Add --disable-proxy option (#6349)

src/node/cli.ts

@@ -51,6 +51,7 @@ export interface UserProvidedCodeArgs {
   "disable-file-downloads"?: boolean
   "disable-workspace-trust"?: boolean
   "disable-getting-started-override"?: boolean
+  "disable-proxy"?: boolean
   "session-socket"?: string
 }
 
@@ -178,6 +179,10 @@ export const options: Options<Required<UserProvidedArgs>> = {
     type: "boolean",
     description: "Disable the coder/coder override in the Help: Getting Started page.",
   },
+  "disable-proxy": {
+    type: "boolean",
+    description: "Disable domain and path proxy routes.",
+  },
   // --enable can be used to enable experimental features. These features
   // provide no guarantees.
   enable: { type: "string[]" },
@@ -564,6 +569,10 @@ export async function setDefaults(cliArgs: UserProvidedArgs, configArgs?: Config
     args["disable-getting-started-override"] = true
   }
 
+  if (process.env.CS_DISABLE_PROXY?.match(/^(1|true)$/)) {
+    args["disable-proxy"] = true
+  }
+
   const usingEnvHashedPassword = !!process.env.HASHED_PASSWORD
   if (process.env.HASHED_PASSWORD) {
     args["hashed-password"] = process.env.HASHED_PASSWORD

src/node/http.ts

@@ -75,6 +75,25 @@ export const replaceTemplates = <T extends object>(
     .replace("{{OPTIONS}}", () => escapeJSON(serverOptions))
 }
 
+/**
+ * Throw an error if proxy is not enabled. Call `next` if provided.
+ */
+export const ensureProxyEnabled = (req: express.Request, _?: express.Response, next?: express.NextFunction): void => {
+  if (!proxyEnabled(req)) {
+    throw new HttpError("Forbidden", HttpCode.Forbidden)
+  }
+  if (next) {
+    next()
+  }
+}
+
+/**
+ * Return true if proxy is enabled.
+ */
+export const proxyEnabled = (req: express.Request): boolean => {
+  return !req.args["disable-proxy"]
+}
+
 /**
  * Throw an error if not authorized. Call `next` if provided.
  */

src/node/routes/domainProxy.ts

@@ -1,6 +1,6 @@
 import { Request, Router } from "express"
 import { HttpCode, HttpError } from "../../common/http"
-import { getHost, authenticated, ensureAuthenticated, ensureOrigin, redirect, self } from "../http"
+import { getHost, ensureProxyEnabled, authenticated, ensureAuthenticated, ensureOrigin, redirect, self } from "../http"
 import { proxy } from "../proxy"
 import { Router as WsRouter } from "../wsRouter"
 
@@ -59,6 +59,8 @@ router.all("*", async (req, res, next) => {
     return next()
   }
 
+  ensureProxyEnabled(req)
+
   // Must be authenticated to use the proxy.
   const isAuthenticated = await authenticated(req)
   if (!isAuthenticated) {
@@ -100,6 +102,8 @@ wsRouter.ws("*", async (req, _, next) => {
   if (!port) {
     return next()
   }
+
+  ensureProxyEnabled(req)
   ensureOrigin(req)
   await ensureAuthenticated(req)
   proxy.ws(req, req.ws, req.head, {

src/node/routes/pathProxy.ts

@@ -3,7 +3,7 @@ import * as path from "path"
 import * as qs from "qs"
 import * as pluginapi from "../../../typings/pluginapi"
 import { HttpCode, HttpError } from "../../common/http"
-import { authenticated, ensureAuthenticated, ensureOrigin, redirect, self } from "../http"
+import { ensureProxyEnabled, authenticated, ensureAuthenticated, ensureOrigin, redirect, self } from "../http"
 import { proxy as _proxy } from "../proxy"
 
 const getProxyTarget = (req: Request, passthroughPath?: boolean): string => {
@@ -21,6 +21,8 @@ export async function proxy(
     passthroughPath?: boolean
   },
 ): Promise<void> {
+  ensureProxyEnabled(req)
+
   if (!(await authenticated(req))) {
     // If visiting the root (/:port only) redirect to the login page.
     if (!req.params[0] || req.params[0] === "/") {
@@ -50,6 +52,7 @@ export async function wsProxy(
     passthroughPath?: boolean
   },
 ): Promise<void> {
+  ensureProxyEnabled(req)
   ensureOrigin(req)
   await ensureAuthenticated(req)
   _proxy.ws(req, req.ws, req.head, {