feat: add flag to disable all direct connections (#7936)

codersdk/agentsdk/agentsdk.go

@@ -87,18 +87,19 @@ type Manifest struct {
 	// GitAuthConfigs stores the number of Git configurations
 	// the Coder deployment has. If this number is >0, we
 	// set up special configuration in the workspace.
-	GitAuthConfigs        int                                          `json:"git_auth_configs"`
-	VSCodePortProxyURI    string                                       `json:"vscode_port_proxy_uri"`
-	Apps                  []codersdk.WorkspaceApp                      `json:"apps"`
-	DERPMap               *tailcfg.DERPMap                             `json:"derpmap"`
-	EnvironmentVariables  map[string]string                            `json:"environment_variables"`
-	StartupScript         string                                       `json:"startup_script"`
-	StartupScriptTimeout  time.Duration                                `json:"startup_script_timeout"`
-	Directory             string                                       `json:"directory"`
-	MOTDFile              string                                       `json:"motd_file"`
-	ShutdownScript        string                                       `json:"shutdown_script"`
-	ShutdownScriptTimeout time.Duration                                `json:"shutdown_script_timeout"`
-	Metadata              []codersdk.WorkspaceAgentMetadataDescription `json:"metadata"`
+	GitAuthConfigs           int                                          `json:"git_auth_configs"`
+	VSCodePortProxyURI       string                                       `json:"vscode_port_proxy_uri"`
+	Apps                     []codersdk.WorkspaceApp                      `json:"apps"`
+	DERPMap                  *tailcfg.DERPMap                             `json:"derpmap"`
+	EnvironmentVariables     map[string]string                            `json:"environment_variables"`
+	StartupScript            string                                       `json:"startup_script"`
+	StartupScriptTimeout     time.Duration                                `json:"startup_script_timeout"`
+	Directory                string                                       `json:"directory"`
+	MOTDFile                 string                                       `json:"motd_file"`
+	ShutdownScript           string                                       `json:"shutdown_script"`
+	ShutdownScriptTimeout    time.Duration                                `json:"shutdown_script_timeout"`
+	DisableDirectConnections bool                                         `json:"disable_direct_connections"`
+	Metadata                 []codersdk.WorkspaceAgentMetadataDescription `json:"metadata"`
 }
 
 // Manifest fetches manifest for the currently authenticated workspace agent.

codersdk/deployment.go

@@ -221,8 +221,9 @@ type DERPServerConfig struct {
 }
 
 type DERPConfig struct {
-	URL  clibase.String `json:"url" typescript:",notnull"`
-	Path clibase.String `json:"path" typescript:",notnull"`
+	BlockDirect clibase.Bool   `json:"block_direct" typescript:",notnull"`
+	URL         clibase.String `json:"url" typescript:",notnull"`
+	Path        clibase.String `json:"path" typescript:",notnull"`
 }
 
 type PrometheusConfig struct {
@@ -711,6 +712,18 @@ when required by your organization's security policy.`,
 			Group:       &deploymentGroupNetworkingDERP,
 			YAML:        "relayURL",
 		},
+		{
+			Name:        "Block Direct Connections",
+			Description: "Block peer-to-peer (aka. direct) workspace connections. All workspace connections from the CLI will be proxied through Coder (or custom configured DERP servers) and will never be peer-to-peer when enabled. Workspaces may still reach out to STUN servers to get their address until they are restarted after this change has been made, but new connections will still be proxied regardless.",
+			// This cannot be called `disable-direct-connections` because that's
+			// already a global CLI flag for CLI connections. This is a
+			// deployment-wide flag.
+			Flag:  "block-direct-connections",
+			Env:   "CODER_BLOCK_DIRECT",
+			Value: &c.DERP.Config.BlockDirect,
+			Group: &deploymentGroupNetworkingDERP,
+			YAML:  "blockDirect",
+		},
 		{
 			Name:        "DERP Config URL",
 			Description: "URL to fetch a DERP mapping on startup. See: https://tailscale.com/kb/1118/custom-derp-servers/.",

codersdk/workspaceagents.go

@@ -167,7 +167,8 @@ type DERPRegion struct {
 // a connection with a workspace.
 // @typescript-ignore WorkspaceAgentConnectionInfo
 type WorkspaceAgentConnectionInfo struct {
-	DERPMap *tailcfg.DERPMap `json:"derp_map"`
+	DERPMap                  *tailcfg.DERPMap `json:"derp_map"`
+	DisableDirectConnections bool             `json:"disable_direct_connections"`
 }
 
 func (c *Client) WorkspaceAgentConnectionInfo(ctx context.Context) (*WorkspaceAgentConnectionInfo, error) {
@@ -215,6 +216,9 @@ func (c *Client) DialWorkspaceAgent(ctx context.Context, agentID uuid.UUID, opti
 	if err != nil {
 		return nil, xerrors.Errorf("decode conn info: %w", err)
 	}
+	if connInfo.DisableDirectConnections {
+		options.BlockEndpoints = true
+	}
 
 	ip := tailnet.IP()
 	var header http.Header