coder
diff --git a/‎agent/agent.go
Lines changed: 12 additions & 9 deletions b/‎agent/agent.go
Lines changed: 12 additions & 9 deletions
diff --git a/‎cli/netcheck_test.go
Lines changed: 1 addition & 1 deletion b/‎cli/netcheck_test.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/testdata/coder_server_--help.golden
Lines changed: 7 additions & 0 deletions b/‎cli/testdata/coder_server_--help.golden
Lines changed: 7 additions & 0 deletions
diff --git a/‎cli/testdata/server-config.yaml.golden
Lines changed: 6 additions & 0 deletions b/‎cli/testdata/server-config.yaml.golden
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 9 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 9 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 9 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 9 additions & 0 deletions
diff --git a/‎coderd/coderd_test.go
Lines changed: 97 additions & 0 deletions b/‎coderd/coderd_test.go
Lines changed: 97 additions & 0 deletions
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 1 addition & 1 deletion b/‎coderd/coderdtest/coderdtest.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/oauthpki/oidcpki.go
Lines changed: 2 additions & 3 deletions b/‎coderd/oauthpki/oidcpki.go
Lines changed: 2 additions & 3 deletions
diff --git a/‎coderd/workspaceagents.go
Lines changed: 3 additions & 0 deletions b/‎coderd/workspaceagents.go
Lines changed: 3 additions & 0 deletions
diff --git a/‎codersdk/agentsdk/agentsdk.go
Lines changed: 1 addition & 0 deletions b/‎codersdk/agentsdk/agentsdk.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎codersdk/deployment.go
Lines changed: 13 additions & 3 deletions b/‎codersdk/deployment.go
Lines changed: 13 additions & 3 deletions
diff --git a/‎codersdk/workspaceagents.go
Lines changed: 7 additions & 5 deletions b/‎codersdk/workspaceagents.go
Lines changed: 7 additions & 5 deletions
@@ -678,7 +678,7 @@ func (a *agent) run(ctx context.Context) error {
 	network := a.network
 	a.closeMutex.Unlock()
 	if network == nil {
-		network, err = a.createTailnet(ctx, manifest.AgentID, manifest.DERPMap, manifest.DisableDirectConnections)
+		network, err = a.createTailnet(ctx, manifest.AgentID, manifest.DERPMap, manifest.DERPForceWebSockets, manifest.DisableDirectConnections)
 		if err != nil {
 			return xerrors.Errorf("create tailnet: %w", err)
 		}
@@ -701,8 +701,10 @@ func (a *agent) run(ctx context.Context) error {
 		if err != nil {
 			a.logger.Error(ctx, "update tailnet addresses", slog.Error(err))
 		}
-		// Update the DERP map and allow/disallow direct connections.
+		// Update the DERP map, force WebSocket setting and allow/disallow
+		// direct connections.
 		network.SetDERPMap(manifest.DERPMap)
+		network.SetDERPForceWebSockets(manifest.DERPForceWebSockets)
 		network.SetBlockEndpoints(manifest.DisableDirectConnections)
 	}
 
@@ -756,14 +758,15 @@ func (a *agent) trackConnGoroutine(fn func()) error {
 	return nil
 }
 
-func (a *agent) createTailnet(ctx context.Context, agentID uuid.UUID, derpMap *tailcfg.DERPMap, disableDirectConnections bool) (_ *tailnet.Conn, err error) {
+func (a *agent) createTailnet(ctx context.Context, agentID uuid.UUID, derpMap *tailcfg.DERPMap, derpForceWebSockets, disableDirectConnections bool) (_ *tailnet.Conn, err error) {
 	network, err := tailnet.NewConn(&tailnet.Options{
-		ID:             agentID,
-		Addresses:      a.wireguardAddresses(agentID),
-		DERPMap:        derpMap,
-		Logger:         a.logger.Named("net.tailnet"),
-		ListenPort:     a.tailnetListenPort,
-		BlockEndpoints: disableDirectConnections,
+		ID:                  agentID,
+		Addresses:           a.wireguardAddresses(agentID),
+		DERPMap:             derpMap,
+		DERPForceWebSockets: derpForceWebSockets,
+		Logger:              a.logger.Named("net.tailnet"),
+		ListenPort:          a.tailnetListenPort,
+		BlockEndpoints:      disableDirectConnections,
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("create tailnet: %w", err)
 
