker-compose.yml file looks like:

version: '3'
services:
  gitpod:
    image: eu.gcr.io/gitpod-core-dev/build/gitpod-k3s:0.7.0
    privileged: true 
    environment:
      - DOMAIN=gitpod.caballero.dev
    expose:
      - 80 
    volumes:
      - "$PWD/values:/values"
      - "$PWD/docker:/var/gitpod/docker"
      - "$PWD/minio:/var/gitpod/minio"
      - "$PWD/mysql:/var/gitpod/mysql"
      - "$PWD/workspaces:/var/gitpod/workspaces"
    networks:
      - frontend
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.gitpod.rule=HostRegexp(`gitpod.caballero.dev`, `{subhost:[a-zA-Z0-9-]+}.gitpod.caballero.dev`, `{subhost:[a-zA-Z0-9-]+}.ws.gitpod.caballero.dev`)"
      - "traefik.http.services.gitpod.loadbalancer.server.port=80"

networks:
  frontend:
    external: true

My values.yaml:

hostname: gitpod.caballero.dev

authProviders:
  - description: ''
    host: gitlab.caballero.dev
    icon: ''
    id: Internal-GitLab
    oauth:
      callBackUrl: 'https://gitpod.caballero.dev/auth/gitlab.caballero.dev/callback'
      clientId: XXXXXX
      clientSecret: XXXXXX
      settingsUrl: 'https://gitlab.caballero.dev/profile/applications'
    type: GitLab

certificatesSecret:
  secretName: null 

components:
  imageBuilder:
    registryCerts: []
    registry:
      name: r.caballero.cloud
      path: '' 
      secretName: image-builder-registry-secret
  workspace:
    pullSecret:
      secretName: image-builder-registry-secret
  
docker-registry:
  enabled: false

minio:
  accessKey: 'XXXXXX'
  secretKey: 'XXXXXX'

Hi @enriquecaballero and welcome to the Gitpod community!

Today, I found some time to have a deeper look at your request. Sorry that it took so long.

Having Gitpod behind a reverse proxy isn’t very well supported (as far as I know). However, I’ve tried the following and it worked pretty well:

I deployed Gitpod with an HTTPS cert. You can use a Let’s Encrypt cert (I used humenius/traefik-certs-dumper to export the certs from traefik) or you can generate self-signed certificates. Since it’s behind the traefik proxy it doesn’t matter.

For Gitpod, I used these labels:

- traefik.http.routers.gitpod.rule=HostRegexp(`gitpod.example.com`, `{subdomain:.+}.gitpod.example.com`)
- traefik.http.routers.gitpod.tls=true
- traefik.http.routers.gitpod.tls.certresolver=yourcertresolver
- traefik.http.routers.gitpod.tls.domains[0].sans=gitpod.example.com
- traefik.http.routers.gitpod.tls.domains[1].sans=*.gitpod.example.com
- traefik.http.routers.gitpod.tls.domains[2].sans=*.ws.gitpod.example.com
- traefik.http.services.gitpod.loadbalancer.server.port=443
- traefik.http.services.gitpod.loadbalancer.server.scheme=https

With this, Gitpod is accessed via HTTPS, not HTTP. However, you need traefik to allow insecure HTTPS certs for the backend because the Gitpod cert is not issued for the IP (if you use self-signed certs you can add your root CA instead). I added this to my traefik.yaml file:

serversTransport:
  insecureSkipVerify: true

Please let me know if this works for you as well and feel free to ping me if you have any questions or when something is unclear.

Cornelius

Hi @corneliusludmann! Thank you for taking a look. The only issue I’m running into with the certs dumper is that it only dumps out a .crt and .key. It looks like Gitpod wants chain.pem, fullchain.pem, and privkey.pem. Did you feed Gitpod the .crt and .key files? Or did you do anything extra on the output files? I guess it’s my limited knowledge of SSL certs in general that’s hurting me here.

I was able to get it running with certs dumped from Traefik, however I had to split the files up to match what Gitpod expects (as per https://github.com/gitpod-io/gitpod/blob/9ae4251f6069437346591d2aa635d36069056654/install/docker/gitpod-image/entrypoint.sh#L81). I do plan on setting up self-signed certs that practically never expire so it just works with the proxy. Again, @corneliusludmann, thank you for taking a look.

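The file split described in the last post, as an added example that is not part of the original thread or of Gitpod's own code: it turns a dumped .crt/.key pair into chain.pem, fullchain.pem and privkey.pem. It assumes the dumped .crt holds the leaf certificate first with the intermediates after it; the function names and the site.crt/site.key file names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the Gitpod project).
# Assumption: the dumped .crt holds the leaf certificate first, followed by
# the intermediate CA certificates.

# split_dumped_cert CRT KEY OUTDIR   (hypothetical helper name)
# Writes fullchain.pem, chain.pem and privkey.pem into OUTDIR and prints the
# number of intermediate certificates that went into chain.pem.
split_dumped_cert() {
  local crt="$1" key="$2" out="$3" total
  [ -r "$crt" ] && [ -r "$key" ] || { echo "missing input file" >&2; return 1; }

  total=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$crt" || true)
  [ "$total" -ge 1 ] || { echo "no certificate in $crt" >&2; return 1; }
  # Catch swapped arguments: the key file must be a PEM private key.
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" \
    || { echo "$key is not a PEM private key" >&2; return 1; }

  mkdir -p "$out" || return 1
  (
    umask 077   # new files are created readable by the owner only
    # fullchain.pem = leaf + intermediates as dumped (CR line ends stripped)
    tr -d '\r' < "$crt" > "$out/fullchain.pem"
    tr -d '\r' < "$key" > "$out/privkey.pem"
    chmod 600 "$out/privkey.pem"   # also tighten a pre-existing key file
    # chain.pem = every certificate block after the first one (the leaf)
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n >= 2' \
      "$out/fullchain.pem" > "$out/chain.pem"
  ) || return 1

  [ "$total" -gt 1 ] || echo "warning: no intermediates, chain.pem is empty" >&2
  echo "$((total - 1))"
}

# Constructed placeholder PEM blocks (not real certificates) for a dry run.
make_sample_pair() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TEFGQ0VSVA==' \
    '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
    'SU5URVJNRURJQVRF' '-----END CERTIFICATE-----' > "$1/site.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'S0VZ' \
    '-----END PRIVATE KEY-----' > "$1/site.key"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && make_sample_pair "$d" \
    && split_dumped_cert "$d/site.crt" "$d/site.key" "$d/out" && ls -l "$d/out"
fi
```

Run it with `--demo` for a dry run on the placeholder blocks, or source it and call `split_dumped_cert` on the dumper's real output.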