feat: add flag to disable all direct connections (#7936)

Dean Sheather
2023-06-22 08:02:05 +10:00
committed by GitHub
parent 96f9e61ca1
commit a28d422c35
22 changed files with 369 additions and 105 deletions


@ -221,8 +221,9 @@ type DERPServerConfig struct {
}
type DERPConfig struct {
URL clibase.String `json:"url" typescript:",notnull"`
Path clibase.String `json:"path" typescript:",notnull"`
BlockDirect clibase.Bool `json:"block_direct" typescript:",notnull"`
URL clibase.String `json:"url" typescript:",notnull"`
Path clibase.String `json:"path" typescript:",notnull"`
}
type PrometheusConfig struct {
@ -711,6 +712,18 @@ when required by your organization's security policy.`,
Group: &deploymentGroupNetworkingDERP,
YAML: "relayURL",
},
{
Name: "Block Direct Connections",
Description: "Block peer-to-peer (aka. direct) workspace connections. All workspace connections from the CLI will be proxied through Coder (or custom configured DERP servers) and will never be peer-to-peer when enabled. Workspaces may still reach out to STUN servers to get their address until they are restarted after this change has been made, but new connections will still be proxied regardless.",
// This cannot be called `disable-direct-connections` because that's
// already a global CLI flag for CLI connections. This is a
// deployment-wide flag.
Flag: "block-direct-connections",
Env: "CODER_BLOCK_DIRECT",
Value: &c.DERP.Config.BlockDirect,
Group: &deploymentGroupNetworkingDERP,
YAML: "blockDirect",
},
{
Name: "DERP Config URL",
Description: "URL to fetch a DERP mapping on startup. See: https://tailscale.com/kb/1118/custom-derp-servers/.",
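Review bot: The `Description` of the new `Block Direct Connections` option does not say where the block is enforced. It names only connections "from the CLI" and notes that workspaces keep reaching STUN servers until restarted, so an operator enabling it to satisfy a network policy cannot tell whether the server enforces the restriction or whether clients are expected to honour a value they receive. The enforcement code is not visible in this section, so this is a documentation request rather than a claimed gap: the text should state which clients are covered and that existing workspaces must be restarted before the setting can be relied on. The new `BlockDirect` field in `DERPConfig` also has no comment; something like `// BlockDirect is the deployment-wide switch that forces workspace connections through DERP; it is separate from the CLI's own disable-direct-connections flag.` would put the distinction on the field, where it is currently explained only beside `Flag:`.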