Skip to content

Commit b9b402c

Browse files
kylecarbskylecarbs
authored
feat!: generate a self-signed certificate if no certificates are specified (coder#5973)
* feat: generate a self-signed certificate if no certificates are specified Clouds like AWS automatically navigate to https://<ip-here>. This allows us to bind to that immediately, serve a self-signed certificate, then reroute to the access URL. * Add new flag and deprecate old one * Fix redirect if not using tunnel * Add deprecation notice * Fix TLS redirect * Run `make gen` * Fix bad test * Fix gen
1 parent e27f7ac commit b9b402c

11 files changed

Lines changed: 132 additions & 38 deletions

File tree

cli/deployment/config.go

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,11 @@ func newConfig() *codersdk.DeploymentConfig {
3232
Usage: "Specifies the wildcard hostname to use for workspace applications in the form \"*.example.com\".",
3333
Flag: "wildcard-access-url",
3434
},
35+
RedirectToAccessURL: &codersdk.DeploymentConfigField[bool]{
36+
Name: "Redirect to Access URL",
37+
Usage: "Specifies whether to redirect requests that do not match the access URL host.",
38+
Flag: "redirect-to-access-url",
39+
},
3540
// DEPRECATED: Use HTTPAddress or TLS.Address instead.
3641
Address: &codersdk.DeploymentConfigField[string]{
3742
Name: "Address",
@@ -300,11 +305,13 @@ func newConfig() *codersdk.DeploymentConfig {
300305
Flag: "tls-address",
301306
Default: "127.0.0.1:3443",
302307
},
308+
// DEPRECATED: Use RedirectToAccessURL instead.
303309
RedirectHTTP: &codersdk.DeploymentConfigField[bool]{
304310
Name: "Redirect HTTP to HTTPS",
305311
Usage: "Whether HTTP requests will be redirected to the access URL (if it's a https URL and TLS is enabled). Requests to local IP addresses are never redirected regardless of this setting.",
306312
Flag: "tls-redirect-http-to-https",
307313
Default: true,
314+
Hidden: true,
308315
},
309316
CertFiles: &codersdk.DeploymentConfigField[[]string]{
310317
Name: "TLS Certificate Files",

cli/server.go

Lines changed: 66 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -4,13 +4,17 @@ package cli
44

55
import (
66
"context"
7+
"crypto/ecdsa"
8+
"crypto/elliptic"
9+
"crypto/rand"
710
"crypto/tls"
811
"crypto/x509"
912
"database/sql"
1013
"errors"
1114
"fmt"
1215
"io"
1316
"log"
17+
"math/big"
1418
"net"
1519
"net/http"
1620
"net/http/pprof"
@@ -267,6 +271,13 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co
267271
return xerrors.New("tls address must be set if tls is enabled")
268272
}
269273

274+
// DEPRECATED: This redirect used to default to true.
275+
// It made more sense to have the redirect be opt-in.
276+
if os.Getenv("CODER_TLS_REDIRECT_HTTP") == "true" || cmd.Flags().Changed("tls-redirect-http-to-https") {
277+
cmd.PrintErr(cliui.Styles.Warn.Render("WARN:") + " --tls-redirect-http-to-https is deprecated, please use --redirect-to-access-url instead\n")
278+
cfg.RedirectToAccessURL.Value = cfg.TLS.RedirectHTTP.Value
279+
}
280+
270281
tlsConfig, err = configureTLS(
271282
cfg.TLS.MinVersion.Value,
272283
cfg.TLS.ClientAuth.Value,
@@ -390,15 +401,6 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co
390401
cmd.Printf("%s The access URL %s %s, this may cause unexpected problems when creating workspaces. Generate a unique *.try.coder.app URL by not specifying an access URL.\n", cliui.Styles.Warn.Render("Warning:"), cliui.Styles.Field.Render(accessURLParsed.String()), reason)
391402
}
392403

