coder
diff --git a/‎Makefile
Lines changed: 2 additions & 1 deletion b/‎Makefile
Lines changed: 2 additions & 1 deletion
diff --git a/‎agent/agent.go
Lines changed: 12 additions & 12 deletions b/‎agent/agent.go
Lines changed: 12 additions & 12 deletions
diff --git a/‎cli/exp_scaletest.go
Lines changed: 2 additions & 9 deletions b/‎cli/exp_scaletest.go
Lines changed: 2 additions & 9 deletions
diff --git a/‎cli/testdata/coder_server_--help.golden
Lines changed: 4 additions & 0 deletions b/‎cli/testdata/coder_server_--help.golden
Lines changed: 4 additions & 0 deletions
diff --git a/‎cli/testdata/server-config.yaml.golden
Lines changed: 4 additions & 0 deletions b/‎cli/testdata/server-config.yaml.golden
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 6 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 6 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/tailnet.go
Lines changed: 44 additions & 7 deletions b/‎coderd/tailnet.go
Lines changed: 44 additions & 7 deletions
diff --git a/‎coderd/tailnet_test.go
Lines changed: 9 additions & 8 deletions b/‎coderd/tailnet_test.go
Lines changed: 9 additions & 8 deletions
diff --git a/‎coderd/userauth.go
Lines changed: 1 addition & 0 deletions b/‎coderd/userauth.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/workspaceapps/appurl/appurl.go
Lines changed: 50 additions & 0 deletions b/‎coderd/workspaceapps/appurl/appurl.go
Lines changed: 50 additions & 0 deletions
@@ -200,7 +200,8 @@ endef
 # calling this manually.
 $(CODER_ALL_BINARIES): go.mod go.sum \
 	$(GO_SRC_FILES) \
-	$(shell find ./examples/templates)
+	$(shell find ./examples/templates) \
+	site/static/error.html
 
 	$(get-mode-os-arch-ext)
 	if [[ "$$os" != "windows" ]] && [[ "$$ext" != "" ]]; then
 
@@ -240,10 +240,11 @@ type agent struct {
 	sshServer                    *agentssh.Server
 	sshMaxTimeout                time.Duration
 
-	lifecycleUpdate   chan struct{}
-	lifecycleReported chan codersdk.WorkspaceAgentLifecycle
-	lifecycleMu       sync.RWMutex // Protects following.
-	lifecycleStates   []agentsdk.PostLifecycleRequest
+	lifecycleUpdate            chan struct{}
+	lifecycleReported          chan codersdk.WorkspaceAgentLifecycle
+	lifecycleMu                sync.RWMutex // Protects following.
+	lifecycleStates            []agentsdk.PostLifecycleRequest
+	lifecycleLastReportedIndex int // Keeps track of the last lifecycle state we successfully reported.
 
 	network       *tailnet.Conn
 	addresses     []netip.Prefix
@@ -625,7 +626,6 @@ func (a *agent) reportMetadata(ctx context.Context, conn drpc.Conn) error {
 // changes are reported in order.
 func (a *agent) reportLifecycle(ctx context.Context, conn drpc.Conn) error {
 	aAPI := proto.NewDRPCAgentClient(conn)
-	lastReportedIndex := 0 // Start off with the created state without reporting it.
 	for {
 		select {
 		case <-a.lifecycleUpdate:
@@ -636,20 +636,20 @@ func (a *agent) reportLifecycle(ctx context.Context, conn drpc.Conn) error {
 		for {
 			a.lifecycleMu.RLock()
 			lastIndex := len(a.lifecycleStates) - 1
-			report := a.lifecycleStates[lastReportedIndex]
-			if len(a.lifecycleStates) > lastReportedIndex+1 {
-				report = a.lifecycleStates[lastReportedIndex+1]
+			report := a.lifecycleStates[a.lifecycleLastReportedIndex]
+			if len(a.lifecycleStates) > a.lifecycleLastReportedIndex+1 {
+				report = a.lifecycleStates[a.lifecycleLastReportedIndex+1]
 			}
 			a.lifecycleMu.RUnlock()
 
-			if lastIndex == lastReportedIndex {
+			if lastIndex == a.lifecycleLastReportedIndex {
 				break
 			}
 			l, err := agentsdk.ProtoFromLifecycle(report)
 			if err != nil {
 				a.logger.Critical(ctx, "failed to convert lifecycle state", slog.F("report", report))
 				// Skip this report; there is no point retrying.  Maybe we can successfully convert the next one?
-				lastReportedIndex++
+				a.lifecycleLastReportedIndex++
 				continue
 			}
 			payload := &proto.UpdateLifecycleRequest{Lifecycle: l}
@@ -662,13 +662,13 @@ func (a *agent) reportLifecycle(ctx context.Context, conn drpc.Conn) error {
 			}
 
 			logger.Debug(ctx, "successfully reported lifecycle state")
-			lastReportedIndex++
+			a.lifecycleLastReportedIndex++
 			select {
 			case a.lifecycleReported <- report.State:
 			case <-a.lifecycleReported:
 				a.lifecycleReported <- report.State
 			}
-			if lastReportedIndex < lastIndex {
+			if a.lifecycleLastReportedIndex < lastIndex {
 				// Keep reporting until we've sent all messages, we can't
 				// rely on the channel triggering us before the backlog is
 				// consumed.
 
