Dev URLs configuration
Hey Team, I am new to the Coder environment and I was exploring this feature called Dev URLs. One of the use cases in our org is to give developers the capability to launch their workspaces (which have both BE and FE integrated) and make them available on a publicly accessible URL instead of port forwarding. Is this something which we can achieve with dev URLs? If yes, how is the experience? Will I get a URL by default anytime I launch a new workspace, or do I need to do infra changes for every workspace I launch?
I went through this documentation but it is not very clear
https://s.cdr.dev/docs/admin/devurls/
Thanks and looking forward
Category: Help needed
Product: Coder OSS (v2)
Platform: Linux
hey @Nipun Agarwal Coder v1 has reached EoL, you should look into setting up v2!
Install - Coder Docs
Installing Coder
aaah, in v2 do we have something like devUrls ?
also I want to restrict downloading of files on my workspace. How can I do it ?
yes!
not sure what you mean
you can disable ssh
but downloading files will always be possible in a way or another
Basically I have some sensitive code in the workspace that I don’t want anyone to access. How should I restrict downloading? If I just enable the VS Code browser editor, is there any way to disable file downloads from that?
Is there any documentation that I can follow to setup ?
so basically
you are the only one to have access to the workspace unless you explicitly share it
so only you and the owner of the server (which I suppose is also you) will have access to it
Setup - Coder Docs
Configure user access to your control plane.
all you need to do is set up a wildcard access url and it will enable port forwarding and coder_apps
that's true but the way I was thinking was when a remote developer launches a workspace, all the code will be cloned on the startup. The developer won't have direct code access. Now since they have the ability to download files, they can still download code from there. I want to restrict this since we are a financial org
are you using a service account to clone the code?
yes
i see what you mean, you can restrict it/make it harder but since they're programming on it they will always be able to get a copy
even if you disabled all downloading the code is still displaying on their machine so they can copy/paste it
what i mean is that no matter how hard it is it'll always be possible and someone who wants to do it will likely do it
True, is there any way to make it harder though with current set of features ?
but in that case I would recommend blocking SSH in the template
that way they can't use SFTP
how can I block SSH ?
you can hide it in the agent's display_apps setting
https://registry.terraform.io/providers/coder/coder/latest/docs/resources/agent#nested-schema-for-display_apps
but in terms of actually disabling it, it might be an enterprise feature
Got it, even if I disable SSH, someone can use the web editor to download, right? VS Code gives that option 😅
yes
and i mean since you clone the repo they might also be able to leak the token and download it themselves depending on how it's set up
that's why I would still recommend using individual accounts (even if they don't have access to it), that way if they decide to go rogue, your audit logs will be clearer to analyze
but I guess it's up to personal preference
are you going to any conventions ? (e.g KubeCon, Open Source Summit, etc)
we'll be at SRECon EMEA in 2 weeks
There must be some way, right, where I can use secrets in my terraform code to fetch this token at runtime and clone the repo during startup of the workspace?
Unfortunately no 😦 would love to catch up otherwise
oh yeah you can
Is there any documentation/resources that I can follow ? Since I am new to this
Also circling back on this, I have set this variable and have a wildcard domain too and have set it up with nginx, but when I port forward it still does on my local host, I am not getting any unique URL. Am I missing something?
so you can either have users log in to their own git account via External Auth, which is usually what we recommend
or if you want to use a specific secret then we recommend using a secrets store like HashiCorp Vault and the corresponding terraform provider
could you show what you mean?
like a screenshot or something
I am able to port forward on a public URL now but I am getting this error when trying to open it. I am using Let's Encrypt certificates with an nginx reverse proxy. I followed this article
https://coder.com/docs/tutorials/reverse-proxy-nginx
To prevent copying/pasting and probably downloading, you may look into using a secure browser with Coder. You will also need to disable ssh access to workspaces and only allow browser access using the secure browser.
One possible method is using Island browser.