From 3f9af6f5e73c13da631f2e3155a28f1ca88261fa Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Wed, 10 May 2023 12:19:55 -0500
Subject: [PATCH] chore: Allow cors requests to workspace proxies for latency checks (#7484)
* CSP addition for web requests
* chore: Add cors to workspace proxies to allow for latency checks
---
 coderd/httpmw/csp.go | 2 ++
 enterprise/wsproxy/wsproxy.go | 15 +++++++++++++++
 go.mod | 5 ++++-
 go.sum | 2 ++
 4 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/coderd/httpmw/csp.go b/coderd/httpmw/csp.go
index b87cb087c0..0721e97963 100644
--- a/coderd/httpmw/csp.go
+++ b/coderd/httpmw/csp.go
@@ -104,6 +104,8 @@ func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Han
 if len(extraConnect) > 0 {
 for _, extraHost := range extraConnect {
 cspSrcs.Append(cspDirectiveConnectSrc, fmt.Sprintf("wss://%[1]s ws://%[1]s", extraHost))
+ // We also require this to make http/https requests to the workspace proxy for latency checking.
+ cspSrcs.Append(cspDirectiveConnectSrc, fmt.Sprintf("https://%[1]s http://%[1]s", extraHost))
 }
 }
diff --git a/enterprise/wsproxy/wsproxy.go b/enterprise/wsproxy/wsproxy.go
index f617f00c05..4032ee9aef 100644
--- a/enterprise/wsproxy/wsproxy.go
+++ b/enterprise/wsproxy/wsproxy.go
@@ -11,6 +11,7 @@ import (
 "time"
 "github.com/go-chi/chi/v5"
+ "github.com/go-chi/cors"
 "github.com/google/uuid"
 "github.com/prometheus/client_golang/prometheus"
 "go.opentelemetry.io/otel/trace"
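Review bot: In coderd/httpmw/csp.go the added `connect-src` entry allows `http://` as well as `https://` for every extra host, so the dashboard's policy now permits cleartext fetches to each proxy even when the deployment is TLS-only. Consider emitting only the scheme the proxy is actually served on, or dropping `http://` when the dashboard itself is served over HTTPS. `extraHost` is also formatted straight into the header value; the hunk does not show where the hosts come from, so if they can contain whitespace or `;` they should be validated before `cspSrcs.Append`, since either character would change the directive. The body of `CSPHeaders` starts and ends outside this hunk.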
@@ -197,6 +198,20 @@ func New(ctx context.Context, opts *Options) (*Server, error) {
 httpmw.ExtractRealIP(s.Options.RealIPConfig),
 httpmw.Logger(s.Logger),
 httpmw.Prometheus(s.PrometheusRegistry),
+ // The primary coderd dashboard needs to make some GET requests to
+ // the workspace proxies to check latency.
+ cors.Handler(cors.Options{
+ AllowedOrigins: []string{
+ // Allow the dashboard to make requests to the proxy for latency
+ // checks.
+ opts.DashboardURL.String(),
+ },
+ // Only allow GET requests for latency checks.
+ AllowedMethods: []string{http.MethodGet},
+ AllowedHeaders: []string{"Accept", "Content-Type"},
+ // Do not send any cookies
+ AllowCredentials: false,
+ }),
 // HandleSubdomain is a middleware that handles all requests to the
 // subdomain-based workspace apps.
diff --git a/go.mod b/go.mod
index 48e2a3171e..fed0d2b11c 100644
--- a/go.mod
+++ b/go.mod
@@ -174,7 +174,10 @@ require (
 tailscale.com v1.32.2
 )
-require github.com/armon/go-radix v1.0.0 // indirect
+require (
+ github.com/armon/go-radix v1.0.0 // indirect
+ github.com/go-chi/cors v1.2.1 // indirect
+)
 require (
 cloud.google.com/go/compute v1.18.0 // indirect
diff --git a/go.sum b/go.sum
index 144ef8c06f..46c7093b28 100644
--- a/go.sum
+++ b/go.sum
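Review bot: In enterprise/wsproxy/wsproxy.go the `cors.Handler` is added to the router-wide middleware list ahead of `HandleSubdomain`, so it applies to every request the proxy serves, workspace apps included, not only the latency-check endpoint. As far as I know go-chi/cors answers preflight `OPTIONS` requests itself unless `OptionsPassthrough` is set, which would mean a workspace app's own CORS handling never sees its preflights; mounting the handler only on the latency route would keep the policy as narrow as the comment describes. Separately, `opts.DashboardURL.String()` includes any path or trailing slash while a browser `Origin` header never does, so the allowed origin is safer built as `opts.DashboardURL.Scheme + "://" + opts.DashboardURL.Host`. A nil `DashboardURL` would also panic here unless `New` validates it above the hunk, which is not visible.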
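Review bot: `github.com/go-chi/cors v1.2.1` is recorded with `// indirect` in go.mod, but enterprise/wsproxy/wsproxy.go imports it directly in this same commit. `go mod tidy` would move it into the direct `require` block. Keeping direct dependencies labelled correctly matters when the direct list is what gets reviewed for newly introduced third-party code.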
@@ -599,6 +599,8 @@ github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
 github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=
 github.com/go-chi/chi/v5 v5.0.7 h1:rDTPXLDHGATaeHvVlLcR4Qe0zftYethFucbjVQ1PxU8=
 github.com/go-chi/chi/v5 v5.0.7/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
+github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-chi/httprate v0.7.1 h1:d5kXARdms2PREQfU4pHvq44S6hJ1hPu4OXLeBKmCKWs=
 github.com/go-chi/httprate v0.7.1/go.mod h1:6GOYBSwnpra4CQfAKXu8sQZg+nZ0M1g9QnyFvxrAB8A=
 github.com/go-chi/render v1.0.1 h1:4/5tis2cKaNdnv9zFLfXzcquC9HbeZgCnxGnKrltBS8=