
fix: add --block-direct-connections to wsproxies #12182

Merged
merged 1 commit into from
Mar 8, 2024
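--- a/codersdk/deployment.go
+++ b/codersdk/deployment.go
@@ -880,7 +880,8 @@ when required by your organization's security policy.`,
 Env: "CODER_BLOCK_DIRECT",
 Value: &c.DERP.Config.BlockDirect,
 Group: &deploymentGroupNetworkingDERP,
-YAML: "blockDirect",
+YAML: "blockDirect", Annotations: clibase.Annotations{}.
+Mark(annotationExternalProxies, "true"),
 },
 {
 Name: "DERP Force WebSockets",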
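Review bot: The option's help text (its tail, "when required by your organization's security policy", is visible in the hunk header) does not tell operators that each workspace proxy reads this setting from its own environment; marking the option with `annotationExternalProxies` makes that the operator's job, and the proxy wiring in `enterprise/cli/proxyserver.go` takes `cfg.DERP.Config.BlockDirect.Value()` from the proxy's own config. If so, a proxy started without `CODER_BLOCK_DIRECT` would appear to keep negotiating direct connections even when the primary blocks them, silently defeating the policy. Consider appending to the description: `This must also be set on every workspace proxy; proxies do not inherit it from the primary deployment.` The option definition starts before the hunk.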
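--- a/enterprise/cli/proxyserver.go
+++ b/enterprise/cli/proxyserver.go
@@ -262,6 +262,7 @@ func (r *RootCmd) proxyServer() *clibase.Cmd {
 AllowAllCors: cfg.Dangerous.AllowAllCors.Value(),
 DERPEnabled: cfg.DERP.Server.Enable.Value(),
 DERPOnly: derpOnly.Value(),
+BlockDirect: cfg.DERP.Config.BlockDirect.Value(),
 DERPServerRelayAddress: cfg.DERP.Server.RelayURL.String(),
 })
 if err != nil {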
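--- a/enterprise/cli/proxyserver_test.go
+++ b/enterprise/cli/proxyserver_test.go
@@ -20,7 +20,7 @@ import (
 "github.com/coder/coder/v2/testutil"
 )
 
-func Test_Headers(t *testing.T) {
+func Test_ProxyServer_Headers(t *testing.T) {
 t.Parallel()
 
 const (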
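--- a/enterprise/coderd/coderdenttest/proxytest.go
+++ b/enterprise/coderd/coderdenttest/proxytest.go
@@ -34,6 +34,7 @@ type ProxyOptions struct {
 DisablePathApps bool
 DerpDisabled bool
 DerpOnly bool
+BlockDirect bool
 
 // ProxyURL is optional
 ProxyURL *url.URL
@@ -158,6 +159,7 @@ func NewWorkspaceProxyReplica(t *testing.T, coderdAPI *coderd.API, owner *coders
 DERPOnly: options.DerpOnly,
 DERPServerRelayAddress: serverURL.String(),
 StatsCollectorOptions: statsCollectorOptions,
+BlockDirect: options.BlockDirect,
 })
 require.NoError(t, err)
 t.Cleanup(func() {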
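Review bot: The new `BlockDirect` field in `ProxyOptions` has no comment, and its only visible effect is the pass-through to the wsproxy options in the second hunk. Suggest `// BlockDirect is passed through to wsproxy.Options.BlockDirect and stops the proxy's servertailnet from negotiating direct connections.` The `ProxyOptions` struct and `NewWorkspaceProxyReplica` both continue outside the hunks.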
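--- a/enterprise/wsproxy/wsproxy.go
+++ b/enterprise/wsproxy/wsproxy.go
@@ -75,6 +75,9 @@ type Options struct {
 // DERPOnly determines whether this proxy only provides DERP and does not
 // provide access to workspace apps/terminal.
 DERPOnly bool
+// BlockDirect controls the servertailnet of the proxy, forcing it from
+// negotiating direct connections.
+BlockDirect bool
 
 ProxySessionToken string
 // AllowAllCors will set all CORs headers to '*'.
@@ -251,7 +254,7 @@ func New(ctx context.Context, opts *Options) (*Server, error) {
 },
 regResp.DERPForceWebSockets,
 s.DialCoordinator,
-false, // TODO: this will be covered in a subsequent pr.
+opts.BlockDirect,
 s.TracerProvider,
 )
 if err != nil {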
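Review bot: The doc comment on the new `BlockDirect` field is garbled ("forcing it from negotiating"), which matters for a security knob whose meaning operators will read from the field doc; suggest `// BlockDirect prevents the proxy's servertailnet from negotiating direct connections to workspaces, so all traffic is relayed.` The second hunk swaps a positional `false` for `opts.BlockDirect` in a long argument list of mostly unnamed bools; keeping the trailing comment, `opts.BlockDirect, // blockDirect`, would preserve the self-documenting hint the removed line had. The `New` function continues beyond the hunk.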
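--- a/enterprise/wsproxy/wsproxy_test.go
+++ b/enterprise/wsproxy/wsproxy_test.go
@@ -615,6 +615,76 @@ func TestWorkspaceProxyWorkspaceApps(t *testing.T) {
 })
 }
 
+func TestWorkspaceProxyWorkspaceApps_BlockDirect(t *testing.T) {
+t.Parallel()
+
+apptest.Run(t, false, func(t *testing.T, opts *apptest.DeploymentOptions) *apptest.Deployment {
+deploymentValues := coderdtest.DeploymentValues(t)
+deploymentValues.DisablePathApps = clibase.Bool(opts.DisablePathApps)
+deploymentValues.Dangerous.AllowPathAppSharing = clibase.Bool(opts.DangerousAllowPathAppSharing)
+deploymentValues.Dangerous.AllowPathAppSiteOwnerAccess = clibase.Bool(opts.DangerousAllowPathAppSiteOwnerAccess)
+deploymentValues.Experiments = []string{
+"*",
+}
+
+proxyStatsCollectorFlushCh := make(chan chan<- struct{}, 1)
+flushStats := func() {
+proxyStatsCollectorFlushDone := make(chan struct{}, 1)
+proxyStatsCollectorFlushCh <- proxyStatsCollectorFlushDone
+<-proxyStatsCollectorFlushDone
+}
+
+if opts.PrimaryAppHost == "" {
+opts.PrimaryAppHost = "*.primary.test.coder.com"
+}
+client, closer, api, user := coderdenttest.NewWithAPI(t, &coderdenttest.Options{
+Options: &coderdtest.Options{
+DeploymentValues: deploymentValues,
+AppHostname: opts.PrimaryAppHost,
+IncludeProvisionerDaemon: true,
+RealIPConfig: &httpmw.RealIPConfig{
+TrustedOrigins: []*net.IPNet{{
+IP: net.ParseIP("127.0.0.1"),
+Mask: net.CIDRMask(8, 32),
+}},
+TrustedHeaders: []string{
+"CF-Connecting-IP",
+},
+},
+WorkspaceAppsStatsCollectorOptions: opts.StatsCollectorOptions,
+},
+LicenseOptions: &coderdenttest.LicenseOptions{
+Features: license.Features{
+codersdk.FeatureWorkspaceProxy: 1,
+},
+},
+})
+t.Cleanup(func() {
+_ = closer.Close()
+})
+
+// Create the external proxy
+if opts.DisableSubdomainApps {
+opts.AppHost = ""
+}
+proxyAPI := coderdenttest.NewWorkspaceProxyReplica(t, api, client, &coderdenttest.ProxyOptions{
+Name: "best-proxy",
+AppHostname: opts.AppHost,
+DisablePathApps: opts.DisablePathApps,
+FlushStats: proxyStatsCollectorFlushCh,
+BlockDirect: true,
+})
+
+return &apptest.Deployment{
+Options: opts,
+SDKClient: client,
+FirstUser: user,
+PathAppBaseURL: proxyAPI.Options.AccessURL,
+FlushStats: flushStats,
+}
+})
+}
+
 // createDERPClient creates a DERP client and spawns a goroutine that reads from
 // the client and sends the received packets to a channel.
 //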
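Review bot: Nothing in `TestWorkspaceProxyWorkspaceApps_BlockDirect` asserts that direct connections are actually refused; it sets `BlockDirect: true` on the replica and otherwise runs the same `apptest.Run` suite, so unless `apptest.Run` inspects the transport it only shows that app routing still works with the flag on, not that the flag does anything. A regression that ignored `opts.BlockDirect` in `wsproxy.New` would pass this test unchanged; consider adding a check, after an app request succeeds, that the proxy's tailnet peer status reports a relayed rather than direct endpoint (the exact API is outside this hunk). Separately, the function appears to duplicate the setup of `TestWorkspaceProxyWorkspaceApps` immediately above it line for line apart from the one new field; extracting that setup into a helper taking the extra `ProxyOptions` would keep the two from drifting.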