From 9afc8be82bc1b8367b95269d4f1fe2ffaff69ca4 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Wed, 10 May 2023 11:22:50 -0500 Subject: [PATCH 1/5] CSP addition for web requests --- coderd/httpmw/csp.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/coderd/httpmw/csp.go b/coderd/httpmw/csp.go index b87cb087c0d57..b6cb8d8b6ffb5 100644 --- a/coderd/httpmw/csp.go +++ b/coderd/httpmw/csp.go @@ -104,6 +104,8 @@ func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Han if len(extraConnect) > 0 { for _, extraHost := range extraConnect { cspSrcs.Append(cspDirectiveConnectSrc, fmt.Sprintf("wss://%[1]s ws://%[1]s", extraHost)) + // We also require this to make http/https requests to the workspace proxy for latenecy checking. + cspSrcs.Append(cspDirectiveConnectSrc, fmt.Sprintf("https://%[1]s http://%[1]s", extraHost)) } } From 0c6bc96d69cc4c9896fc26e61578a5bb46779045 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Wed, 10 May 2023 11:33:29 -0500 Subject: [PATCH 2/5] chore: Add cors to workspace proxies to allow for latency checks --- enterprise/wsproxy/wsproxy.go | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/enterprise/wsproxy/wsproxy.go b/enterprise/wsproxy/wsproxy.go index f617f00c0581a..8d8655548e6c1 100644 --- a/enterprise/wsproxy/wsproxy.go +++ b/enterprise/wsproxy/wsproxy.go @@ -10,6 +10,8 @@ import ( "strings" "time" + "github.com/go-chi/cors" + "github.com/go-chi/chi/v5" "github.com/google/uuid" "github.com/prometheus/client_golang/prometheus" 
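Review bot: The new `connect-src` entry in CSPHeaders allows plaintext `http://` alongside `https://` for every extra host, and nothing in the hunk ties the allowed scheme to what the proxy actually serves. When the dashboard is loaded over HTTPS, browsers block an `http://` fetch as mixed content anyway, so that half of the entry only widens the policy without enabling a request. If the caller knows the proxy's scheme, emit only that one; otherwise document the trade-off with a comment such as `// http:// is kept for deployments without TLS; https:// is the expected scheme.` The `ws://` entry on the line above follows the same pattern, and CSPHeaders' body starts and ends outside the hunk, so how extraConnect is populated is not visible here.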
@@ -197,6 +199,20 @@ func New(ctx context.Context, opts *Options) (*Server, error) { httpmw.ExtractRealIP(s.Options.RealIPConfig), httpmw.Logger(s.Logger), httpmw.Prometheus(s.PrometheusRegistry), + // The primary coderd dashboard needs to make some GET requests to + // the workspace proxies to check latency. + cors.Handler(cors.Options{ + AllowedOrigins: []string{ + // Allow the dashboard to make requests to the proxy for latency + // checks. + opts.DashboardURL.String(), + }, + // Only allow GET requests for latency checks. + AllowedMethods: []string{http.MethodGet}, + AllowedHeaders: []string{"Accept", "Content-Type"}, + // Do not send any cookies + AllowCredentials: false, + }), // HandleSubdomain is a middleware that handles all requests to the // subdomain-based workspace apps. From f1f3fc88f8f4e3a24e6b743928633c049c761ce2 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Wed, 10 May 2023 11:37:07 -0500 Subject: [PATCH 3/5] Add cors dep --- go.mod | 5 ++++- go.sum | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 48e2a3171e9a8..fed0d2b11cd01 100644 --- a/go.mod +++ b/go.mod @@ -174,7 +174,10 @@ require ( tailscale.com v1.32.2 ) -require github.com/armon/go-radix v1.0.0 // indirect +require ( + github.com/armon/go-radix v1.0.0 // indirect + github.com/go-chi/cors v1.2.1 // indirect +) require ( cloud.google.com/go/compute v1.18.0 // indirect diff --git a/go.sum b/go.sum index 144ef8c06f62f..46c7093b28a0c 100644 --- a/go.sum +++ b/go.sum 
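Review bot: The `cors.Handler` is added to the server-wide middleware chain ahead of the subdomain app handler, so the dashboard origin appears to get cross-origin GET reads on every route this proxy serves, not only the latency check the comment names. Mounting it on just the latency route (for example with the router's `With(...)`) would keep the grant as narrow as its stated purpose, and it is worth confirming how preflight requests aimed at workspace apps are answered once this handler sits in front of them. Separately, `opts.DashboardURL.String()` includes any path or trailing slash, while a browser `Origin` header carries only scheme, host and port, so a configured value like `https://dash.example.com/` (constructed example) would likely never match; `opts.DashboardURL.Scheme + "://" + opts.DashboardURL.Host` avoids that. New's body starts and ends outside the hunk, so whether DashboardURL is checked for nil before this call cannot be seen here.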
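Review bot: `github.com/go-chi/cors v1.2.1` is recorded with `// indirect` in a separate require block, but enterprise/wsproxy/wsproxy.go imports it directly in this same series. Running `go mod tidy` should move it into the direct-dependency block without the marker, which keeps the list of deliberately chosen dependencies accurate for dependency review.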
@@ -599,6 +599,8 @@ github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs= github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg= github.com/go-chi/chi/v5 v5.0.7 h1:rDTPXLDHGATaeHvVlLcR4Qe0zftYethFucbjVQ1PxU8= github.com/go-chi/chi/v5 v5.0.7/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= +github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4= +github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58= github.com/go-chi/httprate v0.7.1 h1:d5kXARdms2PREQfU4pHvq44S6hJ1hPu4OXLeBKmCKWs= github.com/go-chi/httprate v0.7.1/go.mod h1:6GOYBSwnpra4CQfAKXu8sQZg+nZ0M1g9QnyFvxrAB8A= github.com/go-chi/render v1.0.1 h1:4/5tis2cKaNdnv9zFLfXzcquC9HbeZgCnxGnKrltBS8= From 3056730829ab3b715853ca162f1a185275d3b964 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Wed, 10 May 2023 11:38:49 -0500 Subject: [PATCH 4/5] Fix imports --- enterprise/wsproxy/wsproxy.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/enterprise/wsproxy/wsproxy.go b/enterprise/wsproxy/wsproxy.go index 8d8655548e6c1..4032ee9aefd03 100644 --- a/enterprise/wsproxy/wsproxy.go +++ b/enterprise/wsproxy/wsproxy.go @@ -10,9 +10,8 @@ import ( "strings" "time" - "github.com/go-chi/cors" - "github.com/go-chi/chi/v5" + "github.com/go-chi/cors" "github.com/google/uuid" "github.com/prometheus/client_golang/prometheus" "go.opentelemetry.io/otel/trace" From 454a5c045575e316da9c48c777ee10ba39580fda Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Wed, 10 May 2023 11:58:27 -0500 Subject: [PATCH 5/5] Fix typo --- coderd/httpmw/csp.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/coderd/httpmw/csp.go b/coderd/httpmw/csp.go index b6cb8d8b6ffb5..0721e979635b7 100644 --- a/coderd/httpmw/csp.go +++ b/coderd/httpmw/csp.go 
@@ -104,7 +104,7 @@ func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Han
 if len(extraConnect) > 0 {
 for _, extraHost := range extraConnect {
 cspSrcs.Append(cspDirectiveConnectSrc, fmt.Sprintf("wss://%[1]s ws://%[1]s", extraHost))
- // We also require this to make http/https requests to the workspace proxy for latenecy checking.
+ // We also require this to make http/https requests to the workspace proxy for latency checking.
 cspSrcs.Append(cspDirectiveConnectSrc, fmt.Sprintf("https://%[1]s http://%[1]s", extraHost))
 }
 }