@@ -31,7 +31,7 @@ func TestNetcheck(t *testing.T) {
 	require.NoError(t, json.Unmarshal(b, &report))
 
 	assert.True(t, report.Healthy)
-	require.Len(t, report.Regions, 1+5) // 1 built-in region + 5 STUN regions by default
+	require.Len(t, report.Regions, 1+1) // 1 built-in region + 1 test-managed STUN region
 	for _, v := range report.Regions {
 		require.Len(t, v.NodeReports, len(v.Region.Nodes))
 	}
 
@@ -172,6 +172,13 @@ backed by Tailscale and WireGuard.
           URL to fetch a DERP mapping on startup. See:
           https://tailscale.com/kb/1118/custom-derp-servers/.
 
+      --derp-force-websockets bool, $CODER_DERP_FORCE_WEBSOCKETS
+          Force clients and agents to always use WebSocket to connect to DERP
+          relay servers. By default, DERP uses `Upgrade: derp`, which may cause
+          issues with some reverse proxies. Clients may automatically fallback
+          to WebSocket if they detect an issue with `Upgrade: derp`, but this
+          does not work in all situations.
+
       --derp-server-enable bool, $CODER_DERP_SERVER_ENABLE (default: true)
           Whether to enable or disable the embedded DERP relay server.
 
 
@@ -136,6 +136,12 @@ networking:
     # this change has been made, but new connections will still be proxied regardless.
     # (default: <unset>, type: bool)
     blockDirect: false
+    # Force clients and agents to always use WebSocket to connect to DERP relay
+    # servers. By default, DERP uses `Upgrade: derp`, which may cause issues with some
+    # reverse proxies. Clients may automatically fallback to WebSocket if they detect
+    # an issue with `Upgrade: derp`, but this does not work in all situations.
+    # (default: <unset>, type: bool)
+    forceWebSockets: false
     # URL to fetch a DERP mapping on startup. See:
     # https://tailscale.com/kb/1118/custom-derp-servers/.
     # (default: <unset>, type: string)
 
@@ -6,9 +6,13 @@ import (
 	"net/http"
 	"net/netip"
 	"strconv"
+	"strings"
 	"sync"
+	"sync/atomic"
 	"testing"
 
+	"github.com/davecgh/go-spew/spew"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/goleak"
@@ -17,8 +21,13 @@ import (
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/slogtest"
 
+	"github.com/coder/coder/v2/agent"
 	"github.com/coder/coder/v2/buildinfo"
+	"github.com/coder/coder/v2/coderd"
 	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/codersdk/agentsdk"
+	"github.com/coder/coder/v2/provisioner/echo"
 	"github.com/coder/coder/v2/tailnet"
 	"github.com/coder/coder/v2/testutil"
 )
@@ -115,6 +124,94 @@ func TestDERP(t *testing.T) {
 	w2.Close()
 }
 
