Proxies

This article walks you through configuring proxies for Coder.

If your Coder installation accesses the internet through a forward proxy, configure a forward proxy.

If you have a reverse proxy in front of Coder, such as an ingress controller internal to the cluster, then configure a reverse proxy.

Forward proxies

Coder supports proxies for outbound HTTP and HTTPS connections once you've configured the coderd.proxy.http and coderd.proxy.https settings in the Helm chart. These settings correspond to the standard http_proxy and https_proxy environment variables, respectively.

If the proxy URL does not include a scheme, Coder treats it as an HTTP proxy by default. Coder also supports proxies using the HTTPS and SOCKS 5 protocols. As a special case, Coder will always establish connections to localhost directly, regardless of the coderd.proxy.exempt setting. For additional proxy setting information, see the documentation for ProxyFromEnvironment.

For an HTTP proxy with address http://localhost:3128, use the setting:

coderd:
  proxy:
    # If the scheme is omitted, Coder will default to `http`
    http: localhost:3128

For an HTTPS proxy with address https://localhost, include the scheme:

coderd:
  proxy:
    # If the port is omitted, Coder will use the default port corresponding to
    # the selected scheme (443 for https)
    http: https://localhost

For a SOCKS 5 proxy on listening on port 1080, use the setting:

coderd:
  proxy:
    http: socks5://10.10.10.10:1080

If you specify a proxy for outbound HTTP connections, and you do not specify a proxy for outgoing HTTPS connections, then Coder will proxy requests to HTTPS endpoints using the HTTP proxy. The previous examples will proxy all requests through the defined proxy, regardless of protocol (HTTP or HTTPS).

To configure a different proxy for use with outbound HTTPS connections, you can specify the same proxy types (http, https, socks5) using the coderd.proxy.https key:

coderd:
  proxy:
    # Use an HTTP proxy on port 3128 for outbound HTTP connections, and an
    # HTTP proxy on port 8080 for outbound HTTPS connections.
    http: http://localhost:3128
    https: http://localhost:8080

For hosts that must connect directly, rather than using the proxy, define the coderd.proxy.exempt setting with a comma-separated list of hosts and subdomains:

coderd:
  proxy:
    # Coder will establish connections to cluster.local or example.com, or
    # their subdomains directly, rather than using the proxy settings.
    exempt: "cluster.local,example.com"

Reverse proxies

If you have a reverse proxy in front of Coder, which is the case if you're using an ingress controller, Coder receives connections originating from the proxy. For auditing, logging, and other features to correctly recognize the connecting user's IP address information, you will need to configure the coderd.reverseProxy setting.

By default, Coder will ignore X-Forwarded-For and similar headers and remove them from proxied connections to Dev URL services. This prevents clients from spoofing their originating IP addresses.

Specify a list of trusted origin addresses (those of the reverse proxy) in CIDR format as follows:

coderd:
  reverseProxy:
    # These settings will treat inbound connections originating from
    # localhost (127.0.0.1/8) and the RFC 1918 Class A network (10.0.0.0/8)
    # as trusted proxies, and will consider the configured headers.
    trustedOrigins:
      - 127.0.0.1/8
      - 10.0.0.0/8

    headers:
      - X-Forwarded-For
See an opportunity to improve our docs? Make an edit.