fix: add --block-direct-connections to wsproxies

coadler · coadler · commit e2dd09310978 · 2024-02-15T23:52:47.000Z
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -880,7 +880,8 @@ when required by your organization's security policy.`,
 			Env:   "CODER_BLOCK_DIRECT",
 			Value: &c.DERP.Config.BlockDirect,
 			Group: &deploymentGroupNetworkingDERP,
-			YAML:  "blockDirect",
+			YAML:  "blockDirect", Annotations: clibase.Annotations{}.
+				Mark(annotationExternalProxies, "true"),
 		},
 		{
 			Name:        "DERP Force WebSockets",
diff --git a/enterprise/cli/proxyserver.go b/enterprise/cli/proxyserver.go
@@ -262,6 +262,7 @@ func (r *RootCmd) proxyServer() *clibase.Cmd {
 				AllowAllCors:           cfg.Dangerous.AllowAllCors.Value(),
 				DERPEnabled:            cfg.DERP.Server.Enable.Value(),
 				DERPOnly:               derpOnly.Value(),
+				BlockDirect:            cfg.DERP.Config.BlockDirect.Value(),
 				DERPServerRelayAddress: cfg.DERP.Server.RelayURL.String(),
 			})
 			if err != nil {
diff --git a/enterprise/cli/proxyserver_test.go b/enterprise/cli/proxyserver_test.go
@@ -13,7 +13,7 @@ import (
 	"github.com/coder/coder/v2/pty/ptytest"
 )
 
-func Test_Headers(t *testing.T) {
+func Test_ProxyServer_Headers(t *testing.T) {
 	t.Parallel()
 
 	const (
diff --git a/enterprise/coderd/coderdenttest/proxytest.go b/enterprise/coderd/coderdenttest/proxytest.go
@@ -34,6 +34,7 @@ type ProxyOptions struct {
 	DisablePathApps bool
 	DerpDisabled    bool
 	DerpOnly        bool
+	BlockDirect     bool
 
 	// ProxyURL is optional
 	ProxyURL *url.URL
@@ -140,6 +141,7 @@ func NewWorkspaceProxy(t *testing.T, coderdAPI *coderd.API, owner *codersdk.Clie
 		DERPOnly:               options.DerpOnly,
 		DERPServerRelayAddress: accessURL.String(),
 		StatsCollectorOptions:  statsCollectorOptions,
+		BlockDirect:            options.BlockDirect,
 	})
 	require.NoError(t, err)
 	t.Cleanup(func() {
diff --git a/enterprise/wsproxy/wsproxy.go b/enterprise/wsproxy/wsproxy.go
@@ -75,6 +75,9 @@ type Options struct {
 	// DERPOnly determines whether this proxy only provides DERP and does not
 	// provide access to workspace apps/terminal.
 	DERPOnly bool
+	// BlockDirect controls the servertailnet of the proxy, forcing it from
+	// negotiating direct connections.
+	BlockDirect bool
 
 	ProxySessionToken string
 	// AllowAllCors will set all CORs headers to '*'.
@@ -250,7 +253,7 @@ func New(ctx context.Context, opts *Options) (*Server, error) {
 		},
 		regResp.DERPForceWebSockets,
 		s.DialCoordinator,
-		false, // TODO: this will be covered in a subsequent pr.
+		opts.BlockDirect,
 		s.TracerProvider,
 	)
 	if err != nil {
diff --git a/enterprise/wsproxy/wsproxy_test.go b/enterprise/wsproxy/wsproxy_test.go
@@ -498,3 +498,73 @@ func TestWorkspaceProxyWorkspaceApps(t *testing.T) {
 		}
 	})
 }
+
+func TestWorkspaceProxyWorkspaceApps_BlockDirect(t *testing.T) {
+	t.Parallel()
+
+	apptest.Run(t, false, func(t *testing.T, opts *apptest.DeploymentOptions) *apptest.Deployment {
+		deploymentValues := coderdtest.DeploymentValues(t)
+		deploymentValues.DisablePathApps = clibase.Bool(opts.DisablePathApps)
+		deploymentValues.Dangerous.AllowPathAppSharing = clibase.Bool(opts.DangerousAllowPathAppSharing)
+		deploymentValues.Dangerous.AllowPathAppSiteOwnerAccess = clibase.Bool(opts.DangerousAllowPathAppSiteOwnerAccess)
+		deploymentValues.Experiments = []string{
+			"*",
+		}
+
+		proxyStatsCollectorFlushCh := make(chan chan<- struct{}, 1)
+		flushStats := func() {
+			proxyStatsCollectorFlushDone := make(chan struct{}, 1)
+			proxyStatsCollectorFlushCh <- proxyStatsCollectorFlushDone
+			<-proxyStatsCollectorFlushDone
+		}
+
+		if opts.PrimaryAppHost == "" {
+			opts.PrimaryAppHost = "*.primary.test.coder.com"
+		}
+		client, closer, api, user := coderdenttest.NewWithAPI(t, &coderdenttest.Options{
+			Options: &coderdtest.Options{
+				DeploymentValues:         deploymentValues,
+				AppHostname:              opts.PrimaryAppHost,
+				IncludeProvisionerDaemon: true,
+				RealIPConfig: &httpmw.RealIPConfig{
+					TrustedOrigins: []*net.IPNet{{
+						IP:   net.ParseIP("127.0.0.1"),
+						Mask: net.CIDRMask(8, 32),
+					}},
+					TrustedHeaders: []string{
+						"CF-Connecting-IP",
+					},
+				},
+				WorkspaceAppsStatsCollectorOptions: opts.StatsCollectorOptions,
+			},
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureWorkspaceProxy: 1,
+				},
+			},
+		})
+		t.Cleanup(func() {
+			_ = closer.Close()
+		})
+
+		// Create the external proxy
+		if opts.DisableSubdomainApps {
+			opts.AppHost = ""
+		}
+		proxyAPI := coderdenttest.NewWorkspaceProxy(t, api, client, &coderdenttest.ProxyOptions{
+			Name:            "best-proxy",
+			AppHostname:     opts.AppHost,
+			DisablePathApps: opts.DisablePathApps,
+			FlushStats:      proxyStatsCollectorFlushCh,
+			BlockDirect:     true,
+		})
+
+		return &apptest.Deployment{
+			Options:        opts,
+			SDKClient:      client,
+			FirstUser:      user,
+			PathAppBaseURL: proxyAPI.Options.AccessURL,
+			FlushStats:     flushStats,
+		}
+	})
+}

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ import (`
`13`	`13`	`"github.com/coder/coder/v2/pty/ptytest"`
`14`	`14`	`)`
`15`	`15`
`16`		`-func Test_Headers(t *testing.T) {`
	`16`	`+func Test_ProxyServer_Headers(t *testing.T) {`
`17`	`17`	`t.Parallel()`
`18`	`18`
`19`	`19`	`const (`