Dev container workflow & security concerns with tunnel.
Hello.
I am trying to migrate my workflow to fully remote development using a home server. Currently, I develop everything in dev containers on a local host, and Coder seems to be especially fit to replace this as it supports dev containers in conjunction with the VSCode Web UI.
I have two questions to this end:
1. Dev containers seem to work fine with the provided template, but is there a way to access a UI (terminal or graphical) similar to VSCode's "Add dev container configuration files"? (See attached image.)
2. Am I paranoid for disabling the tunnel and putting everything behind a VPN? My projects aren't high value targets or anything, but something about allowing a tunnel into my home server feels irresponsible to me.
Thanks!
Category
Help needed
Product
Coder OSS (v2)
Platform
Linux
hello, regarding your first question, what goal are you trying to achieve?
this menu in VSCode is here to bootstrap a new devcontainer spec for your repo, so you should also be able to use this within VSCode web
---
for the tunnel vs VPN, in this case they're pretty much the same thing
Coder uses Tailscale which uses Wireguard for the VPN tunnel
security between something like OpenVPN and Wireguard should be pretty much the same
keep in mind that this tunnel is locked down behind authentication, just as your VPN would be
this is basically the same thing as using a VPN but more integrated in the product
Thanks for the replies!
1.
Correct me if I'm wrong, but this menu shouldn't be available in VSCode Web, since it does not support the dev container extension (which is the reason I personally want to use Coder).
Additionally, even if it did, the Coder dev container template requires a repository to be bootstrapped before instantiation, so you would need an additional workspace just to set up the dev container files.
The current workflow I am imagining would be to set up a repository with VSCode desktop or the dev container CLI before opening it in Coder to create my actual workspace. Not a deal breaker by any means, but it's just a few extra steps to get started.
2.
I see, makes sense.
From what I understand, the moment you open the Coder URL, you are "in contact" with my local instance through the tunnel, right? Maybe I am just overly paranoid, but this seems less secure than CloudFlare Tunnel's model of requiring authentication through CloudFlare Access before a single request is even passed on to the actual server.
Again, not really a dealbreaker since I can use CloudFlare Tunnel instead, but I am severely out of my depth here.
VSCode web does support devcontainers, just differently
basically, Coder's support for devcontainers means that you have 1 Coder workspace per devcontainer spec (usually per project/repo)
whereas the VSCode support is usually 1 devcontainer spec per project/repo within the same "workspace" (usually your computer)
so you can technically open devcontainers in VSCode Web like you would in regular VSCode outside of Coder, your workspace just needs to be able to run Docker
2. depends on what you mean by your "local instance", if you mean the Coder server, then yes
Cloudflare Access gates requests to your web server
Coder's tunnel gates requests to your Coder workspaces
so both of these have the same principle and amount of security, they just don't gate the same thing
and you could use Coder's tunnel through Cloudflare Access (if you access Coder through the web, otherwise the Coder tunnel uses DERP when applicable for better performance, but still authenticated)
let me know if you have any other questions
Thanks for these answers! I spent the last few days setting up a home server based around Coder and CloudFlare Tunnel/Access. Do you think there would in any interest in a short write-up on how to set this up, or is it too niche considering Coder's own tunnel?
we have other people interested in using CF Access alongside with Coder so go ahead!
it's definitely appreciated :)
Haha, nice to know I'm not doing anything too weird.
There are some caveats in particular if you want to run the official VSCode Web due to its dependence on wildcard subdomains, but I'll turn my current setup into a basic Terraform config to get everything up and running.
One thing I still haven't gotten around to solving is getting the WebSocket to work with Access without a blanket IP bypass: CloudFlare ignores its special authentication headers for WebSocket traffic, and Warp is quite a mess to set up programmatically.
--
That aside, I have an unrelated question if you don't mind:
The docs recommend mounting your host's Docker socket if you are going to be developing within "local" Docker containers. This works perfectly fine of course, but it clutters my top level containers with workspaces, and something feels off about giving a container direct access to the host like that.
What is the best way to put all workspace containers into a container of their own, and would this be a bad idea? Maybe just Docker in Docker will do the trick?
(This doesn't actually matter for the purposes of my home server, but I'm trying to learn best practices as I go.)
hey @Caspertje, I'm not sure I'm understanding your question
is this about running your workspaces in Docker or running Docker in your workspaces?
