Re: How to best whitelist CDN deb.debian.org?
On Wed, Jan 19, 2022 at 02:20:08PM +, Andy Smith wrote:
> If you have a secure network that must not be able to connect out to
> arbitrary web sites, I think you probably should be running a local
> proxy or Debian mirror outside of that network, then allowing your
> secure network to use that and that alone.

I forgot to add: a good option might be apt-cacher-ng, which is packaged in Debian. You can list the sites that are allowed, e.g. deb.debian.org, and then you'd set it as a proxy on the hosts in your secure network. They'd only be able to download stuff from http://deb.debian.org/… and you'd get caching in there as a bonus. It would not be possible to use it to contact any other site (by URL).

You can probably do a similar thing with other, more general web proxies like squid.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
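Added example, not part of the thread and not apt-cacher-ng's or squid's own code: a minimal Python forward proxy that applies the rule described above, i.e. it forwards only plain-HTTP requests whose URL names a hostname on an allowlist and refuses everything else, including CONNECT tunnels. The allowlist contents, the listening port 3128 and the apt client setting in the comment are assumptions for the example; a real deployment would use apt-cacher-ng or squid, which also cache.

```python
"""Minimal allowlisting HTTP forward proxy for apt (added example, not
apt-cacher-ng or squid code). Only http:// GET/HEAD requests whose hostname
is on ALLOWED_HOSTS are forwarded; everything else gets a 403."""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Hostnames the secure network may fetch packages from (assumed allowlist).
ALLOWED_HOSTS = frozenset({"deb.debian.org", "security.debian.org"})

# Headers that describe the hop rather than the payload; never relayed.
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "te",
              "trailer", "upgrade", "proxy-authenticate", "proxy-authorization"}


def decide(method, url, allowed=ALLOWED_HOSTS):
    """Decide whether a proxy request may be forwarded.

    `url` is the request target as apt sends it to a proxy, i.e. the absolute
    URL such as "http://deb.debian.org/debian/dists/bookworm/InRelease".
    Returns (allowed, reason). The hostname is compared exactly, so
    "deb.debian.org.example.net", or a path that merely contains
    "deb.debian.org" on some other host, is refused.
    """
    if method == "CONNECT":
        # apt does not need CONNECT for http:// sources; a tunnel would let a
        # client reach any TCP endpoint without the proxy seeing the URL.
        return False, "CONNECT tunnels are not allowed"
    if method not in ("GET", "HEAD"):
        return False, "method %s not allowed" % method
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False, "only http:// URLs are proxied"
    host = parts.hostname  # lower-cased, with port and userinfo stripped
    if not host:
        return False, "request target is not an absolute http:// URL"
    if host not in allowed:
        return False, "host %s is not on the allowlist" % host
    return True, "ok"


class _NoRedirect(HTTPRedirectHandler):
    """Do not follow redirects on the server side: the client must come back
    through the proxy so that the new host is checked by decide() as well."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = build_opener(_NoRedirect)


class AllowlistProxy(BaseHTTPRequestHandler):
    def do_CONNECT(self):
        self.send_error(403, decide("CONNECT", self.path)[1])

    def do_GET(self):
        self._forward()

    def do_HEAD(self):
        self._forward()

    def _relay(self, resp, with_body):
        """Copy status, headers and (for GET) body from the origin response."""
        status = getattr(resp, "status", None) or resp.code
        self.send_response(status)
        for name, value in resp.headers.items():
            if name.lower() not in HOP_BY_HOP:
                self.send_header(name, value)
        self.end_headers()
        if with_body:
            while True:
                chunk = resp.read(65536)
                if not chunk:
                    break
                self.wfile.write(chunk)

    def _forward(self):
        ok, reason = decide(self.command, self.path)
        if not ok:
            self.send_error(403, reason)
            return
        req = Request(self.path, method=self.command)
        for name in ("User-Agent", "Range", "If-Range", "If-Modified-Since"):
            if name in self.headers:
                req.add_header(name, self.headers[name])
        try:
            with _OPENER.open(req, timeout=30) as resp:
                self._relay(resp, self.command == "GET")
        except HTTPError as err:
            # 3xx/4xx/5xx from the origin. HTTPError is itself a response
            # object, so relay it: a 302 Location goes back to apt, which
            # re-requests the new URL through this proxy and decide().
            self._relay(err, self.command == "GET")
        except URLError as err:
            self.send_error(502, "upstream error: %s" % err.reason)


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 3128  # assumed port
    # Clients then need, in /etc/apt/apt.conf.d/01proxy (assumed file name):
    #   Acquire::http::Proxy "http://<proxy-host>:3128/";
    ThreadingHTTPServer(("0.0.0.0", port), AllowlistProxy).serve_forever()
```

Run it on a host outside the secure network and point the clients at it with the `Acquire::http::Proxy` setting from the comment. The decision is made on the hostname in the URL, not on the resolved IP, which is what makes it survive the CDN's changing and shared addresses; it is the same check an apt-cacher-ng allowed-site list or a squid `dstdomain` ACL performs, minus the caching.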
Re: How to best whitelist CDN deb.debian.org?
On Wed, 19 Jan 2022, Andy Smith wrote:
> Hi Andreas,
>
> On Wed, Jan 19, 2022 at 08:23:15AM +0100, Andreas Ames wrote:
> > I am sitting behind a firewall, in my case esp. ZScaler. I am wondering
> > what the best way is to whitelist "deb.debian.org" for package management.
>
> I think you may be going about things the wrong way.
>
> I don't know what ZScaler is, but if it's some sort of firewall that even disallows your outbound connections to HTTP sites then it seems that you want a very secure environment.
>
> deb.debian.org is used to give you a reasonably geographically close mirror and to provide resilience when some backend mirror goes away. These goals seem at odds with wanting to block outbound HTTP access to arbitrary sites.
>
> If you have a secure network that must not be able to connect out to arbitrary web sites, I think you probably should be running a local proxy or Debian mirror outside of that network, then allowing your secure network to use that and that alone.
>
> > Do I have to whitelist individually all mirror sites that back the CDN? If
> > so, is there an up-to-date list of the hosts backing "deb.debian.org"?
>
> Most CDNs don't list all of their own frontend caches anywhere. I don't know if there is some exception for Fastly's support of deb.debian.org, but even if there was I don't think I'd trust it to stay accurate over time.

You cannot even guarantee that the same IP won't be used for more than one site. I had hopes that IPv6 might sort this out, but I think there's a push to keep multiple sites on one IP to stop people working out the site from the IP.
Re: How to best whitelist CDN deb.debian.org?
Hi Andreas,

On Wed, Jan 19, 2022 at 08:23:15AM +0100, Andreas Ames wrote:
> I am sitting behind a firewall, in my case esp. ZScaler. I am wondering
> what the best way is to whitelist "deb.debian.org" for package management.

I think you may be going about things the wrong way.

I don't know what ZScaler is, but if it's some sort of firewall that even disallows your outbound connections to HTTP sites then it seems that you want a very secure environment.

deb.debian.org is used to give you a reasonably geographically close mirror and to provide resilience when some backend mirror goes away. These goals seem at odds with wanting to block outbound HTTP access to arbitrary sites.

If you have a secure network that must not be able to connect out to arbitrary web sites, I think you probably should be running a local proxy or Debian mirror outside of that network, then allowing your secure network to use that and that alone.

> Do I have to whitelist individually all mirror sites that back the CDN? If
> so, is there an up-to-date list of the hosts backing "deb.debian.org"?

Most CDNs don't list all of their own frontend caches anywhere. I don't know if there is some exception for Fastly's support of deb.debian.org, but even if there was I don't think I'd trust it to stay accurate over time.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting
Re: How to best whitelist CDN deb.debian.org?
Don't know anything about ZScaler, but I use the peek and splice feature of squid to block/allow domains (you need to build custom Debian packages for this). Of course, this only works as long as ESNI can be blocked.

Tim.

On Wed, 19 Jan 2022, Andreas Ames wrote:
> Hello all,
>
> I am sitting behind a firewall, in my case esp. ZScaler. I am wondering what the best way is to whitelist "deb.debian.org" for package management.
>
> Do I have to whitelist individually all mirror sites that back the CDN? If so, is there an up-to-date list of the hosts backing "deb.debian.org"?
>
> Offtopic: Do you know whether services like ZScaler provide dedicated support for CDNs?
>
> Thanks in advance,
> Andreas
How to best whitelist CDN deb.debian.org?
Hello all,

I am sitting behind a firewall, in my case esp. ZScaler. I am wondering what the best way is to whitelist "deb.debian.org" for package management.

Do I have to whitelist individually all mirror sites that back the CDN? If so, is there an up-to-date list of the hosts backing "deb.debian.org"?

Offtopic: Do you know whether services like ZScaler provide dedicated support for CDNs?

Thanks in advance,
Andreas