@@ -14,7 +14,6 @@ import (
 	"strconv"
 	"strings"
 	"sync"
-	"syscall"
 	"time"
 
 	"github.com/google/uuid"
@@ -245,14 +244,8 @@ func (o *scaleTestOutput) write(res harness.Results, stdout io.Writer) error {
 
 	// Sync the file to disk if it's a file.
 	if s, ok := w.(interface{ Sync() error }); ok {
-		err := s.Sync()
-		// On Linux, EINVAL is returned when calling fsync on /dev/stdout. We
-		// can safely ignore this error.
-		// On macOS, ENOTTY is returned when calling sync on /dev/stdout. We
-		// can safely ignore this error.
-		if err != nil && !xerrors.Is(err, syscall.EINVAL) && !xerrors.Is(err, syscall.ENOTTY) {
-			return xerrors.Errorf("flush output file: %w", err)
-		}
+		// Best effort. If we get an error from syncing, just ignore it.
+		_ = s.Sync()
 	}
 
 	if c != nil {
 
@@ -60,6 +60,10 @@ OPTIONS:
       --support-links struct[[]codersdk.LinkConfig], $CODER_SUPPORT_LINKS
           Support links to display in the top right drop down menu.
 
+      --terms-of-service-url string, $CODER_TERMS_OF_SERVICE_URL
+          A URL to an external Terms of Service that must be accepted by users
+          when logging in.
+
       --update-check bool, $CODER_UPDATE_CHECK (default: false)
           Periodically check for new releases of Coder and inform the owner. The
           check is performed once per day.
 
@@ -414,6 +414,10 @@ inMemoryDatabase: false
 # Type of auth to use when connecting to postgres.
 # (default: password, type: enum[password\|awsiamrds])
 pgAuth: password
+# A URL to an external Terms of Service that must be accepted by users when
+# logging in.
+# (default: <unset>, type: string)
+termsOfServiceURL: ""
 # The algorithm to use for generating ssh keys. Accepted values are "ed25519",
 # "ecdsa", or "rsa4096".
 # (default: ed25519, type: string)
 
@@ -4,11 +4,14 @@ import (
 	"bufio"
 	"context"
 	"crypto/tls"
+	"errors"
+	"fmt"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/netip"
 	"net/url"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -23,6 +26,7 @@ import (
 	"cdr.dev/slog"
 	"github.com/coder/coder/v2/coderd/tracing"
 	"github.com/coder/coder/v2/coderd/workspaceapps"
+	"github.com/coder/coder/v2/coderd/workspaceapps/appurl"
 	"github.com/coder/coder/v2/codersdk/workspacesdk"
 	"github.com/coder/coder/v2/site"
 	"github.com/coder/coder/v2/tailnet"
@@ -341,7 +345,7 @@ type ServerTailnet struct {
 	totalConns    *prometheus.CounterVec
 }
 
-func (s *ServerTailnet) ReverseProxy(targetURL, dashboardURL *url.URL, agentID uuid.UUID) *httputil.ReverseProxy {
+func (s *ServerTailnet) ReverseProxy(targetURL, dashboardURL *url.URL, agentID uuid.UUID, app appurl.ApplicationURL, wildcardHostname string) *httputil.ReverseProxy {
 	// Rewrite the targetURL's Host to point to the agent's IP. This is
 	// necessary because due to TCP connection caching, each agent needs to be
 	// addressed invidivually. Otherwise, all connections get dialed as
@@ -351,13 +355,46 @@ func (s *ServerTailnet) ReverseProxy(targetURL, dashboardURL *url.URL, agentID u
 	tgt.Host = net.JoinHostPort(tailnet.IPFromUUID(agentID).String(), port)
 