393-
// Redirect from the HTTP listener to the access URL if:
394-
// 1. The redirect flag is enabled.
395-
// 2. HTTP listening is enabled (obviously).
396-
// 3. TLS is enabled (otherwise they're likely using a reverse proxy
397-
// which can do this instead).
398-
// 4. The access URL has been set manually (not a tunnel).
399-
// 5. The access URL is HTTPS.
400-
shouldRedirectHTTPToAccessURL := cfg.TLS.RedirectHTTP.Value && cfg.HTTPAddress.Value != "" && cfg.TLS.Enable.Value && tunnel == nil && accessURLParsed.Scheme == "https"
401-
402404
// A newline is added before for visibility in terminal output.
403405
cmd.Printf("\nView the Web UI: %s\n", accessURLParsed.String())
404406

@@ -769,8 +771,8 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co
769771
// Wrap the server in middleware that redirects to the access URL if
770772
// the request is not to a local IP.
771773
var handler http.Handler = coderAPI.RootHandler
772-
if shouldRedirectHTTPToAccessURL {
773-
handler = redirectHTTPToAccessURL(handler, accessURLParsed)
774+
if cfg.RedirectToAccessURL.Value {
775+
handler = redirectToAccessURL(handler, accessURLParsed, tunnel != nil)
774776
}
775777

776778
// ReadHeaderTimeout is purposefully not enabled. It caused some
@@ -1162,12 +1164,6 @@ func loadCertificates(tlsCertFiles, tlsKeyFiles []string) ([]tls.Certificate, er
11621164
if len(tlsCertFiles) != len(tlsKeyFiles) {
11631165
return nil, xerrors.New("--tls-cert-file and --tls-key-file must be used the same amount of times")
11641166
}
1165-
if len(tlsCertFiles) == 0 {
1166-
return nil, xerrors.New("--tls-cert-file is required when tls is enabled")
1167-
}
1168-
if len(tlsKeyFiles) == 0 {
1169-
return nil, xerrors.New("--tls-key-file is required when tls is enabled")
1170-
}
11711167

11721168
certs := make([]tls.Certificate, len(tlsCertFiles))
11731169
for i := range tlsCertFiles {
@@ -1183,6 +1179,36 @@ func loadCertificates(tlsCertFiles, tlsKeyFiles []string) ([]tls.Certificate, er
11831179
return certs, nil
11841180
}
11851181

1182+
// generateSelfSignedCertificate creates an unsafe self-signed certificate
1183+
// at random that allows users to proceed with setup in the event they
1184+
// haven't configured any TLS certificates.
1185+
func generateSelfSignedCertificate() (*tls.Certificate, error) {
1186+
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
1187+
if err != nil {
1188+
return nil, err
1189+
}
1190+
template := x509.Certificate{
1191+
SerialNumber: big.NewInt(1),
1192+
NotBefore: time.Now(),
1193+
NotAfter: time.Now().Add(time.Hour * 24 * 180),
1194+
1195+
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
1196+
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
1197+
BasicConstraintsValid: true,
1198+
IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
1199+
}
1200+
1201+
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &privateKey.PublicKey, privateKey)
1202+
if err != nil {
1203+
return nil, err
1204+
}
1205+
1206+
var cert tls.Certificate
1207+
cert.Certificate = append(cert.Certificate, derBytes)
1208+
cert.PrivateKey = privateKey
1209+
return &cert, nil
1210+
}
1211+
11861212
func configureTLS(tlsMinVersion, tlsClientAuth string, tlsCertFiles, tlsKeyFiles []string, tlsClientCAFile string) (*tls.Config, error) {
11871213
tlsConfig := &tls.Config{
11881214
MinVersion: tls.VersionTLS12,
@@ -1219,6 +1245,14 @@ func configureTLS(tlsMinVersion, tlsClientAuth string, tlsCertFiles, tlsKeyFiles
12191245
if err != nil {
12201246
return nil, xerrors.Errorf("load certificates: %w", err)
12211247
}
1248+
if len(certs) == 0 {
1249+
selfSignedCertificate, err := generateSelfSignedCertificate()
1250+
if err != nil {
1251+
return nil, xerrors.Errorf("generate self signed certificate: %w", err)
1252+
}
1253+
certs = append(certs, *selfSignedCertificate)
1254+
}
1255+
12221256
tlsConfig.Certificates = certs
12231257
tlsConfig.GetCertificate = func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
12241258
// If there's only one certificate, return it.
@@ -1483,10 +1517,23 @@ func configureHTTPClient(ctx context.Context, clientCertFile, clientKeyFile stri
14831517
return ctx, &http.Client{}, nil
14841518
}
14851519

1486-
func redirectHTTPToAccessURL(handler http.Handler, accessURL *url.URL) http.Handler {
1520+
// nolint:revive
1521+
func redirectToAccessURL(handler http.Handler, accessURL *url.URL, tunnel bool) http.Handler {
14871522
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
1488-
if r.TLS == nil {
1523+
redirect := func() {
14891524
http.Redirect(w, r, accessURL.String(), http.StatusTemporaryRedirect)
1525+
}
1526+
1527+
// Only do this if we aren't tunneling.
1528+
// If we are tunneling, we want to allow the request to go through
1529+
// because the tunnel doesn't proxy with TLS.
1530+
if !tunnel && accessURL.Scheme == "https" && r.TLS == nil {
1531+
redirect()
1532+
return
1533+
}
1534+
1535+
if r.Host != accessURL.Host {
1536+
redirect()
14901537
return
14911538
}
14921539

cli/server_test.go

Lines changed: 23 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -290,11 +290,6 @@ func TestServer(t *testing.T) {
290290
args []string
291291
errContains string
292292
}{
293-
{
294-
name: "NoCertAndKey",
295-
args: []string{"--tls-enable"},
296-
errContains: "--tls-cert-file is required when tls is enabled",
297-
},
298293
{
299294
name: "NoCert",
300295
args: []string{"--tls-enable", "--tls-key-file", key1Path},
@@ -373,6 +368,7 @@ func TestServer(t *testing.T) {
373368
},
374369
},
375370
}
371+
defer client.HTTPClient.CloseIdleConnections()
376372
_, err := client.HasFirstUser(ctx)
377373
require.NoError(t, err)
378374

@@ -527,6 +523,7 @@ func TestServer(t *testing.T) {
527523
},
528524
},
529525
}
526+
defer client.HTTPClient.CloseIdleConnections()
530527
_, err = client.HasFirstUser(ctx)
531528
require.NoError(t, err)
532529

@@ -541,6 +538,7 @@ func TestServer(t *testing.T) {
541538
name string
542539
httpListener bool
543540
tlsListener bool
541+
redirect bool
544542
accessURL string
545543
// Empty string means no redirect.
546544
expectRedirect string
@@ -549,9 +547,17 @@ func TestServer(t *testing.T) {
549547
name: "OK",
550548
httpListener: true,
551549
tlsListener: true,
550+
redirect: true,
552551
accessURL: "https://example.com",
553552
expectRedirect: "https://example.com",
554553
},
554+
{
555+
name: "NoRedirect",
556+
httpListener: true,
557+
tlsListener: true,
558+
accessURL: "https://example.com",
559+
expectRedirect: "",
560+
},
555561
{
556562
name: "NoTLSListener",
557563
httpListener: true,
@@ -600,6 +606,9 @@ func TestServer(t *testing.T) {
600606
if c.accessURL != "" {
601607
flags = append(flags, "--access-url", c.accessURL)
602608
}
609+
if c.redirect {
610+
flags = append(flags, "--redirect-to-access-url")
611+
}
603612