+func TestDERPForceWebSockets(t *testing.T) {
+	t.Parallel()
+
+	dv := coderdtest.DeploymentValues(t)
+	dv.DERP.Config.ForceWebSockets = true
+	dv.DERP.Config.BlockDirect = true // to ensure the test always uses DERP
+
+	// Manually create a server so we can influence the HTTP handler.
+	options := &coderdtest.Options{
+		DeploymentValues:         dv,
+		IncludeProvisionerDaemon: true,
+	}
+	setHandler, cancelFunc, serverURL, newOptions := coderdtest.NewOptions(t, options)
+	coderAPI := coderd.New(newOptions)
+	t.Cleanup(func() {
+		cancelFunc()
+		_ = coderAPI.Close()
+	})
+
+	// Set the HTTP handler to a custom one that ensures all /derp calls are
+	// WebSockets and not `Upgrade: derp`.
+	var upgradeCount int64
+	setHandler(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		if strings.HasPrefix(r.URL.Path, "/derp") {
+			up := r.Header.Get("Upgrade")
+			if up != "" && up != "websocket" {
+				t.Errorf("expected Upgrade: websocket, got %q", up)
+			} else {
+				atomic.AddInt64(&upgradeCount, 1)
+			}
+		}
+
+		coderAPI.RootHandler.ServeHTTP(rw, r)
+	}))
+
+	// Start a provisioner daemon.
+	if options.IncludeProvisionerDaemon {
+		provisionerCloser := coderdtest.NewProvisionerDaemon(t, coderAPI)
+		t.Cleanup(func() {
+			_ = provisionerCloser.Close()
+		})
+	}
+
+	client := codersdk.New(serverURL)
+	t.Cleanup(func() {
+		client.HTTPClient.CloseIdleConnections()
+	})
+	user := coderdtest.CreateFirstUser(t, client)
+
+	gen, err := client.WorkspaceAgentConnectionInfoGeneric(context.Background())
+	require.NoError(t, err)
+	t.Log(spew.Sdump(gen))
+
+	authToken := uuid.NewString()
+	version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+		Parse:          echo.ParseComplete,
+		ProvisionPlan:  echo.ProvisionComplete,
+		ProvisionApply: echo.ProvisionApplyWithAgent(authToken),
+	})
+	template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+	coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+	workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+	coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+	agentClient := agentsdk.New(client.URL)
+	agentClient.SetSessionToken(authToken)
+	agentCloser := agent.New(agent.Options{
+		Client: agentClient,
+		Logger: slogtest.Make(t, nil).Named("agent").Leveled(slog.LevelDebug),
+	})
+	defer func() {
+		_ = agentCloser.Close()
+	}()
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+
+	resources := coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+	conn, err := client.DialWorkspaceAgent(ctx, resources[0].Agents[0].ID, nil)
+	require.NoError(t, err)
+	defer func() {
+		_ = conn.Close()
+	}()
+	conn.AwaitReachable(ctx)
+
+	require.GreaterOrEqual(t, atomic.LoadInt64(&upgradeCount), int64(1), "expected at least one /derp call")
+}
+
 func TestDERPLatencyCheck(t *testing.T) {
 	t.Parallel()
 	client := coderdtest.New(t, nil)
 
@@ -326,7 +326,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 		stunAddresses   []string
 		dvStunAddresses = options.DeploymentValues.DERP.Server.STUNAddresses.Value()
 	)
-	if len(dvStunAddresses) == 0 || (len(dvStunAddresses) == 1 && dvStunAddresses[0] == "stun.l.google.com:19302") {
+	if len(dvStunAddresses) == 0 || dvStunAddresses[0] == "stun.l.google.com:19302" {
 		stunAddr, stunCleanup := stuntest.ServeWithPacketListener(t, nettype.Std{})
 		stunAddr.IP = net.ParseIP("127.0.0.1")
 		t.Cleanup(stunCleanup)
 
@@ -8,7 +8,6 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
-	"fmt"
 	"io"
 	"net/http"
 	"net/url"
@@ -243,7 +242,7 @@ func (src *jwtTokenSource) Token() (*oauth2.Token, error) {
 	}
 
 	if unmarshalError != nil {
-		return nil, fmt.Errorf("oauth2: cannot unmarshal token: %w", err)
+		return nil, xerrors.Errorf("oauth2: cannot unmarshal token: %w", err)
 	}
 
 	newToken := &oauth2.Token{
@@ -264,7 +263,7 @@ func (src *jwtTokenSource) Token() (*oauth2.Token, error) {
 		// decode returned id token to get expiry
 		claimSet, err := jws.Decode(v)
 		if err != nil {
-			return nil, fmt.Errorf("oauth2: error decoding JWT token: %w", err)
+			return nil, xerrors.Errorf("oauth2: error decoding JWT token: %w", err)
 		}
 		newToken.Expiry = time.Unix(claimSet.Exp, 0)
 	}
 
