
How to best whitelist CDN deb.debian.org?


Andreas Ames

Jan 19, 2022, 2:30:05 AM1/19/22
Hello all,

I am sitting behind a firewall, in my case esp. ZScaler. I am wondering what the best way is to whitelist "deb.debian.org" for package management. Do I have to whitelist individually all mirror sites that back the CDN? If so, is there an up-to-date list of the hosts backing "deb.debian.org"?

Off-topic: Do you know whether services like ZScaler provide dedicated support for CDNs?


Thanks in advance,

Andreas

Tim Woodall

Jan 19, 2022, 4:20:06 AM1/19/22
Don't know anything about ZScaler but I use the peek and splice feature
of squid to block/allow domains.

(You need to build custom Debian packages for this.) Of course, this
only works as long as ESNI can be blocked.

Tim.

Andy Smith

Jan 19, 2022, 9:30:04 AM1/19/22
Hi Andreas,

On Wed, Jan 19, 2022 at 08:23:15AM +0100, Andreas Ames wrote:
> I am sitting behind a firewall, in my case esp. ZScaler. I am wondering,
> what the best way is to whitelist "deb.debian.org" for package management.

I think you may be going about things the wrong way.

I don't know what ZScaler is, but if it's some sort of firewall that
even disallows your outbound connections to HTTP sites then it seems
that you want a very secure environment.

deb.debian.org is used to give you a reasonably geographically close
mirror and to provide resilience when some backend mirror goes away.
These goals seem at odds with wanting to block outbound HTTP access
to arbitrary sites.

If you have a secure network that must not be able to connect out to
arbitrary web sites, I think you probably should be running a local
proxy or Debian mirror outside of that network, then allowing your
secure network to use that and that alone.

> Do I have to whitelist individually all mirror sites that back the CDN? If
> so, is there an up-to-date list of the hosts backing "deb.debian.org"?

Most CDNs don't list all of their own frontend caches anywhere. I
don't know if there is some exception for Fastly's support of
deb.debian.org but even if there was I don't think I'd trust it to
stay accurate over time.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting

Tim Woodall

Jan 19, 2022, 9:40:04 AM1/19/22
You cannot even guarantee that the same IP won't be used for more than
one site. I had hopes that IPv6 might sort this out, but I think there's
a push to keep multiple sites on one IP to stop people working out the
site from the IP.

Andy Smith

Jan 19, 2022, 9:50:05 AM1/19/22
On Wed, Jan 19, 2022 at 02:20:08PM +0000, Andy Smith wrote:
> If you have a secure network that must not be able to connect out to
> arbitrary web sites, I think you probably should be running a local
> proxy or Debian mirror outside of that network, then allowing your
> secure network to use that and that alone.

I forgot to add: a good option might be apt-cacher-ng which is
packaged in Debian.

You can list the sites that are allowed, e.g. deb.debian.org, and then
you'd set it as a proxy on the hosts in your secure network. They'd
only be able to download stuff from http://deb.debian.org/… and
you'd get caching in there as a bonus. It would not be possible to
use it to contact any other site (by URL).

You can probably do a similar thing with other more general web
proxies like squid.
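The apt-cacher-ng setup Andy describes, written out as an added configuration example (constructed for this thread, not posted by anyone in it and not the package's shipped defaults). The proxy host address 10.0.0.1 and the name apt-proxy.example.internal are assumptions; `Port`, `BindAddress`, `Remap-*`, `ForceManaged` and `PassThroughPattern` are options documented in the stock acng.conf, and the `Remap-*` lines follow its "incoming prefixes ; backend URLs" form, so check them against the version of acng.conf installed on your proxy. The apt side uses the standard `Acquire::http::Proxy` setting.

```conf
# /etc/apt-cacher-ng/acng.conf on the proxy host (fragment, constructed example)

# Listen only on the interface facing the secure network
# (10.0.0.1 is an assumed internal address).
Port: 3142
BindAddress: 10.0.0.1

# Map the URL prefixes clients may ask for onto the single backend we
# permit. A client may name deb.debian.org or the bare /debian path; either
# way the only host the proxy ever contacts is deb.debian.org.
Remap-debrep: deb.debian.org/debian /debian ; http://deb.debian.org/debian/
Remap-debsec: deb.debian.org/debian-security security.debian.org/debian-security /debian-security ; http://deb.debian.org/debian-security/

# Reject any request that does not match a Remap-* entry above, so the
# proxy cannot be used to fetch from arbitrary sites by URL.
ForceManaged: 1

# Left unset on purpose: with no PassThroughPattern, CONNECT (HTTPS
# tunnelling) requests are refused, so the proxy cannot relay to other hosts.
# PassThroughPattern: .*


# /etc/apt/apt.conf.d/00proxy on each client in the secure network
# (apt-proxy.example.internal is an assumed name resolving to 10.0.0.1).
Acquire::http::Proxy "http://apt-proxy.example.internal:3142";

# Client sources.list entries should use plain http://deb.debian.org/...
# so the proxy can match each path against the Remap-* rules and cache it.
```

After restarting apt-cacher-ng, `apt update` on a client should succeed, while a request for any other URL sent through the proxy (for example `curl -x http://apt-proxy.example.internal:3142 http://example.org/`) should come back with an error from the proxy rather than content. apt-cacher-ng does no client authentication of its own, so the host firewall on the proxy should still limit port 3142 to the secure network.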