# boundary

Network isolation tool for monitoring and restricting HTTP/HTTPS requests

## Usage

```console
coder boundary [flags] [args...]
```

## Description

```console
boundary creates an isolated network environment for target processes, intercepting HTTP/HTTPS traffic through a transparent proxy that enforces user-defined allow rules.
```

## Options

### --config

|             |                     |
|-------------|---------------------|
| Type        | `yaml-config-path`  |
| Environment | `$BOUNDARY_CONFIG`  |

Path to YAML config file.

### --allow

|             |                    |
|-------------|--------------------|
| Type        | `string`           |
| Environment | `$BOUNDARY_ALLOW`  |

Allow rule (repeatable). These are merged with allowlist from config file. Format: "pattern" or "METHOD[,METHOD] pattern".

### --

|      |                |
|------|----------------|
| Type | `string-array` |
| YAML | `allowlist`    |

Allowlist rules from config file (YAML only).

### --log-level

|             |                        |
|-------------|------------------------|
| Type        | `string`               |
| Environment | `$BOUNDARY_LOG_LEVEL`  |
| YAML        | `log_level`            |
| Default     | `warn`                 |

Set log level (error, warn, info, debug).

### --log-dir

|             |                      |
|-------------|----------------------|
| Type        | `string`             |
| Environment | `$BOUNDARY_LOG_DIR`  |
| YAML        | `log_dir`            |

Set a directory to write logs to rather than stderr.

### --proxy-port

|             |                |
|-------------|----------------|
| Type        | `int`          |
| Environment | `$PROXY_PORT`  |
| YAML        | `proxy_port`   |
| Default     | `8080`         |

Set a port for HTTP proxy.

### --pprof

|             |                    |
|-------------|--------------------|
| Type        | `bool`             |
| Environment | `$BOUNDARY_PPROF`  |
| YAML        | `pprof_enabled`    |

Enable pprof profiling server.

### --pprof-port

|             |                         |
|-------------|-------------------------|
| Type        | `int`                   |
| Environment | `$BOUNDARY_PPROF_PORT`  |
| YAML        | `pprof_port`            |
| Default     | `6060`                  |

Set port for pprof profiling server.

### --jail-type

|             |                        |
|-------------|------------------------|
| Type        | `string`               |
| Environment | `$BOUNDARY_JAIL_TYPE`  |
| YAML        | `jail_type`            |
| Default     | `nsjail`               |

Jail type to use for network isolation. Options: nsjail (default), landjail.

### --use-real-dns

|             |                           |
|-------------|---------------------------|
| Type        | `bool`                    |
| Environment | `$BOUNDARY_USE_REAL_DNS`  |
| YAML        | `use_real_dns`            |

Use real DNS in the jail instead of the dummy DNS (allows DNS exfiltration). Default: false.

### --no-user-namespace

|             |                                |
|-------------|--------------------------------|
| Type        | `bool`                         |
| Environment | `$BOUNDARY_NO_USER_NAMESPACE`  |
| YAML        | `no_user_namespace`            |

Do not create a user namespace. Use in restricted environments that disallow user NS (e.g. Bottlerocket in EKS auto-mode).

### --disable-audit-logs

|             |                        |
|-------------|------------------------|
| Type        | `bool`                 |
| Environment | `$DISABLE_AUDIT_LOGS`  |
| YAML        | `disable_audit_logs`   |

Disable sending of audit logs to the workspace agent when set to true.

### --log-proxy-socket-path

|             |                                                |
|-------------|------------------------------------------------|
| Type        | `string`                                       |
| Environment | `$CODER_AGENT_BOUNDARY_LOG_PROXY_SOCKET_PATH`  |
| Default     | `/tmp/boundary-audit.sock`                     |

Path to the socket where the boundary log proxy server listens for audit logs.

### --version

|      |        |
|------|--------|
| Type | `bool` |

Print version information and exit.
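
A config file assembled from the YAML keys listed above, with the isolation-weakening switches left at their safe values. This is an added example, not a file from the boundary project; the file name, the allowlist hosts and the log directory are constructed placeholders, and the spelling of the patterns themselves is an assumption because this page gives only the rule format.

```yaml
# boundary.yaml: constructed example. Pass its path with --config or $BOUNDARY_CONFIG.
# Every key is a YAML name listed on this page; values marked "placeholder" are assumptions.

# Rules follow the documented format: "pattern" or "METHOD[,METHOD] pattern".
# Rules supplied with --allow / $BOUNDARY_ALLOW are merged with this list.
allowlist:
  - "GET,HEAD example.com"       # placeholder pattern, METHOD[,METHOD] form
  - "POST api.example.com"       # placeholder pattern, single-method form
  - "example.org"                # placeholder pattern, bare "pattern" form

jail_type: nsjail                # default; the other documented option is landjail
proxy_port: 8080                 # default port for the HTTP proxy

# Keep the dummy DNS. Setting this to true uses real DNS inside the jail,
# which the option description notes allows DNS exfiltration.
use_real_dns: false

# Set to true only where the host disallows user namespaces
# (the page's example: Bottlerocket in EKS auto-mode).
no_user_namespace: false

# Keep audit logs flowing to the workspace agent.
disable_audit_logs: false

log_level: info                  # one of error, warn, info, debug; default is warn
log_dir: /var/log/boundary       # placeholder path; omit to log to stderr

# Leave the pprof profiling server off unless it is needed.
pprof_enabled: false
pprof_port: 6060                 # default; only relevant when pprof_enabled is true
```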