From ba5c91e6c693a1e3a302068d3f6e6732a6f9a869 Mon Sep 17 00:00:00 2001 From: Ammar Bandukwala Date: Mon, 10 Apr 2023 16:27:02 +0000 Subject: [PATCH 1/3] feat: allow disabling stun addresses via env Resolves #6791 --- cli/server.go | 13 +++++++++++++ cli/server_test.go | 24 ++++++++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/cli/server.go b/cli/server.go index 18ebf0ca576eb..0284eb74136b3 100644 --- a/cli/server.go +++ b/cli/server.go @@ -568,6 +568,19 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd. if !cfg.DERP.Server.Enable { defaultRegion = nil } + + // HACK: see https://github.com/coder/coder/issues/6791. + for _, addr := range cfg.DERP.Server.STUNAddresses { + if addr != "disable" { + continue + } + err := cfg.DERP.Server.STUNAddresses.Replace(nil) + if err != nil { + panic(err) + } + break + } + derpMap, err := tailnet.NewDERPMap( ctx, defaultRegion, cfg.DERP.Server.STUNAddresses, cfg.DERP.Config.URL.String(), cfg.DERP.Config.Path.String(), diff --git a/cli/server_test.go b/cli/server_test.go index 55205e6f9b043..b4fd636ce81ad 100644 --- a/cli/server_test.go +++ b/cli/server_test.go 
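Review bot: The `panic(err)` in the new STUN loop of cli/server.go turns a failure while handling configuration into a process crash; the `derpMap, err :=` call right after it suggests the enclosing closure already propagates errors, so `if err != nil { return err }` (wrapped the way the file wraps its other errors) fits better. The loop also clears the whole list as soon as any element equals `disable`, so a value such as `disable,stun.example.com:3478` (constructed example) silently drops the real address; consider accepting the sentinel only when it is the sole entry and returning an error for a mix. The match is exact and case-sensitive, so a typo like `Disable` is left in the list that is passed to `tailnet.NewDERPMap`, and an operator who meant to stop outbound STUN traffic gets no signal that it is still configured; the `// HACK` comment should state this. The enclosing function starts and ends outside the hunk.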
@@ -1489,6 +1489,30 @@ func TestServer(t *testing.T) { w.RequireSuccess() }) }) + t.Run("DisableDERP", func(t *testing.T) { + t.Parallel() + + // Make sure that $CODER_DERP_SERVER_STUN_ADDRESSES can be set to + // disable STUN. + + inv, cfg := clitest.New(t, + "server", + "--in-memory", + "--http-address", ":0", + ) + inv.Environ.Set("CODER_DERP_SERVER_STUN_ADDRESSES", "disable") + ptytest.New(t).Attach(inv) + clitest.Start(t, inv) + gotURL := waitAccessURL(t, cfg) + client := codersdk.New(gotURL) + + ctx := testutil.Context(t, testutil.WaitMedium) + _ = coderdtest.CreateFirstUser(t, client) + gotConfig, err := client.DeploymentConfig(ctx) + require.NoError(t, err) + + require.Len(t, gotConfig.Values.DERP.Server.STUNAddresses, 0) + }) } func generateTLSCertificate(t testing.TB, commonName ...string) (certPath, keyPath string) { From d690659a4ab15413c77e6da273d51f34c5b82f5e Mon Sep 17 00:00:00 2001 From: Kyle Carberry Date: Mon, 10 Apr 2023 19:29:06 +0000 Subject: [PATCH 2/3] Specify a dummy access URL so the tunnel wouldn't start --- cli/server_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/cli/server_test.go b/cli/server_test.go index b4fd636ce81ad..9261ec9c14882 100644 --- a/cli/server_test.go +++ b/cli/server_test.go @@ -1499,6 +1499,7 @@ func TestServer(t *testing.T) { "server", "--in-memory", "--http-address", ":0", + "--access-url", "https://example.com", ) inv.Environ.Set("CODER_DERP_SERVER_STUN_ADDRESSES", "disable") ptytest.New(t).Attach(inv) From 084926c4144774e3683af108456042b1be781a46 Mon Sep 17 00:00:00 2001 From: Ammar Bandukwala Date: Mon, 17 Apr 2023 17:09:37 +0000 Subject: [PATCH 3/3] Document --- cli/testdata/coder_server_--help.golden | 4 ++-- cli/testdata/server-config.yaml.golden | 4 ++-- codersdk/deployment.go | 2 +- docs/cli/server.md | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden index 446539df00d4c..6e3de2eabfae5 100644 
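Review bot: The subtest added to cli/server_test.go is named `DisableDERP`, but it sets `CODER_DERP_SERVER_STUN_ADDRESSES` and asserts on `STUNAddresses`, so the name should say STUN: `t.Run("DisableSTUN", func(t *testing.T) {`. The only assertion is that the reported deployment config has an empty list; nothing checks that the DERP map built from it carries no STUN entries, which is the property an operator blocking outbound STUN depends on. A second case that mixes `disable` with a real address would pin down what the server does with that input.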
--- a/cli/testdata/coder_server_--help.golden +++ b/cli/testdata/coder_server_--help.golden @@ -168,8 +168,8 @@ backed by Tailscale and WireGuard. Region name that for the embedded DERP server. --derp-server-stun-addresses string-array, $CODER_DERP_SERVER_STUN_ADDRESSES (default: stun.l.google.com:19302) - Addresses for STUN servers to establish P2P connections. Set empty to - disable P2P connections. + Addresses for STUN servers to establish P2P connections. Use special + value 'disable' to turn off STUN. Networking / HTTP Options --disable-password-auth bool, $CODER_DISABLE_PASSWORD_AUTH diff --git a/cli/testdata/server-config.yaml.golden b/cli/testdata/server-config.yaml.golden index 99e22f3dcbd72..a05cdbfac60c6 100644 --- a/cli/testdata/server-config.yaml.golden +++ b/cli/testdata/server-config.yaml.golden @@ -105,8 +105,8 @@ networking: # Region name that for the embedded DERP server. # (default: Coder Embedded Relay, type: string) regionName: Coder Embedded Relay - # Addresses for STUN servers to establish P2P connections. Set empty to disable - # P2P connections. + # Addresses for STUN servers to establish P2P connections. Use special value + # 'disable' to turn off STUN. # (default: stun.l.google.com:19302, type: string-array) stunAddresses: - stun.l.google.com:19302 diff --git a/codersdk/deployment.go b/codersdk/deployment.go index dee95504e97eb..d4a61072f0f26 100644 --- a/codersdk/deployment.go +++ b/codersdk/deployment.go @@ -666,7 +666,7 @@ when required by your organization's security policy.`, }, { Name: "DERP Server STUN Addresses", - Description: "Addresses for STUN servers to establish P2P connections. Set empty to disable P2P connections.", + Description: "Addresses for STUN servers to establish P2P connections. Use special value 'disable' to turn off STUN.", Flag: "derp-server-stun-addresses", Env: "CODER_DERP_SERVER_STUN_ADDRESSES", Default: "stun.l.google.com:19302", 
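Review bot: The new `Description` in codersdk/deployment.go no longer tells the operator what turning STUN off means for the deployment; the old text tied an empty list to disabling P2P connections, while the new one only says STUN is turned off. If that consequence still holds, suggest `Description: "Addresses for STUN servers to establish P2P connections. Use the special value 'disable' to turn off STUN, which disables P2P connections.",`. The text also does not say whether an empty value is still accepted or whether `disable` must be the only entry. The golden files and docs/cli/server.md repeat the same sentence and would need regenerating to match.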
diff --git a/docs/cli/server.md b/docs/cli/server.md index e9a382dc598dd..3cbcafe9bbc35 100644 --- a/docs/cli/server.md +++ b/docs/cli/server.md @@ -171,7 +171,7 @@ An HTTP URL that is accessible by other replicas to relay DERP traffic. Required | YAML | networking.derp.stunAddresses | | Default | stun.l.google.com:19302 | -Addresses for STUN servers to establish P2P connections. Set empty to disable P2P connections. +Addresses for STUN servers to establish P2P connections. Use special value 'disable' to turn off STUN. ### --disable-owner-workspace-access