Self-Hosting Remote VSCode with Cloudflare Tunnel and Authentik SSO

These articles are AI-generated summaries. Please check the original sources for full details.

code-server by Coder provides a full VS Code experience in any modern browser, including iPads, via a containerized environment. By utilizing Cloudflare Tunnels and Authentik SSO, developers can eliminate the friction of per-device SSH keys while maintaining a secure, outbound-only network configuration.

Why This Matters

Remote development often forces a trade-off between accessibility and security, typically requiring complex VPNs or risky open ports. This architecture demonstrates how to implement a zero-trust model using an Authentik forward auth chain that checks every request against an SSO outpost before it reaches the IDE. As a result, a service exposed through the tunnel stays inaccessible to unauthenticated users, which closes off common attack vectors against self-hosted infrastructure.

Key Insights

  • Cloudflare Tunnel enables outbound-only connectivity, removing the need for open ports on the router and terminating TLS at the edge.
  • Nginx Proxy Manager enforces security by using the auth_request module to check every incoming request against an Authentik outpost.
  • Changes to environment variables take effect only after 'docker compose up -d', which recreates the container; 'docker restart' does not re-read an updated .env file.
  • code-server utilizes the Open VSX Registry, which excludes certain Microsoft-proprietary extensions like GitHub Copilot Chat and Pylance.
  • Claude Code can be authenticated in a headless container by extracting OAuth tokens (sk-ant-oat) from the local system keychain to avoid API-based billing.

Working Examples

Docker Compose configuration for deploying code-server with persistent volumes and environment variables.

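services:
  code-server:
    image: lscr.io/linuxserver/code-server:latest
    container_name: code-server
    environment:
      # UID/GID the container process runs as (should own the mounted volumes)
      - PUID=501
      - PGID=20
      - TZ=America/Chicago
      # Substituted by Compose from the environment or .env file;
      # the same secret is reused for the IDE login and for sudo
      - PASSWORD=${CODE_SERVER_PASSWORD}
      - SUDO_PASSWORD=${CODE_SERVER_PASSWORD}
      - DEFAULT_WORKSPACE=/config/workspace
    volumes:
      # Persistent configuration and project files
      - /your/config:/config
      - /your/projects:/config/workspace/Projects
    ports:
      # host:container; published on all host interfaces, so requests sent
      # straight to port 8484 do not pass through the proxy's SSO check
      - 8484:8443
    restart: unless-stopped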

Nginx Proxy Manager configuration for implementing Authentik forward authentication.

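# Authorize every request with a subrequest to the Authentik outpost
auth_request /outpost.goauthentik.io/auth/nginx;
# A 401 from the outpost is turned into a redirect to the sign-in flow
error_page 401 = @goauthentik_proxy_signin;
# Hand the outpost's session cookie back to the browser
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;

# Outpost endpoints (auth check and sign-in flow) are proxied to Authentik
location /outpost.goauthentik.io {
    proxy_pass http://your-server-ip:9010/outpost.goauthentik.io;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

# Internal target for the 401 handler; rd carries the originally requested URL
location @goauthentik_proxy_signin {
    internal;
    return 302 /outpost.goauthentik.io/start?rd=https://$http_host$request_uri;
}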
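
A check one could run against the finished setup, as an added example that is not part of the original article: it classifies how the proxy answers a request carrying no session cookie, based on the 302 to /outpost.goauthentik.io/start configured above, and also flags the Force SSL redirect loop described under Practical Applications. The hostname ide.example.com, the function names and the verdict strings are assumptions made for illustration.

```python
"""Added example: classify the answer to a cookie-less request to the proxied host."""
import http.client
import sys
from urllib.parse import parse_qs, urlsplit

OUTPOST_START = "/outpost.goauthentik.io/start"  # sign-in path from the config above
REDIRECTS = (301, 302, 303, 307, 308)


def classify(url, status, location=None):
    """Verdict for an unauthenticated GET of `url` given its status and Location."""
    req = urlsplit(url)
    if 200 <= status < 300:
        return "EXPOSED: content served without SSO"
    if status in REDIRECTS and location:
        loc = urlsplit(location)
        host = loc.netloc or req.netloc  # a relative Location stays on the same host
        if host == req.netloc and loc.path == OUTPOST_START:
            rd = parse_qs(loc.query).get("rd", [""])[0]
            if urlsplit(rd).netloc == req.netloc:
                return "OK: redirected to Authentik sign-in"
            return "CHECK: rd points at a different host"
        if (host, loc.path or "/") == (req.netloc, req.path or "/"):
            return "LOOP: redirected to the URL just requested (Force SSL pitfall)"
        return "CHECK: redirect does not go through the outpost"
    if status in (401, 403):
        return "OK: denied, but no sign-in redirect"
    if status >= 500:
        return "ERROR: auth subrequest or upstream failed, nothing served"
    return "CHECK: unexpected status %d" % status


def probe(url, timeout=10):
    """Send one GET with no cookies, do not follow redirects, classify the answer."""
    u = urlsplit(url)
    conn = http.client.HTTPSConnection(u.netloc, timeout=timeout)
    try:
        conn.request("GET", u.path or "/", headers={"User-Agent": "fwdauth-check"})
        resp = conn.getresponse()
        return classify(url, resp.status, resp.getheader("Location"))
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python fwdauth_check.py https://ide.example.com/  (placeholder hostname)
    for target in sys.argv[1:]:
        print(target, "->", probe(target))
```

Running it from a network outside the LAN exercises the same path an outside visitor takes through the tunnel.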

Practical Applications

  • iPad Development: Use code-server to run a full Linux-based VS Code environment on mobile hardware. Pitfall: Enabling ‘Force SSL’ in Nginx Proxy Manager while behind Cloudflare creates an infinite redirect loop.
  • Secure AI Orchestration: Integrate Claude Code with the Portainer API using scoped tokens for container management. Pitfall: Mounting the Docker socket directly into the container allows for potential host escape; use API-based access for better security.
