Workspace proxies provide low-latency experiences for geo-distributed teams.

Coder's networking does a best effort to make direct connections to a workspace.

In situations where this is not possible, such as connections via the web

terminal and[web IDEs](../../user-guides/workspace-access/README.md#web-ides), workspace proxies are able to

reduce the amount of distance the network traffic needs to travel.

A workspace proxy is a relay connection a developer can choose to use when

connecting with their workspace over SSH, a workspace app, port forwarding, etc.

Dashboard connections and API calls (e.g. the workspaces list) are not served

over workspace proxies.


Each workspace proxy should be a unique instance. At no point should 2 workspace

proxy instances share the same authentication token. They only require port 443

to be open and are expected to have network connectivity to the coderd

dashboard. Workspace proxies**do not** make any database connections.

Workspace proxies can be used in the browser by navigating to the user

- The[Coder CLI](../../reference/cli/README.md) must be installed and authenticated as a user with

the Owner role.

Create the workspace proxy and make sure to save the returned authentication

token for said proxy. This is the token the workspace proxy will use to

authenticate back to primary coderd.

$ coder wsproxy create --name=newyork --display-name="USA East" --icon="/emojis/2194.png"

Workspace Proxy"newyork" created successfully. Save this token, it will not be shown again.

Token: 2fb6500b-bb47-4783-a0db-dedde895b865:05271b4ef9432bac14c02b3c56b5a2d7f05453718a1f85ba7e772c0a096c7175

To verify it was created.

$ coder wsproxy ls

NAME URL STATUS STATUS

newyork unregistered

Deploying the workspace proxy will also register the proxy with coderd and make

the workspace proxy usable. If the proxy deployment is successful,

`coder wsproxy ls` will show an`ok` status code:

Other Status codes:

-`unregistered` : The workspace proxy was created, and not yet deployed

-`unreachable` : The workspace proxy was registered, but is not responding.

Likely the proxy went offline.

-`unhealthy` : The workspace proxy is reachable, but has some issue that is

preventing the proxy from being used.`coder wsproxy ls` should show the error

message.

-`ok` : The workspace proxy is healthy and working properly!

Workspace proxy configuration overlaps with a subset of the coderd

configuration. To see the full list of configuration options:

CODER_PRIMARY_ACCESS_URL="https://<url_of_coderd_dashboard>"

CODER_PROXY_SESSION_TOKEN="<session_token_from_proxy_create>"

CODER_HTTP_ADDRESS=0.0.0.0:80

CODER_TLS_ADDRESS=0.0.0.0:443

CODER_ACCESS_URL="https://<access_url_of_proxy>"

CODER_WILDCARD_ACCESS_URL="*.<app_hostname_of_proxy>"

CODER_TLS_ENABLE=true

CODER_TLS_CLIENT_AUTH=none

CODER_TLS_CERT_FILE="<cert_file_location>"

CODER_TLS_KEY_FILE="<key_file_location>"

Make a`values-wsproxy.yaml` with the workspace proxy configuration:

coder:

env:

-name:CODER_PRIMARY_ACCESS_URL

value:"https://<url_of_coderd_dashboard>"

-name:CODER_PROXY_SESSION_TOKEN

value:"<session_token_from_proxy_create>"

-name:CODER_ACCESS_URL

value:"https://<access_url_of_proxy>"

-name:CODER_WILDCARD_ACCESS_URL

value:"*.<app_hostname_of_proxy>"

tls:

secretNames:

-kubernetes-wsproxy-secret

workspaceProxy:true

Test that the workspace proxy is reachable with`curl -vvv`. If for some reason,

the Coder dashboard still shows the workspace proxy is`UNHEALTHY`, scale down

and up the deployment's replicas.

coder wsproxy server

If you've installed Coder via a[system package](../../install/README.md), you can

configure the workspace proxy by settings in

To run workspace proxy as a system service on the host:

sudo systemctlenable --now coder-workspace-proxy

journalctl -u coder-workspace-proxy.service -b

To restart workspace proxy after applying system changes:

sudo systemctl restart coder-workspace-proxy

Modify the default entrypoint to run a workspace proxy server instead of a

regular Coder server.

Change the provided

file to include a custom entrypoint:

image: ghcr.io/coder/coder:${CODER_VERSION:-latest}

docker run --rm -it --entrypoint /opt/coder ghcr.io/coder/coder:latest wsproxy server

FROM ghcr.io/coder/coder:latest

ENTRYPOINT ["/opt/coder","wsproxy","server"]

Users can select a workspace proxy at the top-right of the browser-based Coder

dashboard. Workspace proxy preferences are cached by the web browser. If a proxy

goes offline, the session will fall back to the primary proxy. This could take

up to 60 seconds.


Coder workspace proxy exports metrics via the HTTP endpoint, which can be

enabled using either the environment variable`CODER_PROMETHEUS_ENABLE` or the

flag`--prometheus-enable`.

The Prometheus endpoint address is`http://localhost:2112/` by default. You can

use either the environment variable`CODER_PROMETHEUS_ADDRESS` or the flag

`--prometheus-address <network-interface>:<port>` to select a different listen

address.