mirror of https://github.com/coder/coder.git
fix: add `--block-direct-connections` to wsproxies (#12182)
This commit is contained in:
parent
66154f937e
commit
6b0b87eb27
|
@ -880,7 +880,8 @@ when required by your organization's security policy.`,
|
|||
Env: "CODER_BLOCK_DIRECT",
|
||||
Value: &c.DERP.Config.BlockDirect,
|
||||
Group: &deploymentGroupNetworkingDERP,
|
||||
YAML: "blockDirect",
|
||||
YAML: "blockDirect", Annotations: clibase.Annotations{}.
|
||||
Mark(annotationExternalProxies, "true"),
|
||||
},
|
||||
{
|
||||
Name: "DERP Force WebSockets",
|
||||
|
|
|
@ -262,6 +262,7 @@ func (r *RootCmd) proxyServer() *clibase.Cmd {
|
|||
AllowAllCors: cfg.Dangerous.AllowAllCors.Value(),
|
||||
DERPEnabled: cfg.DERP.Server.Enable.Value(),
|
||||
DERPOnly: derpOnly.Value(),
|
||||
BlockDirect: cfg.DERP.Config.BlockDirect.Value(),
|
||||
DERPServerRelayAddress: cfg.DERP.Server.RelayURL.String(),
|
||||
})
|
||||
if err != nil {
|
||||
|
|
|
@ -20,7 +20,7 @@ import (
|
|||
"github.com/coder/coder/v2/testutil"
|
||||
)
|
||||
|
||||
func Test_Headers(t *testing.T) {
|
||||
func Test_ProxyServer_Headers(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
const (
|
||||
|
|
|
@ -34,6 +34,7 @@ type ProxyOptions struct {
|
|||
DisablePathApps bool
|
||||
DerpDisabled bool
|
||||
DerpOnly bool
|
||||
BlockDirect bool
|
||||
|
||||
// ProxyURL is optional
|
||||
ProxyURL *url.URL
|
||||
|
@ -158,6 +159,7 @@ func NewWorkspaceProxyReplica(t *testing.T, coderdAPI *coderd.API, owner *coders
|
|||
DERPOnly: options.DerpOnly,
|
||||
DERPServerRelayAddress: serverURL.String(),
|
||||
StatsCollectorOptions: statsCollectorOptions,
|
||||
BlockDirect: options.BlockDirect,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
t.Cleanup(func() {
|
||||
|
|
|
@ -75,6 +75,9 @@ type Options struct {
|
|||
// DERPOnly determines whether this proxy only provides DERP and does not
|
||||
// provide access to workspace apps/terminal.
|
||||
DERPOnly bool
|
||||
// BlockDirect controls the servertailnet of the proxy, forcing it from
|
||||
// negotiating direct connections.
|
||||
BlockDirect bool
|
||||
|
||||
ProxySessionToken string
|
||||
// AllowAllCors will set all CORs headers to '*'.
|
||||
|
@ -251,7 +254,7 @@ func New(ctx context.Context, opts *Options) (*Server, error) {
|
|||
},
|
||||
regResp.DERPForceWebSockets,
|
||||
s.DialCoordinator,
|
||||
false, // TODO: this will be covered in a subsequent pr.
|
||||
opts.BlockDirect,
|
||||
s.TracerProvider,
|
||||
)
|
||||
if err != nil {
|
||||
|
|
|
@ -615,6 +615,76 @@ func TestWorkspaceProxyWorkspaceApps(t *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
func TestWorkspaceProxyWorkspaceApps_BlockDirect(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
apptest.Run(t, false, func(t *testing.T, opts *apptest.DeploymentOptions) *apptest.Deployment {
|
||||
deploymentValues := coderdtest.DeploymentValues(t)
|
||||
deploymentValues.DisablePathApps = clibase.Bool(opts.DisablePathApps)
|
||||
deploymentValues.Dangerous.AllowPathAppSharing = clibase.Bool(opts.DangerousAllowPathAppSharing)
|
||||
deploymentValues.Dangerous.AllowPathAppSiteOwnerAccess = clibase.Bool(opts.DangerousAllowPathAppSiteOwnerAccess)
|
||||
deploymentValues.Experiments = []string{
|
||||
"*",
|
||||
}
|
||||
|
||||
proxyStatsCollectorFlushCh := make(chan chan<- struct{}, 1)
|
||||
flushStats := func() {
|
||||
proxyStatsCollectorFlushDone := make(chan struct{}, 1)
|
||||
proxyStatsCollectorFlushCh <- proxyStatsCollectorFlushDone
|
||||
<-proxyStatsCollectorFlushDone
|
||||
}
|
||||
|
||||
if opts.PrimaryAppHost == "" {
|
||||
opts.PrimaryAppHost = "*.primary.test.coder.com"
|
||||
}
|
||||
client, closer, api, user := coderdenttest.NewWithAPI(t, &coderdenttest.Options{
|
||||
Options: &coderdtest.Options{
|
||||
DeploymentValues: deploymentValues,
|
||||
AppHostname: opts.PrimaryAppHost,
|
||||
IncludeProvisionerDaemon: true,
|
||||
RealIPConfig: &httpmw.RealIPConfig{
|
||||
TrustedOrigins: []*net.IPNet{{
|
||||
IP: net.ParseIP("127.0.0.1"),
|
||||
Mask: net.CIDRMask(8, 32),
|
||||
}},
|
||||
TrustedHeaders: []string{
|
||||
"CF-Connecting-IP",
|
||||
},
|
||||
},
|
||||
WorkspaceAppsStatsCollectorOptions: opts.StatsCollectorOptions,
|
||||
},
|
||||
LicenseOptions: &coderdenttest.LicenseOptions{
|
||||
Features: license.Features{
|
||||
codersdk.FeatureWorkspaceProxy: 1,
|
||||
},
|
||||
},
|
||||
})
|
||||
t.Cleanup(func() {
|
||||
_ = closer.Close()
|
||||
})
|
||||
|
||||
// Create the external proxy
|
||||
if opts.DisableSubdomainApps {
|
||||
opts.AppHost = ""
|
||||
}
|
||||
proxyAPI := coderdenttest.NewWorkspaceProxyReplica(t, api, client, &coderdenttest.ProxyOptions{
|
||||
Name: "best-proxy",
|
||||
AppHostname: opts.AppHost,
|
||||
DisablePathApps: opts.DisablePathApps,
|
||||
FlushStats: proxyStatsCollectorFlushCh,
|
||||
BlockDirect: true,
|
||||
})
|
||||
|
||||
return &apptest.Deployment{
|
||||
Options: opts,
|
||||
SDKClient: client,
|
||||
FirstUser: user,
|
||||
PathAppBaseURL: proxyAPI.Options.AccessURL,
|
||||
FlushStats: flushStats,
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
// createDERPClient creates a DERP client and spawns a goroutine that reads from
|
||||
// the client and sends the received packets to a channel.
|
||||
//
|
||||
|
|
Loading…
Reference in New Issue