@@ -167,6 +167,7 @@ func (api *API) workspaceAgentManifest(rw http.ResponseWriter, r *http.Request)
 		AgentID:                  apiAgent.ID,
 		Apps:                     convertApps(dbApps),
 		DERPMap:                  api.DERPMap(),
+		DERPForceWebSockets:      api.DeploymentValues.DERP.Config.ForceWebSockets.Value(),
 		GitAuthConfigs:           len(api.GitAuthConfigs),
 		EnvironmentVariables:     apiAgent.EnvironmentVariables,
 		StartupScript:            apiAgent.StartupScript,
@@ -831,6 +832,7 @@ func (api *API) workspaceAgentConnection(rw http.ResponseWriter, r *http.Request
 
 	httpapi.Write(ctx, rw, http.StatusOK, codersdk.WorkspaceAgentConnectionInfo{
 		DERPMap:                  api.DERPMap(),
+		DERPForceWebSockets:      api.DeploymentValues.DERP.Config.ForceWebSockets.Value(),
 		DisableDirectConnections: api.DeploymentValues.DERP.Config.BlockDirect.Value(),
 	})
 }
@@ -851,6 +853,7 @@ func (api *API) workspaceAgentConnectionGeneric(rw http.ResponseWriter, r *http.
 
 	httpapi.Write(ctx, rw, http.StatusOK, codersdk.WorkspaceAgentConnectionInfo{
 		DERPMap:                  api.DERPMap(),
+		DERPForceWebSockets:      api.DeploymentValues.DERP.Config.ForceWebSockets.Value(),
 		DisableDirectConnections: api.DeploymentValues.DERP.Config.BlockDirect.Value(),
 	})
 }
 
@@ -89,6 +89,7 @@ type Manifest struct {
 	VSCodePortProxyURI       string                                       `json:"vscode_port_proxy_uri"`
 	Apps                     []codersdk.WorkspaceApp                      `json:"apps"`
 	DERPMap                  *tailcfg.DERPMap                             `json:"derpmap"`
+	DERPForceWebSockets      bool                                         `json:"derp_force_websockets"`
 	EnvironmentVariables     map[string]string                            `json:"environment_variables"`
 	StartupScript            string                                       `json:"startup_script"`
 	StartupScriptTimeout     time.Duration                                `json:"startup_script_timeout"`
 
@@ -228,9 +228,10 @@ type DERPServerConfig struct {
 }
 
 type DERPConfig struct {
-	BlockDirect clibase.Bool   `json:"block_direct" typescript:",notnull"`
-	URL         clibase.String `json:"url" typescript:",notnull"`
-	Path        clibase.String `json:"path" typescript:",notnull"`
+	BlockDirect     clibase.Bool   `json:"block_direct" typescript:",notnull"`
+	ForceWebSockets clibase.Bool   `json:"force_websockets" typescript:",notnull"`
+	URL             clibase.String `json:"url" typescript:",notnull"`
+	Path            clibase.String `json:"path" typescript:",notnull"`
 }
 
 type PrometheusConfig struct {
@@ -796,6 +797,15 @@ when required by your organization's security policy.`,
 			Group: &deploymentGroupNetworkingDERP,
 			YAML:  "blockDirect",
 		},
+		{
+			Name:        "DERP Force WebSockets",
+			Description: "Force clients and agents to always use WebSocket to connect to DERP relay servers. By default, DERP uses `Upgrade: derp`, which may cause issues with some reverse proxies. Clients may automatically fallback to WebSocket if they detect an issue with `Upgrade: derp`, but this does not work in all situations.",
+			Flag:        "derp-force-websockets",
+			Env:         "CODER_DERP_FORCE_WEBSOCKETS",
+			Value:       &c.DERP.Config.ForceWebSockets,
+			Group:       &deploymentGroupNetworkingDERP,
+			YAML:        "forceWebSockets",
+		},
 		{
 			Name:        "DERP Config URL",
 			Description: "URL to fetch a DERP mapping on startup. See: https://tailscale.com/kb/1118/custom-derp-servers/.",
 
@@ -186,6 +186,7 @@ type DERPRegion struct {
 // @typescript-ignore WorkspaceAgentConnectionInfo
 type WorkspaceAgentConnectionInfo struct {
 	DERPMap                  *tailcfg.DERPMap `json:"derp_map"`
+	DERPForceWebSockets      bool             `json:"derp_force_websockets"`
 	DisableDirectConnections bool             `json:"disable_direct_connections"`
 }
 
