On Wed, 19 Jan 2022, Andy Smith wrote:

> Hi Andreas,
>
> On Wed, Jan 19, 2022 at 08:23:15AM +0100, Andreas Ames wrote:
> > I am sitting behind a firewall, in my case esp. ZScaler.  I am wondering,
> > what the best way is to whitelist "deb.debian.org" for package management.
>
> I think you may be going about things the wrong way.
>
> I don't know what ZScaler is, but if it's some sort of firewall that
> even disallows your outbound connections to HTTP sites then it seems
> that you want a very secure environment.
>
> deb.debian.org is used to give you a reasonably geographically close
> mirror and to provide resilience when some backend mirror goes away.
> These goals seem at odds with wanting to block outbound HTTP access
> to arbitrary sites.
>
> If you have a secure network that must not be able to connect out to
> arbitrary web sites, I think you probably should be running a local
> proxy or Debian mirror outside of that network, then allowing your
> secure network to use that and that alone.
>
> > Do I have to whitelist individually all mirror sites that back the CDN?  If
> > so, is there an up-to-date list of the hosts backing "deb.debian.org"?
>
> Most CDNs don't list all of their own frontend caches anywhere. I
> don't know if there is some exception for Fastly's support of
> deb.debian.org but even if there was I don't think I'd trust it to
> stay accurate over time.


You cannot even guarantee that the same IP won't be used for more than
one site. I had hopes that IPv6 might sort this out but I think there's
a push to keep multiple sites on one IP to stop people working out the
site from the IP.
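The "local proxy or Debian mirror" approach Andy recommends, as an added example that is not from either poster: the client-side apt configuration for both options, so the secure network only ever talks to one approved internal host instead of the CDN's changing frontends. The host names apt-proxy.internal (port 3142, apt-cacher-ng's default) and mirror.internal, and the bullseye suite, are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): client-side apt configuration for the
# two approaches described above, so the secure network only ever talks to
# one approved internal host instead of deb.debian.org's changing frontends.
# Assumed names: apt-proxy.internal:3142 (apt-cacher-ng's default port),
# mirror.internal, and the bullseye suite. Adjust to your environment.
set -eu

# Option 1: keep deb.debian.org in sources.list but send every fetch through
# an internal caching proxy. The firewall then allows outbound HTTP(S) from
# the proxy host only; clients never reach the CDN directly.
write_apt_proxy_conf() {
    conf_dir=$1 proxy_url=$2
    mkdir -p "$conf_dir"
    cat > "$conf_dir/00local-proxy" <<EOF
// All repository traffic goes via the internal proxy; clients never
// connect to deb.debian.org or its mirrors directly.
Acquire::http::Proxy  "$proxy_url";
Acquire::https::Proxy "$proxy_url";
EOF
    printf '%s\n' "$conf_dir/00local-proxy"
}

# Option 2: point apt at a full local mirror. apt still verifies the signed
# Release file, so the mirror host only needs to be reachable, not trusted
# for integrity. The security archive is expected at "<mirror_url>-security"
# (e.g. http://mirror.internal/debian-security), mirroring Debian's layout.
write_local_mirror_sources() {
    sources_file=$1 mirror_url=$2 suite=$3
    mkdir -p "$(dirname "$sources_file")"
    cat > "$sources_file" <<EOF
deb $mirror_url $suite main
deb $mirror_url $suite-updates main
deb $mirror_url-security $suite-security main
EOF
    printf '%s\n' "$sources_file"
}

# Stand-alone use: "sh this_script.sh --install" writes the proxy config to
# the real apt directory and shows what apt actually picked up.
if [ "${1:-}" = "--install" ]; then
    write_apt_proxy_conf /etc/apt/apt.conf.d http://apt-proxy.internal:3142/
    apt-config dump | grep 'Acquire::http.*::Proxy'
fi
```

Whichever option is used, the firewall rule then names one internal host, and the question of which CDN frontend IPs back deb.debian.org this week never arises on the secure network.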
