Hi Andreas,

On Wed, Jan 19, 2022 at 08:23:15AM +0100, Andreas Ames wrote:
> I am sitting behind a firewall, in my case esp. ZScaler. I am wondering,
> what the best way is to whitelist "deb.debian.org" for package management.

I think you may be going about things the wrong way. I don't know what ZScaler is, but if it's some sort of firewall that even disallows your outbound connections to HTTP sites then it seems that you want a very secure environment.

deb.debian.org is used to give you a reasonably geographically close mirror and to provide resilience when some backend mirror goes away. These goals seem at odds with wanting to block outbound HTTP access to arbitrary sites.

If you have a secure network that must not be able to connect out to arbitrary web sites, I think you probably should be running a local proxy or Debian mirror outside of that network, then allowing your secure network to use that and that alone.

> Do I have to whitelist individually all mirror sites that back the CDN? If
> so, is there an up-to-date list of the hosts backing "deb.debian.org"?

Most CDNs don't list all of their own frontend caches anywhere. I don't know if there is some exception for Fastly's support of deb.debian.org but even if there was I don't think I'd trust it to stay accurate over time.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting