feat: add flag to disable all direct connections (#7936)

2025-07-09 11:45:56 +00:00 · 2023-06-22 08:02:05 +10:00
parent 96f9e61ca1
commit a28d422c35
22 changed files with 369 additions and 105 deletions
--- a/codersdk/deployment.go
+++ b/codersdk/deployment.go
@ -221,8 +221,9 @@ type DERPServerConfig struct {
 }

 type DERPConfig struct {
-	URL  clibase.String `json:"url" typescript:",notnull"`
-	Path clibase.String `json:"path" typescript:",notnull"`
+	BlockDirect clibase.Bool   `json:"block_direct" typescript:",notnull"`
+	URL         clibase.String `json:"url" typescript:",notnull"`
+	Path        clibase.String `json:"path" typescript:",notnull"`
 }

 type PrometheusConfig struct {
@ -711,6 +712,18 @@ when required by your organization's security policy.`,
 			Group:       &deploymentGroupNetworkingDERP,
 			YAML:        "relayURL",
 		},
+		{
+			Name:        "Block Direct Connections",
+			Description: "Block peer-to-peer (aka. direct) workspace connections. All workspace connections from the CLI will be proxied through Coder (or custom configured DERP servers) and will never be peer-to-peer when enabled. Workspaces may still reach out to STUN servers to get their address until they are restarted after this change has been made, but new connections will still be proxied regardless.",
+			// This cannot be called `disable-direct-connections` because that's
+			// already a global CLI flag for CLI connections. This is a
+			// deployment-wide flag.
+			Flag:  "block-direct-connections",
+			Env:   "CODER_BLOCK_DIRECT",
+			Value: &c.DERP.Config.BlockDirect,
+			Group: &deploymentGroupNetworkingDERP,
+			YAML:  "blockDirect",
+		},
 		{
 			Name:        "DERP Config URL",
 			Description: "URL to fetch a DERP mapping on startup. See: https://tailscale.com/kb/1118/custom-derp-servers/.",