Support using Coder as a derper --verify-client-url admission backend?
#26732
kcon-stackav
started this conversation in
Feature Request
Replies: 1 comment 2 replies
-
|
Awesome to see you considering running your own relays. Are you running their binary directly, running it on K8s, or something else? We're always looking for better ways to document these resources and last I remembered it was kind of challenging to deploy. Regarding admitting clients/tokens, this seems like a reasonable request and I'm passing this onto our engineering team to see if this is something we could either A) bring in or B) if we're open to accepting PRs in this area. Will keep you posted :) |
Beta Was this translation helpful? Give feedback.
2 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
My team is looking at running our own standalone, on-prem DERP relay servers for Coder using the documented custom relay support:
https://coder.com/docs/admin/networking#custom-relays
One thing we are trying to figure out is how to avoid making those relays usable by any non-Coder DERP-speaking client that can reach them on our internal network.
Tailscale's
derperhas a useful-looking option for this:That option posts a request containing the connecting client's DERP node public key and source IP, and expects a response like:
{ "Allow": true }The challenge is that Coder is the system that knows whether a given DERP node key belongs to an active Coder tailnet participant.
derper --verify-clientsdoes not seem like a fit because it verifies clients through a localtailscaledinstance and a Tailscale tailnet, while Coder manages its own tailnet state.Would you consider exposing a Coder endpoint that could be used directly as the
--verify-client-urltarget for standalonederperinstances?For example, something along these lines:
Where
derpercould send the normal Tailscale admission request, and Coder would respond with whether that node key is currently an active/authorized Coder tailnet peer.A rough usage example might look like:
derper \ --derp=true \ --stun=false \ --verify-client-url="https://coder.example.com/api/v2/tailnet/derp/admit-client?token=..." \ --verify-client-url-fail-open=falseThis would let operators run regional standalone DERP relays while still plumbing relay admission back to Coder's own tailnet membership, instead of relying only on network perimeter controls.
Thanks for your time! 🙏
Beta Was this translation helpful? Give feedback.
All reactions