604613
root, _ := clitest.New(t, flags...)
605614
pty := ptytest.New(t)
@@ -652,20 +661,23 @@ func TestServer(t *testing.T) {
652661

653662
// Verify TLS
654663
if c.tlsListener {
655-
tlsURL, err := url.Parse(tlsAddr)
664+
accessURLParsed, err := url.Parse(c.accessURL)
656665
require.NoError(t, err)
657-
client := codersdk.New(tlsURL)
666+
client := codersdk.New(accessURLParsed)
658667
client.HTTPClient = &http.Client{
659668
CheckRedirect: func(req *http.Request, via []*http.Request) error {
660669
return http.ErrUseLastResponse
661670
},
662671
Transport: &http.Transport{
663-
TLSClientConfig: &tls.Config{
664-
//nolint:gosec
665-
InsecureSkipVerify: true,
672+
DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
673+
return tls.Dial(network, strings.TrimPrefix(tlsAddr, "https://"), &tls.Config{
674+
// nolint:gosec
675+
InsecureSkipVerify: true,
676+
})
666677
},
667678
},
668679
}
680+
defer client.HTTPClient.CloseIdleConnections()
669681
_, err = client.HasFirstUser(ctx)
670682
require.NoError(t, err)
671683

@@ -837,6 +849,7 @@ func TestServer(t *testing.T) {
837849
},
838850
},
839851
}
852+
defer client.HTTPClient.CloseIdleConnections()
840853
_, err := client.HasFirstUser(ctx)
841854
require.NoError(t, err)
842855

cli/testdata/coder_server_--help.golden

Lines changed: 3 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -216,6 +216,9 @@ Flags:
216216
"proxy-trusted-headers". e.g.
217217
192.168.1.0/24
218218
Consumes $CODER_PROXY_TRUSTED_ORIGINS
219+
--redirect-to-access-url Specifies whether to redirect requests
220+
that do not match the access URL host.
221+
Consumes $CODER_REDIRECT_TO_ACCESS_URL
219222
--secure-auth-cookie Controls if the 'Secure' property is set
220223
on browser session cookies.
221224
Consumes $CODER_SECURE_AUTH_COOKIE
@@ -277,13 +280,6 @@ Flags:
277280
"tls12" or "tls13"
278281
Consumes $CODER_TLS_MIN_VERSION (default
279282
"tls12")
280-
--tls-redirect-http-to-https Whether HTTP requests will be redirected
281-
to the access URL (if it's a https URL
282-
and TLS is enabled). Requests to local IP
283-
addresses are never redirected regardless
284-
of this setting.
285-
Consumes $CODER_TLS_REDIRECT_HTTP
286-
(default true)
287283
--trace Whether application tracing data is
288284
collected. It exports to a backend
289285
configured by environment variables. See:

coderd/apidoc/docs.go

Lines changed: 3 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

coderd/apidoc/swagger.json

Lines changed: 3 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

codersdk/deployment.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -108,6 +108,7 @@ func (c *Client) Entitlements(ctx context.Context) (Entitlements, error) {
108108
type DeploymentConfig struct {
109109
AccessURL *DeploymentConfigField[string] `json:"access_url" typescript:",notnull"`
110110
WildcardAccessURL *DeploymentConfigField[string] `json:"wildcard_access_url" typescript:",notnull"`
111+
RedirectToAccessURL *DeploymentConfigField[bool] `json:"redirect_to_access_url" typescript:",notnull"`
111112
HTTPAddress *DeploymentConfigField[string] `json:"http_address" typescript:",notnull"`
112113
AutobuildPollInterval *DeploymentConfigField[time.Duration] `json:"autobuild_poll_interval" typescript:",notnull"`
113114
DERP *DERP `json:"derp" typescript:",notnull"`