I mean running my workspaces in Docker.
okay so
you can't really avoid polluting the Docker host, since it's not really pollution in the first place
well, Coder needs access to your Docker socket if you're deploying stuff in Docker, if you don't like that you can do either one of these :
- Set up an external Docker host (I would advise a dedicated VM and not a container, because doing Docker-in-Docker-in-Docker isn't great)
- Use a docker socket proxy to only give Coder access to what it needs (though this isn't really documented iirc)
but honestly if you really want isolation I'd recommend going with Kubernetes and having Coder workspaces be in a specific namespace
Noted, thanks! I will look into Kubernetes.
@Phorcys closed the thread.
@Caspertje I am also trying to set up Cloudflare Zero Trust with Coder. Is there any guide/references that I can follow? It will be super helpful. Thanks!
Hi @Nipun Agarwal, we don't have a specific guide, but can you open an issue requesting one at coder/coder on GitHub?
I didn't get around to writing it all out before moving to a custom tunnel architecture, but I can guide you through it. Are you stuck anywhere?
My WebSocket health checks are failing. Tried putting the CODER_HEADER env variable too, but still not working.
Ah yeah, you need to whitelist your home IP address if I recall correctly.
Where can I whitelist this?
It's in your ZeroTrust policy, I can give you some Terraform files that set this all up for you.
That will be super helpful
Also afaik, even if I allow some IP in the Zero Trust policy, the Cloudflare Zero Trust auth page still comes up, right? The policy just mentions whom they want to allow after they enter the auth credentials.
You are looking at the wrong thing, but I got stuck on that exact point as well for some time. It's super confusing.
I'm on mobile right now, but I'll check my old repo for the Terraform files.
Sure, waiting for the files. Thank you so much for all the help. I spent my entire week debugging this lol
https://gist.github.com/te-lang-wakker/bcec0f53437bceca1b385b188a377258
That's for the tunnel (tunnel/main.tf), and this is for Access:
https://gist.github.com/te-lang-wakker/f6d531965786199929a5fcc9c1dddad7
This is what makes the health check work:
@Nipun Agarwal
Just adding that bypass policy to your current setup might do the trick.
With a hardcoded IP of course, I'm using some hacky script execution in the Terraform file to insert my current IP.
I have actually not set up the tunnel yet.. I was using self-hosted applications of Cloudflare.. let me go deep into this and experiment..
You don't need the tunnel if you have a public IP.
Have you added this Terraform in your workspace template? Or is this a one-time setup?
These Terraform files are completely separate from whatever Coder has going on.
So it's something you'd run whenever you want a new tunnel set up. Though I guess it's a one-time setup if you just tunnel your reverse proxy.
Or if you don't use tunnels at all.
But it's probably easier to fix it in the GUI you're already using.
Makes sense
I am experimenting with this right away
Thank you so much
No problem, just let me know if you get stuck. If everything works apart from the WebSocket thing, you're only a single setting removed from getting it up and running I believe.
Ah, and by the way, this won't work because Access does not check for tokens in WebSocket connections if I recall correctly. I tried the same thing.
Yesss, everything else looks good. I am able to log in to the application after authentication with Cloudflare; my relayers are working fine, port forwarding too.. SSH is breaking rn due to WebSockets.. hopefully this will get fixed soon.
Aaah got it... that's why I was like what's happening.. on local I was able to pass the header and get it working with some other URLs.
The IP bypass isn't ideal, but the only alternative seems to be setting up Warp for your connections, and I gave up on that after it turned out too involved to be worth the effort.
Aaah got it, I can work with IP whitelisting for now I believe.
Have you used the IP of the machine that communicates here for the bypass, or your own home IP?
The server running Coder, so my home IP in my case. The Coder back-end sends a request to the hostname you configured, and the health check fails because this request gets blocked by Access. Hence the bypass rule.
So I did that and I was able to get all the checks verified, but when I tried running the VSCode app from Coder, it fails.
Hmm... any errors in particular?
If you are trying to open it in the official VSCode Web, you need to set up some wildcard subdomain stuff as well, but the default vscode-server should work fine.
I guess all of that is configured since if I remove the Zero trust, everything is working fine
Does it just get stuck or are you getting an error?
I am getting an error.
Could you share? I may recognise it.