Re: [che-dev] How invisible to make the single host gateway?


On 22/06/2020 21:53, Lukas Krejci wrote:
<snip>
Both of the above problems have a semi-standard solution - the gateways are
able to submit the X-Forwarded-For header which can be taken into account
by the backend applications when composing the cookie and location paths.

This, on the other hand, is yet another rather heavy requirement on the
applications running inside workspaces.

How are these issues handled when you're running behind a regular reverse proxy? Are they handled by the proxy or do apps have to handle it?


Now to the bullet point 3) - can this all be solved by just running the user
applications on separate subdomains even in single-host mode?

IMHO, the answer is no because of the usability concerns. If the whole point
of single-host mode is to reduce the number of routes and, more importantly,
not require wildcard certificate for Che, we should not come up with a
solution that still requires a potentially unbound number of both. We could
try to for example expand on the already existing limit of the concurrently
running workspaces and also introduce limits for the max number of routes per
user (with the admin somehow supplying Che with a set of certificates to be
used with each such route), but IMHO that is a bit of a cumbersome solution.

Would a policy of having a route per namespace (and therefore user) help with this? We would have to generate a certificate when provisioning the namespace, but after that the self-signed certs would be limited: one per user and one for Che server.


But it all depends on what kind of restrictions we are willing to impose on
the users running the single-host mode.

Thanks,

Lukas
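
The proxy-side handling asked about above, as an added example that is not part of the original thread or of Che's code: a gateway rewrites `Location` and `Set-Cookie` `Path` on responses from an app mounted under a path prefix, so the app itself needs no changes. The prefix, backend address, function names and sample headers are constructed assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

def _prefixed(path, prefix):
    """Prepend the gateway prefix to an absolute path, at most once."""
    prefix = "/" + prefix.strip("/")
    if path == prefix or path.startswith(prefix + "/"):
        return path  # already under the prefix
    return prefix + (path if path.startswith("/") else "/" + path)

def rewrite_location(value, prefix, backend_host):
    """Keep redirects issued by the backend under the gateway prefix."""
    parts = urlsplit(value)
    if parts.netloc and parts.netloc != backend_host:
        return value  # redirect to another site: leave untouched
    if not parts.netloc and not parts.path.startswith("/"):
        return value  # path-relative redirect already resolves under the prefix
    # Drop the backend scheme/host so the browser stays on the gateway origin.
    return urlunsplit(("", "", _prefixed(parts.path, prefix), parts.query, parts.fragment))

def rewrite_set_cookie(value, prefix):
    """Re-scope an explicit cookie Path to the app's prefix."""
    attrs = [a.strip() for a in value.split(";")]
    out = [attrs[0]]
    for attr in attrs[1:]:
        name, _, val = attr.partition("=")
        if name.strip().lower() == "path":
            attr = "Path=" + _prefixed(val.strip() or "/", prefix)
        out.append(attr)
    # No Path attribute: the browser defaults to the request path,
    # which already lies under the prefix, so nothing is added.
    return "; ".join(out)

def rewrite_response_headers(headers, prefix, backend_host):
    """headers: list of (name, value) pairs as returned by the backend app."""
    result = []
    for name, value in headers:
        if name.lower() == "location":
            value = rewrite_location(value, prefix, backend_host)
        elif name.lower() == "set-cookie":
            value = rewrite_set_cookie(value, prefix)
        result.append((name, value))
    return result

if __name__ == "__main__":
    # Constructed sample response from an app that believes it runs at "/".
    sample = [("Location", "http://10.0.0.5:8080/login?next=%2F"),
              ("Set-Cookie", "sid=abc; Path=/; HttpOnly")]
    for header in rewrite_response_headers(sample, "/ws1/app", "10.0.0.5:8080"):
        print(header)
```
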

