This article walks you through configuring proxies for Coder.
If your Coder installation accesses the internet through a forward proxy, configure a forward proxy.
If you have a reverse proxy in front of Coder, such as an ingress controller internal to the cluster, then configure a reverse proxy.
Coder supports proxies for outbound HTTP and HTTPS connections once you've
coderd.proxy.https settings in the
Helm chart. These settings correspond to the standard
https_proxy environment variables, respectively.
If the proxy URL does not include a scheme, Coder treats it as an HTTP proxy by
default. Coder also supports proxies using the HTTPS and SOCKS 5 protocols. As a
special case, Coder will always establish connections to
regardless of the
coderd.proxy.exempt setting. For additional proxy setting
information, see the documentation for ProxyFromEnvironment.
For an HTTP proxy with address
http://localhost:3128, use the setting:
coderd: proxy: # If the scheme is omitted, Coder will default to `http` http: localhost:3128
For an HTTPS proxy with address
https://localhost, include the scheme:
coderd: proxy: # If the port is omitted, Coder will use the default port corresponding to # the selected scheme (443 for https) http: https://localhost
For a SOCKS 5 proxy on listening on port 1080, use the setting:
coderd: proxy: http: socks5://10.10.10.10:1080
If you specify a proxy for outbound HTTP connections, and you do not specify a proxy for outgoing HTTPS connections, then Coder will proxy requests to HTTPS endpoints using the HTTP proxy. The previous examples will proxy all requests through the defined proxy, regardless of protocol (HTTP or HTTPS).
To configure a different proxy for use with outbound HTTPS connections, you can
specify the same proxy types (
socks5) using the
coderd: proxy: # Use an HTTP proxy on port 3128 for outbound HTTP connections, and an # HTTP proxy on port 8080 for outbound HTTPS connections. http: http://localhost:3128 https: http://localhost:8080
For hosts that must connect directly, rather than using the proxy, define the
coderd.proxy.exempt setting with a comma-separated list of hosts and
coderd: proxy: # Coder will establish connections to cluster.local or example.com, or # their subdomains directly, rather than using the proxy settings. exempt: "cluster.local,example.com"
If you have a reverse proxy in front of Coder, which is the case if you're using
an ingress controller, Coder receives connections originating from the proxy.
For auditing, logging, and other features to correctly recognize the connecting
user's IP address information, you will need to configure the
By default, Coder will ignore
X-Forwarded-Forand similar headers and remove them from proxied connections to Dev URL services. This prevents clients from spoofing their originating IP addresses.
Specify a list of trusted origin addresses (those of the reverse proxy) in CIDR format as follows:
coderd: reverseProxy: # These settings will treat inbound connections originating from # localhost (127.0.0.1/8) and the RFC 1918 Class A network (10.0.0.0/8) # as trusted proxies, and will consider the configured headers. trustedOrigins: - 127.0.0.1/8 - 10.0.0.0/8 headers: - X-Forwarded-For