Help deploying Coder in offline/internal network with external domain & SSL (behind uni IT proxy)

Hi yall, I'm trying to deploy Coder in a university lab environment for my prof, but I'm running into challenges due to network restrictions and proxy handling by the university's IT department.

⚙️ Goal
I need to run Coder in offline/internal mode on a server within our local network (e.g., 10.0.x.xxx:1512), and then have the university IT map a public domain (e.g., university.demo.com) to this internal IP with SSL properly configured.

🧩 Constraints
- IT controls all HTTPS handling, including issuing SSL certs and domain routing.
- I cannot directly expose the server to the internet or manage SSL certs myself.
- They require me to run the service locally first, and then submit a request to proxy it externally with SSL.
- Coder’s installation script seems to auto-handle proxy/SSL and expects to be publicly reachable or manage the proxy config itself.

🧠 What I'm trying to achieve
- Installing Coder using the provided script.
- Running it on an internal port like 1512.
- Avoiding any auto-configuration of HTTPS or proxy (I want to serve it without SSL locally, and let IT handle SSL via reverse proxy).

❓ My questions
- How can I configure Coder to run without SSL on a custom port (e.g., 1512) internally?
- Can I fully disable Coder’s automatic HTTPS handling or proxy assumptions?
- What’s the best-practice for running Coder in an internal lab environment where SSL and public access are managed externally?
- Any recommendations on configuration flags or environment variables I should use?

Thanks in advance! I’d appreciate any guidance from those who’ve done similar deployments behind a reverse proxy or in isolated environments.
11 Replies
Codercord, 3w ago
Category: Help needed
Product: Coder (v2)
Platform: Linux
Logs: Please post any relevant logs/error messages.
Phorcys, 3w ago
hey @Vũ Huy -- please don't cross-post 🙏 (https://github.com/coder/coder/discussions/17374)
GitHub
Can CODER_WILDCARD_ACCESS_URL be configured with a *-coder.example....
Hi there, I'm currently setting up Coder in our organization and came across a potential limitation regarding the CODER_WILDCARD_ACCESS_URL configuration. According to the documentation, it'...
Phorcys, 3w ago
i'll take a look shortly
fyi we check both channels on a regular basis
Vũ Huy (OP), 3w ago
Understood 🫡, sorry for the trouble, i'll delete the discussion on github and update the information in here, thanks for your support
Phorcys, 3w ago
no worries! it just makes it a bit tougher to follow what's going on!
Vũ Huy (OP), 3w ago
Since I've deleted/closed the discussion on github, i'll update the information from the discussion I created here for continuation:

According to the documentation, it's recommended to use a wildcard domain like:
CODER_WILDCARD_ACCESS_URL=*.coder.example.com

However, I have made requests to the IT dept, and due to some internal policy, they're unable to use subdomains directly under coder.example.com. Instead, we are only permitted to use wildcard domains in the format:
"*-coder.example.com"

Is it possible to configure CODER_WILDCARD_ACCESS_URL to support this kind of wildcard pattern (*-coder.example.com)? If not currently supported, are there any suggested workarounds or plans to support this structure?
Phorcys, 3w ago
> How can I configure Coder to run without SSL on a custom port (e.g., 1512) internally?
use CODER_HTTP_ADDRESS e.g. set it to 10.0.x.x:1512

> Can I fully disable Coder's automatic HTTPS handling or proxy assumptions?
HTTP is used by default and HTTP/s is only on when configured. Regarding the proxy, AFAIK it just uses Golang's default way of handling proxies, but maybe there's some shenanigans when running Terraform

> What's the best-practice for running Coder in an internal lab environment where SSL and public access are managed externally?
I'd run Coder with TLS on just to secure the connexion with their reverse-proxy if possible, the cert doesn't have to be valid but at least it won't be communicating over plain text. But it's likely that the IT dept won't support this use-case

> Any recommendations on configuration flags or environment variables I should use?
Not really, depends on your use-case!

Coder doesn't support this atm

quick question though, wouldn't you need to get each new domain approved?
Vũ Huy (OP), 3w ago
Thanks for the information. Idk, but our IT dept has an internal site for approving those kinds of requests, I think they have some kind of service to track and auto grant access to new domains. But from my side, I just need to get the request approved.
Phorcys, 3w ago
what i mean is that with these *-coder.example.com domains you'd need an ssl cert for each coder domain
they are dynamic based on the workspace name, user name, port number and other things
so if you needed to get them all approved it just wouldn't be feasible
Vũ Huy (OP), 3w ago
yeah, the IT dept has told me today that getting these *-coder.example.com domains approved would not be possible. I think i might have missed something. I'm currently deploying by this guide https://github.com/coder/coder/blob/main/docs/tutorials/reverse-proxy-nginx.md, with the change of CODER_WILDCARD_ACCESS_URL=*-coder.example.com. Then in step 2, i request the IT dept to point https://coder.example.com to my server public ip. Then I continue with setting up coder by docker compose as usual. All the nginx config steps, certificate creation and dns credentials are skipped. Is my setup correct or does it still need some changes?
Atif, 3w ago
Hi @Vũ Huy you can start without a wildcard domain
Most of our modules support running without a subdomain too
