The Proxy is a critical component in Gitpod that serves as the main entry point for all HTTP and WebSocket traffic to the platform. It routes requests to the appropriate backend services, handles TLS termination, enforces security policies, and provides various routing and transformation capabilities for the Gitpod platform.
The primary purposes of the Proxy component are:
- Act as the main ingress point for all Gitpod traffic
- Route requests to appropriate backend services
- Terminate TLS connections
- Enforce security headers and policies
- Handle workspace-specific routing
- Provide WebSocket support
- Implement cross-origin resource sharing (CORS) policies
- Support custom domain routing
- Provide health checks and metrics endpoints
The Proxy is built on Caddy, a powerful, extensible web server with automatic HTTPS capabilities. The Gitpod proxy extends Caddy with custom plugins to handle specific Gitpod requirements:
- Core Proxy: Handles general routing and TLS termination
- Workspace Handler: Routes workspace-specific requests
- Custom Plugins: Extend Caddy with Gitpod-specific functionality
- Security Layer: Enforces security headers and policies
- Metrics Endpoint: Provides monitoring capabilities
The main files in the proxy component are:
- Dockerfile: Builds the proxy container with Caddy and custom plugins
- conf/Caddyfile: Main configuration file for the proxy
- conf/workspace-handler.full: Configuration for handling workspace requests
- conf/workspace-handler.meta: Configuration for handling workspace metadata
- plugins/: Custom Caddy plugins for Gitpod-specific functionality
The proxy includes several custom Caddy plugins to extend its functionality:
- corsorigin: Handles Cross-Origin Resource Sharing (CORS) policies
- secwebsocketkey: Validates WebSocket connections
- workspacedownload: Manages workspace content downloads
- headlesslogdownload: Handles headless log downloads
- configcat: Integrates with ConfigCat feature flags
- analytics: Provides analytics functionality
- logif: Conditional logging
- jsonselect: JSON selection for logs
- sshtunnel: SSH tunneling support
- frontend_dev: Development mode for frontend
The proxy is configured via the Caddyfile, which includes:
- TLS settings
- Security headers
- Routing rules for the main Gitpod domain
  - API endpoints
  - Backend service routing
- Routing for workspace-specific domains
  - Port forwarding
  - WebSocket handling
  - IDE-specific routing
- HTTP to HTTPS redirection
- Security headers
- CORS policies
- WebSocket validation
The proxy implements sophisticated routing logic:
- Main Domain Routing: Routes requests to the main Gitpod domain to appropriate backend services
- Workspace Routing: Routes workspace requests based on subdomain patterns
- API Routing: Routes API requests to the server component
- Public API Routing: Routes public API requests to the public-api-server
- Static Content: Routes static content requests to appropriate services
- WebSocket Routing: Handles WebSocket connections for real-time communication
Workspace routing is particularly complex, handling several patterns:
- Standard Workspace: `<workspace-id>.ws.<region>.<domain>`
- Port Forwarding: `<port>-<workspace-id>.ws.<region>.<domain>`
- Debug Workspace: `debug-<workspace-id>.ws.<region>.<domain>`
- Foreign Content: Special routes for VS Code webviews and webworkers
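The three hostname patterns above are easy to get wrong in a host matcher: a port-forwarding host and a standard host differ only in a numeric prefix, and a host that merely contains the Gitpod domain must not be routed as a workspace. The following Go program is an added example, not Gitpod's workspace-handler code, that classifies a Host header into standard, port-forwarding or debug routes and rejects everything else. The base domain `gitpod.example.com`, the region label `eu01` and the workspace ID character set are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// WorkspaceRoute is the result of classifying a workspace hostname.
type WorkspaceRoute struct {
	Kind        string // "standard", "port" or "debug"
	WorkspaceID string
	Port        int // set only when Kind == "port"
	Region      string
}

// Workspace IDs are assumed here to be lowercase alphanumerics and hyphens;
// the real ID format is not given on this page.
var workspaceIDRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]*[a-z0-9])?$`)

// A port-forwarding prefix is <port>-<workspace-id>. It is matched before the
// standard pattern, mirroring the precedence a host matcher needs.
var portPrefixRe = regexp.MustCompile(`^(\d{1,5})-(.+)$`)

// ParseWorkspaceHost classifies a Host header value against the three
// workspace patterns. baseDomain is the installation's domain (assumed, e.g.
// "gitpod.example.com"). Anything that does not match exactly is rejected so
// it cannot fall through to a default upstream.
func ParseWorkspaceHost(host, baseDomain string) (WorkspaceRoute, error) {
	// Drop an explicit port ("Host: x.example.com:443") and normalise case.
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.ToLower(host)
	suffix := "." + strings.ToLower(baseDomain)
	if !strings.HasSuffix(host, suffix) {
		return WorkspaceRoute{}, errors.New("host is not under the base domain")
	}
	// The remaining labels must be exactly <prefix>.ws.<region>.
	labels := strings.Split(strings.TrimSuffix(host, suffix), ".")
	if len(labels) != 3 || labels[1] != "ws" || labels[2] == "" {
		return WorkspaceRoute{}, errors.New("host does not match <x>.ws.<region>.<domain>")
	}
	prefix, region := labels[0], labels[2]
	r := WorkspaceRoute{Region: region}
	switch {
	case strings.HasPrefix(prefix, "debug-"):
		r.Kind, r.WorkspaceID = "debug", strings.TrimPrefix(prefix, "debug-")
	case portPrefixRe.MatchString(prefix):
		m := portPrefixRe.FindStringSubmatch(prefix)
		port, _ := strconv.Atoi(m[1]) // \d{1,5} guarantees Atoi succeeds
		if port < 1 || port > 65535 {
			return WorkspaceRoute{}, fmt.Errorf("port %d out of range", port)
		}
		r.Kind, r.Port, r.WorkspaceID = "port", port, m[2]
	default:
		r.Kind, r.WorkspaceID = "standard", prefix
	}
	if !workspaceIDRe.MatchString(r.WorkspaceID) {
		return WorkspaceRoute{}, fmt.Errorf("invalid workspace id %q", r.WorkspaceID)
	}
	return r, nil
}

func main() {
	// Constructed sample hosts; the last one is a look-alike that must be rejected.
	for _, h := range []string{
		"abcd-1234.ws.eu01.gitpod.example.com",
		"8080-abcd-1234.ws.eu01.gitpod.example.com:443",
		"debug-abcd-1234.ws.eu01.gitpod.example.com",
		"abcd-1234.ws.eu01.gitpod.example.com.attacker.example",
	} {
		r, err := ParseWorkspaceHost(h, "gitpod.example.com")
		fmt.Printf("%-55s -> %+v %v\n", h, r, err)
	}
}
```

The suffix check anchors on the full base domain, so a host such as `abcd.ws.eu01.gitpod.example.com.attacker.example` is rejected rather than partially matched, and the port range check keeps a five-digit prefix like `70000-` from being forwarded to a non-existent port.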
The proxy implements several security measures:
- TLS termination with secure configuration
- HTTP Strict Transport Security (HSTS)
- Content Security Policy (CSP)
- Cross-Origin Resource Sharing (CORS) policies
- XSS protection
- Referrer policy
- WebSocket validation
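The Caddyfile section above lists security headers, HTTP to HTTPS redirection and WebSocket validation, and this section names the headers involved. The Go program below is an added example, not Gitpod's Caddyfile or its secwebsocketkey plugin, that shows what those checks amount to at the HTTP layer: a middleware that redirects plain HTTP to HTTPS on the same host and sets HSTS, CSP, nosniff, XSS-protection and referrer headers, and a handshake validator that enforces the RFC 6455 rules for Sec-WebSocket-Key (base64 of exactly 16 bytes) and derives the Sec-WebSocket-Accept value. The header values and the host `gitpod.example.com` are assumptions; the sample key is the one from RFC 6455.

```go
package main

import (
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// SecurityHeaders lists the response headers the proxy adds on every reply.
// The values are assumptions chosen for this example; the page does not
// reproduce the exact directives from Gitpod's Caddyfile.
func SecurityHeaders() map[string]string {
	return map[string]string{
		"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
		"Content-Security-Policy":   "frame-ancestors 'self'",
		"X-Content-Type-Options":    "nosniff",
		"X-XSS-Protection":          "1; mode=block",
		"Referrer-Policy":           "no-referrer",
	}
}

// WithSecurityHeaders redirects plain HTTP to HTTPS on the same host and sets
// the headers above before handing the request to the next handler. It trusts
// X-Forwarded-Proto only because a TLS-terminating hop in front sets it.
func WithSecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil && r.Header.Get("X-Forwarded-Proto") != "https" {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		for k, v := range SecurityHeaders() {
			w.Header().Set(k, v)
		}
		next.ServeHTTP(w, r)
	})
}

// wsGUID is the constant from RFC 6455 used to derive Sec-WebSocket-Accept.
const wsGUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

// ValidSecWebSocketKey reports whether key is the base64 encoding of exactly
// 16 bytes, as RFC 6455 section 4.1 requires.
func ValidSecWebSocketKey(key string) bool {
	raw, err := base64.StdEncoding.DecodeString(key)
	return err == nil && len(raw) == 16 && len(key) == 24
}

// AcceptKey derives the Sec-WebSocket-Accept value: base64(SHA-1(key + GUID)).
func AcceptKey(key string) string {
	sum := sha1.Sum([]byte(key + wsGUID))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ValidateUpgrade checks that r is a well-formed WebSocket handshake and
// returns the accept value to send back, or an error that the proxy should
// turn into a 400 instead of forwarding the request upstream.
func ValidateUpgrade(r *http.Request) (string, error) {
	if !strings.EqualFold(r.Header.Get("Upgrade"), "websocket") {
		return "", errors.New("missing Upgrade: websocket")
	}
	if !strings.Contains(strings.ToLower(r.Header.Get("Connection")), "upgrade") {
		return "", errors.New("missing Connection: Upgrade")
	}
	if r.Header.Get("Sec-WebSocket-Version") != "13" {
		return "", errors.New("unsupported Sec-WebSocket-Version")
	}
	key := r.Header.Get("Sec-WebSocket-Key")
	if !ValidSecWebSocketKey(key) {
		return "", errors.New("malformed Sec-WebSocket-Key")
	}
	return AcceptKey(key), nil
}

func main() {
	// Constructed handshake using the sample key from RFC 6455.
	req, _ := http.NewRequest("GET", "https://gitpod.example.com/api/ws", nil)
	req.Header.Set("Upgrade", "websocket")
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Sec-WebSocket-Version", "13")
	req.Header.Set("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ==")
	accept, err := ValidateUpgrade(req)
	fmt.Println(accept, err) // s3pPLMBiTxaQ9kYGzzhZRbK+xOo= <nil>
}
```

Rejecting a malformed key at the proxy means a backend never sees a handshake it would have to reject itself, and the redirect keeps the scheme change on the client's own Host rather than on any attacker-supplied target.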
The Proxy is typically used to:
- Route client requests to appropriate backend services
- Provide secure access to workspaces
- Handle WebSocket connections for real-time communication
- Enforce security policies
- Provide health checks and metrics
The Proxy interacts with the following Gitpod components:
- Server: Receives API requests routed through the proxy
- Dashboard: Serves the web UI through the proxy
- WS Proxy: Handles workspace-specific traffic
- IDE Proxy: Manages IDE-specific routing
- Public API Server: Provides public API endpoints