Network isolation tool for monitoring and restricting HTTP/HTTPS requests
Usage
coder boundary [flags] [args...]
Description
boundary creates an isolated network environment for target processes, intercepting HTTP/HTTPS traffic through a transparent proxy that enforces user-defined allow rules.
Options
--config
| Type | yaml-config-path |
| Environment | $BOUNDARY_CONFIG |
Path to YAML config file.
--allow
| Type | string |
| Environment | $BOUNDARY_ALLOW |
Allow rule (repeatable). These are merged with the allowlist from the config file. Format: "pattern" or "METHOD[,METHOD] pattern".
—
| Type | string-array |
| YAML | allowlist |
Allowlist rules from config file (YAML only).
--log-level
| Type | string |
| Environment | $BOUNDARY_LOG_LEVEL |
| YAML | log_level |
| Default | warn |
Set log level (error, warn, info, debug).
--log-dir
| Type | string |
| Environment | $BOUNDARY_LOG_DIR |
| YAML | log_dir |
Set a directory to write logs to rather than stderr.
--proxy-port
| Type | int |
| Environment | $PROXY_PORT |
| YAML | proxy_port |
| Default | 8080 |
Set a port for HTTP proxy.
--pprof
| Type | bool |
| Environment | $BOUNDARY_PPROF |
| YAML | pprof_enabled |
Enable pprof profiling server.
--pprof-port
| Type | int |
| Environment | $BOUNDARY_PPROF_PORT |
| YAML | pprof_port |
| Default | 6060 |
Set port for pprof profiling server.
--jail-type
| Type | string |
| Environment | $BOUNDARY_JAIL_TYPE |
| YAML | jail_type |
| Default | nsjail |
Jail type to use for network isolation. Options: nsjail (default), landjail.
--use-real-dns
| Type | bool |
| Environment | $BOUNDARY_USE_REAL_DNS |
| YAML | use_real_dns |
Use real DNS in the jail instead of the dummy DNS (allows DNS exfiltration). Default: false.
--no-user-namespace
| Type | bool |
| Environment | $BOUNDARY_NO_USER_NAMESPACE |
| YAML | no_user_namespace |
Do not create a user namespace. Use in restricted environments that disallow user NS (e.g. Bottlerocket in EKS auto-mode).
--disable-audit-logs
| Type | bool |
| Environment | $DISABLE_AUDIT_LOGS |
| YAML | disable_audit_logs |
Disable sending of audit logs to the workspace agent when set to true.
--log-proxy-socket-path
| Type | string |
| Environment | $CODER_AGENT_BOUNDARY_LOG_PROXY_SOCKET_PATH |
| Default | /tmp/boundary-audit.sock |
Path to the socket where the boundary log proxy server listens for audit logs.
--version
| Type | bool |
Print version information and exit.
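The following pre-flight check is an added example, not code from Coder or from boundary itself. It lints rules against the documented "pattern" or "METHOD[,METHOD] pattern" format, merges the config-file allowlist with `--allow` values, and flags the settings this page describes as reducing isolation or audit visibility. The function names, the strict upper-case method check, and the `example.com` patterns are assumptions made for illustration.

```python
# Added example: pre-flight lint for boundary settings (not Coder's code).
# Assumption: methods are upper-case standard HTTP verbs.
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "CONNECT", "TRACE"}

# YAML keys from this page whose `true` value reduces isolation or visibility.
RISKY_WHEN_TRUE = {
    "use_real_dns": "real DNS in the jail allows DNS exfiltration",
    "disable_audit_logs": "audit logs are not sent to the workspace agent",
}


def parse_rule(rule):
    """Return (methods, pattern); methods is None for a bare pattern (kept opaque)."""
    parts = rule.split()
    if len(parts) == 1:
        return None, parts[0]
    if len(parts) == 2:
        methods = parts[0].split(",")
        bad = [m for m in methods if m not in HTTP_METHODS]
        if bad:
            raise ValueError(f"unknown method(s) {bad} in rule {rule!r}")
        return frozenset(methods), parts[1]
    raise ValueError(f"expected 'pattern' or 'METHOD[,METHOD] pattern': {rule!r}")


def merged_allowlist(config, cli_rules):
    """Config-file allowlist followed by --allow rules, duplicates dropped."""
    seen, merged = set(), []
    for rule in list(config.get("allowlist") or []) + list(cli_rules):
        parsed = parse_rule(rule)
        if parsed not in seen:
            seen.add(parsed)
            merged.append(parsed)
    return merged


def risky_settings(config):
    """Return one finding per risky key that is set to true."""
    return [f"{key}: {why}" for key, why in RISKY_WHEN_TRUE.items()
            if config.get(key) is True]


# Constructed sample: a config as it would look after YAML parsing, plus --allow values.
SAMPLE_CONFIG = {"allowlist": ["example.com", "GET,HEAD api.example.com"],
                 "log_level": "warn", "use_real_dns": True}
SAMPLE_CLI = ["example.com", "POST upload.example.com"]

if __name__ == "__main__":
    print(merged_allowlist(SAMPLE_CONFIG, SAMPLE_CLI), risky_settings(SAMPLE_CONFIG))
```
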