@@ -247,11 +248,12 @@ func (c *Client) DialWorkspaceAgent(ctx context.Context, agentID uuid.UUID, opti
 		header = headerTransport.Header()
 	}
 	conn, err := tailnet.NewConn(&tailnet.Options{
-		Addresses:      []netip.Prefix{netip.PrefixFrom(ip, 128)},
-		DERPMap:        connInfo.DERPMap,
-		DERPHeader:     &header,
-		Logger:         options.Logger,
-		BlockEndpoints: c.DisableDirectConnections || options.BlockEndpoints,
+		Addresses:           []netip.Prefix{netip.PrefixFrom(ip, 128)},
+		DERPMap:             connInfo.DERPMap,
+		DERPHeader:          &header,
+		DERPForceWebSockets: connInfo.DERPForceWebSockets,
+		Logger:              options.Logger,
+		BlockEndpoints:      c.DisableDirectConnections || options.BlockEndpoints,
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("create tailnet: %w", err)
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ func TestNetcheck(t *testing.T) {`
`31`	`31`	`require.NoError(t, json.Unmarshal(b, &report))`
`32`	`32`
`33`	`33`	`assert.True(t, report.Healthy)`
`34`		`- require.Len(t, report.Regions, 1+5) // 1 built-in region + 5 STUN regions by default`
	`34`	`+ require.Len(t, report.Regions, 1+1) // 1 built-in region + 1 test-managed STUN region`
`35`	`35`	`for _, v := range report.Regions {`
`36`	`36`	`require.Len(t, v.NodeReports, len(v.Region.Nodes))`
`37`	`37`	`}`
Original file line number	Diff line number	Diff line change
`@@ -326,7 +326,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can`
`326`	`326`	`stunAddresses []string`
`327`	`327`	`dvStunAddresses = options.DeploymentValues.DERP.Server.STUNAddresses.Value()`
`328`	`328`	`)`
`329`		`- if len(dvStunAddresses) == 0 \|\| (len(dvStunAddresses) == 1 && dvStunAddresses[0] == "stun.l.google.com:19302") {`
	`329`	`+ if len(dvStunAddresses) == 0 \|\| dvStunAddresses[0] == "stun.l.google.com:19302" {`
`330`	`330`	`stunAddr, stunCleanup := stuntest.ServeWithPacketListener(t, nettype.Std{})`
`331`	`331`	`stunAddr.IP = net.ParseIP("127.0.0.1")`
`332`	`332`	`t.Cleanup(stunCleanup)`
Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,6 @@ import (`
`8`	`8`	`"encoding/base64"`
`9`	`9`	`"encoding/json"`
`10`	`10`	`"encoding/pem"`
`11`		`- "fmt"`
`12`	`11`	`"io"`
`13`	`12`	`"net/http"`
`14`	`13`	`"net/url"`
`@@ -243,7 +242,7 @@ func (src jwtTokenSource) Token() (oauth2.Token, error) {`
`243`	`242`	`}`
`244`	`243`
`245`	`244`	`if unmarshalError != nil {`
`246`		`- return nil, fmt.Errorf("oauth2: cannot unmarshal token: %w", err)`
	`245`	`+ return nil, xerrors.Errorf("oauth2: cannot unmarshal token: %w", err)`
`247`	`246`	`}`
`248`	`247`
`249`	`248`	`newToken := &oauth2.Token{`
`@@ -264,7 +263,7 @@ func (src jwtTokenSource) Token() (oauth2.Token, error) {`
`264`	`263`	`// decode returned id token to get expiry`
`265`	`264`	`claimSet, err := jws.Decode(v)`
`266`	`265`	`if err != nil {`
`267`		`- return nil, fmt.Errorf("oauth2: error decoding JWT token: %w", err)`
	`266`	`+ return nil, xerrors.Errorf("oauth2: error decoding JWT token: %w", err)`
`268`	`267`	`}`
`269`	`268`	`newToken.Expiry = time.Unix(claimSet.Exp, 0)`
`270`	`269`	`}`