 	proxy := httputil.NewSingleHostReverseProxy(&tgt)
-	proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
+	proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, theErr error) {
+		var (
+			desc                 = "Failed to proxy request to application: " + theErr.Error()
+			additionalInfo       = ""
+			additionalButtonLink = ""
+			additionalButtonText = ""
+		)
+
+		var tlsError tls.RecordHeaderError
+		if (errors.As(theErr, &tlsError) && tlsError.Msg == "first record does not look like a TLS handshake") ||
+			errors.Is(theErr, http.ErrSchemeMismatch) {
+			// If the error is due to an HTTP/HTTPS mismatch, we can provide a
+			// more helpful error message with redirect buttons.
+			switchURL := url.URL{
+				Scheme: dashboardURL.Scheme,
+			}
+			_, protocol, isPort := app.PortInfo()
+			if isPort {
+				targetProtocol := "https"
+				if protocol == "https" {
+					targetProtocol = "http"
+				}
+				app = app.ChangePortProtocol(targetProtocol)
+
+				switchURL.Host = fmt.Sprintf("%s%s", app.String(), strings.TrimPrefix(wildcardHostname, "*"))
+				additionalButtonLink = switchURL.String()
+				additionalButtonText = fmt.Sprintf("Switch to %s", strings.ToUpper(targetProtocol))
+				additionalInfo += fmt.Sprintf("This error seems to be due to an app protocol mismatch, try switching to %s.", strings.ToUpper(targetProtocol))
+			}
+		}
+
 		site.RenderStaticErrorPage(w, r, site.ErrorPageData{
-			Status:       http.StatusBadGateway,
-			Title:        "Bad Gateway",
-			Description:  "Failed to proxy request to application: " + err.Error(),
-			RetryEnabled: true,
-			DashboardURL: dashboardURL.String(),
+			Status:               http.StatusBadGateway,
+			Title:                "Bad Gateway",
+			Description:          desc,
+			RetryEnabled:         true,
+			DashboardURL:         dashboardURL.String(),
+			AdditionalInfo:       additionalInfo,
+			AdditionalButtonLink: additionalButtonLink,
+			AdditionalButtonText: additionalButtonText,
 		})
 	}
 	proxy.Director = s.director(agentID, proxy.Director)
 
@@ -26,6 +26,7 @@ import (
 	"github.com/coder/coder/v2/agent/agenttest"
 	"github.com/coder/coder/v2/agent/proto"
 	"github.com/coder/coder/v2/coderd"
+	"github.com/coder/coder/v2/coderd/workspaceapps/appurl"
 	"github.com/coder/coder/v2/codersdk/agentsdk"
 	"github.com/coder/coder/v2/codersdk/workspacesdk"
 	"github.com/coder/coder/v2/tailnet"
@@ -81,7 +82,7 @@ func TestServerTailnet_ReverseProxy_ProxyEnv(t *testing.T) {
 	u, err := url.Parse(fmt.Sprintf("http://127.0.0.1:%d", workspacesdk.AgentHTTPAPIServerPort))
 	require.NoError(t, err)
 
-	rp := serverTailnet.ReverseProxy(u, u, a.id)
+	rp := serverTailnet.ReverseProxy(u, u, a.id, appurl.ApplicationURL{}, "")
 
 	rw := httptest.NewRecorder()
 	req := httptest.NewRequest(
@@ -112,7 +113,7 @@ func TestServerTailnet_ReverseProxy(t *testing.T) {
 		u, err := url.Parse(fmt.Sprintf("http://127.0.0.1:%d", workspacesdk.AgentHTTPAPIServerPort))
 		require.NoError(t, err)
 
-		rp := serverTailnet.ReverseProxy(u, u, a.id)
+		rp := serverTailnet.ReverseProxy(u, u, a.id, appurl.ApplicationURL{}, "")
 
 		rw := httptest.NewRecorder()
 		req := httptest.NewRequest(
@@ -143,7 +144,7 @@ func TestServerTailnet_ReverseProxy(t *testing.T) {
 		u, err := url.Parse(fmt.Sprintf("http://127.0.0.1:%d", workspacesdk.AgentHTTPAPIServerPort))
 		require.NoError(t, err)
 
-		rp := serverTailnet.ReverseProxy(u, u, a.id)
+		rp := serverTailnet.ReverseProxy(u, u, a.id, appurl.ApplicationURL{}, "")
 
 		rw := httptest.NewRecorder()
 		req := httptest.NewRequest(
@@ -177,7 +178,7 @@ func TestServerTailnet_ReverseProxy(t *testing.T) {
 		u, err := url.Parse(fmt.Sprintf("http://127.0.0.1:%d", workspacesdk.AgentHTTPAPIServerPort))
 		require.NoError(t, err)
 
-		rp := serverTailnet.ReverseProxy(u, u, a.id)
+		rp := serverTailnet.ReverseProxy(u, u, a.id, appurl.ApplicationURL{}, "")
 
 		req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
 		require.NoError(t, err)
@@ -222,7 +223,7 @@ func TestServerTailnet_ReverseProxy(t *testing.T) {
 		u, err := url.Parse("http://127.0.0.1" + port)
 		require.NoError(t, err)
 
