- Notifications
You must be signed in to change notification settings - Fork1k
feat(docs): add wildcard access url documentation page#19713
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Merged
Uh oh!
There was an error while loading.Please reload this page.
Merged
Changes fromall commits
Commits
Show all changes
9 commits Select commitHold shift + click to select a range
bc3b0f3 feat(docs): add wildcard access url documentation page
kacpersaw6203786 Apply review suggestions
kacpersaw56699f3 Apply suggestions from code review
kacpersawdee94f9 Update docs/admin/networking/wildcard-access-url.md
kacpersawa4ee404 Apply review suggestions
kacpersaw2ff6d2b Fix lint
kacpersawe294d47 Merge branch 'main' into kacpersaw/feat-wildcard-access-url-docs
kacpersaw8ea6f79 Update docs/admin/networking/wildcard-access-url.md
kacpersawb13e804 Apply review suggestions
kacpersawFile filter
Filter by extension
Conversations
Failed to load comments.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Jump to
Jump to file
Failed to load files.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Diff view
Diff view
There are no files selected for viewing
139 changes: 139 additions & 0 deletionsdocs/admin/networking/wildcard-access-url.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,139 @@ | ||
| # Wildcard Access URLs | ||
| Wildcard access URLs unlock Coder's full potential for modern development workflows. While optional for basic SSH usage, this feature becomes essential when teams need web applications, development previews, or browser-based tools. **Wildcard access URLs are essential for many development workflows in Coder** - Web IDEs (code-server, VS Code Web, JupyterLab) and some development frameworks work significantly better with subdomain-based access rather than path-based URLs. | ||
| ## Why configure wildcard access URLs? | ||
| ### Key benefits | ||
| - **Enables port access**: Each application gets a unique subdomain with [port support](https://coder.com/docs/user-guides/workspace-access/port-forwarding#dashboard) (e.g. `8080--main--myworkspace--john.coder.example.com`). | ||
| - **Enhanced security**: Applications run in isolated subdomains with separate browser security contexts and prevents access to the Coder API from malicious JavaScript | ||
| - **Better compatibility**: Most applications are designed to work at the root of a hostname rather than at a subpath, making subdomain access more reliable | ||
| ### Applications that require subdomain access | ||
| The following tools require wildcard access URL: | ||
| - **Vite dev server**: Hot module replacement and asset serving issues with path-based routing | ||
| - **React dev server**: Similar issues with hot reloading and absolute path references | ||
| - **Next.js development server**: Asset serving and routing conflicts with path-based access | ||
| - **JupyterLab**: More complex template configuration and security risks when using path-based routing | ||
| - **RStudio**: More complex template configuration and security risks when using path-based routing | ||
| ## Configuration | ||
| `CODER_WILDCARD_ACCESS_URL` is necessary for [port forwarding](port-forwarding.md#dashboard) via the dashboard or running [coder_apps](../templates/index.md) on an absolute path. Set this to a wildcard subdomain that resolves to Coder (e.g. `*.coder.example.com`). | ||
| ```bash | ||
| export CODER_WILDCARD_ACCESS_URL="*.coder.example.com" | ||
| coder server | ||
kacpersaw marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
| ``` | ||
kacpersaw marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
| ### TLS Certificate Setup | ||
| Wildcard access URLs require a TLS certificate that covers the wildcard domain. You have several options: | ||
| > [!TIP] | ||
| > You can use a single certificate for both the access URL and wildcard access URL. The certificate CN or SANs must match the wildcard domain, such as `*.coder.example.com`. | ||
| #### Direct TLS Configuration | ||
| Configure Coder to handle TLS directly using the wildcard certificate: | ||
| ```bash | ||
| export CODER_TLS_ENABLE=true | ||
| export CODER_TLS_CERT_FILE=/path/to/wildcard.crt | ||
| export CODER_TLS_KEY_FILE=/path/to/wildcard.key | ||
| ``` | ||
| See [TLS & Reverse Proxy](../setup/index.md#tls--reverse-proxy) for detailed configuration options. | ||
| #### Reverse Proxy with Let's Encrypt | ||
| Use a reverse proxy to handle TLS termination with automatic certificate management: | ||
| - [NGINX with Let's Encrypt](../../tutorials/reverse-proxy-nginx.md) | ||
| - [Apache with Let's Encrypt](../../tutorials/reverse-proxy-apache.md) | ||
| - [Caddy reverse proxy](../../tutorials/reverse-proxy-caddy.md) | ||
| ### DNS Setup | ||
| You'll need to configure DNS to point wildcard subdomains to your Coder server: | ||
| > [!NOTE] | ||
| > We do not recommend using a top-level-domain for Coder wildcard access | ||
| > (for example `*.workspaces`), even on private networks with split-DNS. Some | ||
| > browsers consider these "public" domains and will refuse Coder's cookies, | ||
| > which are vital to the proper operation of this feature. | ||
| ```text | ||
| *.coder.example.com A <your-coder-server-ip> | ||
| ``` | ||
deansheather marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
deansheather marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
| Or alternatively, using a CNAME record: | ||
| ```text | ||
| *.coder.example.com CNAME coder.example.com | ||
| ``` | ||
| ### Workspace Proxies | ||
| If you're using [workspace proxies](workspace-proxies.md) for geo-distributed teams, each proxy requires its own wildcard access URL configuration: | ||
| ```bash | ||
| # Main Coder server | ||
| export CODER_WILDCARD_ACCESS_URL="*.coder.example.com" | ||
| # Sydney workspace proxy | ||
| export CODER_WILDCARD_ACCESS_URL="*.sydney.coder.example.com" | ||
| # London workspace proxy | ||
| export CODER_WILDCARD_ACCESS_URL="*.london.coder.example.com" | ||
| ``` | ||
| Each proxy's wildcard domain must have corresponding DNS records: | ||
| ```text | ||
| *.sydney.coder.example.com A <sydney-proxy-ip> | ||
| *.london.coder.example.com A <london-proxy-ip> | ||
| ``` | ||
| ## Template Configuration | ||
| In your Coder templates, enable subdomain applications using the `subdomain` parameter: | ||
| ```hcl | ||
| resource "coder_app" "code-server" { | ||
| agent_id = coder_agent.main.id | ||
| slug = "code-server" | ||
| display_name = "VS Code" | ||
| url = "http://localhost:8080" | ||
| icon = "/icon/code.svg" | ||
| subdomain = true | ||
| share = "owner" | ||
| } | ||
| ``` | ||
| ## Troubleshooting | ||
| ### Applications not accessible | ||
| If workspace applications are not working: | ||
| 1. Verify the `CODER_WILDCARD_ACCESS_URL` environment variable is configured correctly: | ||
| - Check the deployment settings in the Coder dashboard (Settings > Deployment) | ||
| - Ensure it matches your wildcard domain (e.g., `*.coder.example.com`) | ||
| - Restart the Coder server if you made changes to the environment variable | ||
| 2. Check DNS resolution for wildcard subdomains: | ||
| ```bash | ||
| dig test.coder.example.com | ||
| nslookup test.coder.example.com | ||
| ``` | ||
| 3. Ensure TLS certificates cover the wildcard domain | ||
| 4. Confirm template `coder_app` resources have `subdomain = true` | ||
| ## See also | ||
| - [Workspace Proxies](workspace-proxies.md) - Improve performance for geo-distributed teams using wildcard URLs | ||
3 changes: 3 additions & 0 deletionsdocs/admin/setup/index.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
5 changes: 5 additions & 0 deletionsdocs/manifest.json
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.