Missing Base-Path Support

[craftxbox]

Hi, I noticed that base-path was removed from the project years ago, this caused some issues in a deployment I did today.
Because of some restrictions, I had to use a reverse proxy chain like this:
WAN -> Nginx -> oauth2-proxy -> code-server
resulting in 404 errors as the root of code-server wasn't accessible due to the base path in place at the Nginx layer, and oauth2-proxy doesn't support rewrites at its layer to remove the base path before forwarding it onto code-server.
Because of the oauth2-proxy layer, I was unable to use rewrites in nginx to fix the request URI for code-server, as then oauth2-proxy would redirect to the wrong pages.
In the end I fixed with the following topology:
WAN -> Nginx -> oauth2-proxy -> Nginx -> code-server

The extra proxy step with Nginx is the only thing I found that could fix this, but it's undesirable because it adds extra complexity and an extra point of failure from a security point of view.
I have secured this second step by denying any non-localhost connections to the second Nginx step, hopefully preventing people from bypassing the oauth2-proxy layer by changing the Host header manually,
But this whole issue could be avoided if there was just an option to change the base route for code-server.

I exhausted every other configuration option and command line argument in nginx, oauth2-proxy, and code-server before writing this. Is this a feasible addition or am I just missing some better way to do this?

[jsjoeio]

Is there a very simple reproduction for this issue? Ideally only using code-server.

[craftxbox]

No, This is likely very specific to needing the two proxy layers, but here's the simplest setup I can think of:

Nginx:

server {
    listen 80;
    location /code-server {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
    }
}

.htpasswd to bypass needing oauth2 credentials from a provider, password here is test
test:$2y$05$seFgHe7g0O1V0CvSWqmSGuntpJhJnKQEshkfS7J2RtHhxsQASiS9O

oauth2-proxy --upstream http://127.0.0.1:8080 --cookie-secret xxxxxxxxxxxxxxxx --client-id x --client-secret x --email-domain * --htpasswd-file .htpasswd --proxy-prefix "/code-server/oauth2"

And code-server running as default. Then you should be able to browse to http://127.0.0.1/code-server and login to oauth2-proxy with the username & password test. At this point, code-server will either give you a 401 Unauthorized, or a "Not found" page, depending likely on if password auth is enabled or not.

An extra rule to strip the path in the Nginx config will fix the issue with code-server, but cause them with the auth-proxy if you haven't yet authenticated with it.
rewrite ^/code-server(.*) /$1 break;

While I can't confirm, this likely is problematic for most setups with an auth proxy in the middle of the stack, not just limited to oauth2-proxy (it's just what I'm using)