Closed
Description
Right now we have the --address flag which sets the listen address for Coder. I propose we add a new flag --https-address (CODER_HTTPS_ADDRESS) and change the behavior of coderd to the following:

If neither flag is set or ONLY --address is set, and TLS certs ARE NOT specified:
- Listen on HTTP at --address (or default)

If neither flag is set or ONLY --address is set, and TLS certs are specified:
- Listen on HTTPS only at --address (or default)

If --https-address is set and --address is NOT:
- Require that TLS certs are set or fatally exit
- Listen on HTTPS only at --https-address

If BOTH --https-address and --address are set:
- Require that TLS certs are set or fatally exit
- Listen on HTTPS at --https-address
- Listen on HTTP at --address

I believe this will be backwards compatible by keeping the same behavior around --address on its own, while only introducing the new behavior when --https-address is specified.
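
The decision table proposed in the description, written out as a Go function. This is an added example, not code from the issue or from the Coder code base; `ResolveListeners`, `Listener`, `ErrTLSRequired` and the `<default>` placeholder are hypothetical names, and the sample addresses are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Listener is one socket coderd would open under the proposed rules.
type Listener struct {
	Scheme string // "http" or "https"
	Addr   string
}

// defaultAddr is a placeholder: the issue only says "(or default)".
const defaultAddr = "<default>"

// ErrTLSRequired models the "fatally exit" cases of the proposal.
var ErrTLSRequired = errors.New("--https-address is set but no TLS certs were provided")

// ResolveListeners is a hypothetical helper. An empty string means the flag
// was not set; tlsCerts reports whether TLS certs were specified.
func ResolveListeners(address, httpsAddress string, tlsCerts bool) ([]Listener, error) {
	if httpsAddress == "" {
		// Existing behaviour: one listener whose scheme follows the certs,
		// so plain HTTP is never served once certs are configured.
		scheme, addr := "http", address
		if tlsCerts {
			scheme = "https"
		}
		if addr == "" {
			addr = defaultAddr
		}
		return []Listener{{Scheme: scheme, Addr: addr}}, nil
	}
	if !tlsCerts {
		// Fail closed rather than fall back to HTTP on the HTTPS address.
		return nil, ErrTLSRequired
	}
	listeners := []Listener{{Scheme: "https", Addr: httpsAddress}}
	if address != "" {
		listeners = append(listeners, Listener{Scheme: "http", Addr: address})
	}
	return listeners, nil
}

func main() {
	// Constructed sample addresses, not taken from the issue.
	fmt.Println(ResolveListeners("0.0.0.0:3000", "0.0.0.0:3443", true))
	fmt.Println(ResolveListeners("", "0.0.0.0:3443", false))
}
```
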
Activity
kylecarbs commented on Jul 22, 2022
What's the motivation for having both? It'd be nicer to have one, but if customers need both we'll obvs do it.
deansheather commented on Jul 22, 2022
Well, if we don't support having two listen addresses then coder won't be very useful unless it's behind a reverse proxy that can serve both HTTP and HTTPS or redirect from HTTP to HTTPS. And at that point, there's no point using coder's inbuilt HTTPS support because you could just do it from your reverse proxy...
deansheather commented on Jul 22, 2022
After we add this flag I'd like to add a flag to redirect from HTTP to HTTPS, which means coder could be used entirely without a reverse proxy and behave sensibly.
ketang commented on Jul 22, 2022
Is there a situation where a customer would want to serve Coder on both unencrypted HTTP and encrypted HTTPS? I think if the latter is present, they should always redirect HTTP to HTTPS.
deansheather commented on Jul 22, 2022
That makes sense @ketang, but at the moment, since coder can only listen on one or the other, users are forced to do this with a reverse proxy, which makes the TLS options in coder useless since they'll be doing TLS termination at the reverse proxy. I don't mind changing this issue so if we listen on both we always do a HTTPS redirect from HTTP.
ketang commented on Jul 31, 2022
Why can Coder only listen on one?
deansheather commented on Aug 1, 2022
Coder only listens on one right now since we only have one listen address flag. If you don't specify TLS certs then it's a HTTP server, otherwise it's a HTTPS server.
Title changed from "feat: HTTPS listen address flag" to "Add HTTPS listen address flag"
jsjoeio commented on Sep 7, 2022
Sounds like we're experiencing this with dev.coder.com - it doesn't automatically add HTTPS or redirect and therefore I see a broken page.