-		rp := serverTailnet.ReverseProxy(u, u, a.id)
+		rp := serverTailnet.ReverseProxy(u, u, a.id, appurl.ApplicationURL{}, "")
 
 		for i := 0; i < 5; i++ {
 			rw := httptest.NewRecorder()
@@ -279,7 +280,7 @@ func TestServerTailnet_ReverseProxy(t *testing.T) {
 		require.NoError(t, err)
 
 		for i, ag := range agents {
-			rp := serverTailnet.ReverseProxy(u, u, ag.id)
+			rp := serverTailnet.ReverseProxy(u, u, ag.id, appurl.ApplicationURL{}, "")
 
 			rw := httptest.NewRecorder()
 			req := httptest.NewRequest(
@@ -317,7 +318,7 @@ func TestServerTailnet_ReverseProxy(t *testing.T) {
 		uri, err := url.Parse(s.URL)
 		require.NoError(t, err)
 
-		rp := serverTailnet.ReverseProxy(uri, uri, a.id)
+		rp := serverTailnet.ReverseProxy(uri, uri, a.id, appurl.ApplicationURL{}, "")
 
 		rw := httptest.NewRecorder()
 		req := httptest.NewRequest(
@@ -347,7 +348,7 @@ func TestServerTailnet_ReverseProxy(t *testing.T) {
 		u, err := url.Parse(fmt.Sprintf("http://127.0.0.1:%d", workspacesdk.AgentHTTPAPIServerPort))
 		require.NoError(t, err)
 
-		rp := serverTailnet.ReverseProxy(u, u, a.id)
+		rp := serverTailnet.ReverseProxy(u, u, a.id, appurl.ApplicationURL{}, "")
 
 		rw := httptest.NewRecorder()
 		req := httptest.NewRequest(
 
@@ -472,6 +472,7 @@ func (api *API) userAuthMethods(rw http.ResponseWriter, r *http.Request) {
 	}
 
 	httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.AuthMethods{
+		TermsOfServiceURL: api.DeploymentValues.TermsOfServiceURL.Value(),
 		Password: codersdk.AuthMethod{
 			Enabled: !api.DeploymentValues.DisablePasswordAuth.Value(),
 		},
 
@@ -5,6 +5,7 @@ import (
 	"net"
 	"net/url"
 	"regexp"
+	"strconv"
 	"strings"
 
 	"golang.org/x/xerrors"
@@ -83,6 +84,55 @@ func (a ApplicationURL) Path() string {
 	return fmt.Sprintf("/@%s/%s.%s/apps/%s", a.Username, a.WorkspaceName, a.AgentName, a.AppSlugOrPort)
 }
 
+// PortInfo returns the port, protocol, and whether the AppSlugOrPort is a port or not.
+func (a ApplicationURL) PortInfo() (uint, string, bool) {
+	var (
+		port     uint64
+		protocol string
+		isPort   bool
+		err      error
+	)
+
+	if strings.HasSuffix(a.AppSlugOrPort, "s") {
+		trimmed := strings.TrimSuffix(a.AppSlugOrPort, "s")
+		port, err = strconv.ParseUint(trimmed, 10, 16)
+		if err == nil {
+			protocol = "https"
+			isPort = true
+		}
+	} else {
+		port, err = strconv.ParseUint(a.AppSlugOrPort, 10, 16)
+		if err == nil {
+			protocol = "http"
+			isPort = true
+		}
+	}
+
+	return uint(port), protocol, isPort
+}
+
+func (a *ApplicationURL) ChangePortProtocol(target string) ApplicationURL {
+	newAppURL := *a
+	port, protocol, isPort := a.PortInfo()
+	if !isPort {
+		return newAppURL
+	}
+
+	if target == protocol {
+		return newAppURL
+	}
+
+	if target == "https" {
+		newAppURL.AppSlugOrPort = fmt.Sprintf("%ds", port)
+	}
+
+	if target == "http" {
+		newAppURL.AppSlugOrPort = fmt.Sprintf("%d", port)
+	}
+
+	return newAppURL
+}
+
 // ParseSubdomainAppURL parses an ApplicationURL from the given subdomain. If
 // the subdomain is not a valid application URL hostname, returns a non-nil
 // error. If the hostname is not a subdomain of the given base hostname, returns
Original file line number	Diff line number	Diff line change
`@@ -472,6 +472,7 @@ func (api API) userAuthMethods(rw http.ResponseWriter, r http.Request) {`
`472`	`472`	`}`
`473`	`473`
`474`	`474`	`httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.AuthMethods{`
	`475`	`+ TermsOfServiceURL: api.DeploymentValues.TermsOfServiceURL.Value(),`
`475`	`476`	`Password: codersdk.AuthMethod{`
`476`	`477`	`Enabled: !api.DeploymentValues.DisablePasswordAuth.Value(),`
`477`	`478`	`},`