docs/api/general.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -780,6 +780,17 @@ curl -X GET http://coder-server:8080/api/v2/config/deployment \
780780
"value": true
781781
}
782782
},
783+
"redirect_to_access_url": {
784+
"default": true,
785+
"enterprise": true,
786+
"flag": "string",
787+
"hidden": true,
788+
"name": "string",
789+
"secret": true,
790+
"shorthand": "string",
791+
"usage": "string",
792+
"value": true
793+
},
783794
"scim_api_key": {
784795
"default": "string",
785796
"enterprise": true,

docs/api/schemas.md

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2138,6 +2138,17 @@ CreateParameterRequest is a structure used to create a new parameter value for a
21382138
"value": true
21392139
}
21402140
},
2141+
"redirect_to_access_url": {
2142+
"default": true,
2143+
"enterprise": true,
2144+
"flag": "string",
2145+
"hidden": true,
2146+
"name": "string",
2147+
"secret": true,
2148+
"shorthand": "string",
2149+
"usage": "string",
2150+
"value": true
2151+
},
21412152
"scim_api_key": {
21422153
"default": "string",
21432154
"enterprise": true,
@@ -2423,6 +2434,7 @@ CreateParameterRequest is a structure used to create a new parameter value for a
24232434
| `proxy_trusted_headers` | [codersdk.DeploymentConfigField-array_string](#codersdkdeploymentconfigfield-array_string) | false | | |
24242435
| `proxy_trusted_origins` | [codersdk.DeploymentConfigField-array_string](#codersdkdeploymentconfigfield-array_string) | false | | |
24252436
| `rate_limit` | [codersdk.RateLimitConfig](#codersdkratelimitconfig) | false | | |
2437+
| `redirect_to_access_url` | [codersdk.DeploymentConfigField-bool](#codersdkdeploymentconfigfield-bool) | false | | |
24262438
| `scim_api_key` | [codersdk.DeploymentConfigField-string](#codersdkdeploymentconfigfield-string) | false | | |
24272439
| `secure_auth_cookie` | [codersdk.DeploymentConfigField-bool](#codersdkdeploymentconfigfield-bool) | false | | |
24282440
| `ssh_keygen_algorithm` | [codersdk.DeploymentConfigField-string](#codersdkdeploymentconfigfield-string) | false | | |

docs/cli/coder_server.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -106,6 +106,8 @@ coder server [flags]
106106
Consumes $CODER_PROXY_TRUSTED_HEADERS
107107
--proxy-trusted-origins strings Origin addresses to respect "proxy-trusted-headers". e.g. 192.168.1.0/24
108108
Consumes $CODER_PROXY_TRUSTED_ORIGINS
109+
--redirect-to-access-url Specifies whether to redirect requests that do not match the access URL host.
110+
Consumes $CODER_REDIRECT_TO_ACCESS_URL
109111
--secure-auth-cookie Controls if the 'Secure' property is set on browser session cookies.
110112
Consumes $CODER_SECURE_AUTH_COOKIE
111113
--ssh-keygen-algorithm string The algorithm to use for generating ssh keys. Accepted values are "ed25519", "ecdsa", or "rsa4096".
@@ -134,8 +136,6 @@ coder server [flags]
134136
Consumes $CODER_TLS_KEY_FILE
135137
--tls-min-version string Minimum supported version of TLS. Accepted values are "tls10", "tls11", "tls12" or "tls13"
136138
Consumes $CODER_TLS_MIN_VERSION (default "tls12")
137-
--tls-redirect-http-to-https Whether HTTP requests will be redirected to the access URL (if it's a https URL and TLS is enabled). Requests to local IP addresses are never redirected regardless of this setting.
138-
Consumes $CODER_TLS_REDIRECT_HTTP (default true)
139139
--trace Whether application tracing data is collected. It exports to a backend configured by environment variables. See: https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/protocol/exporter.md
140140
Consumes $CODER_TRACE_ENABLE
141141
--trace-honeycomb-api-key string Enables trace exporting to Honeycomb.io using the provided API Key.

0 commit comments

Comments
 (0)