@bencc @whitequark This is a closed system and I already have an in house TLS PKI for other reasons. I have no problem doing a MITM CA if that's the way to do it.
@azonenberg @whitequark possibly that's more work to set up, but doesn't rely on the entire software stack obeying http_proxy/https_proxy env vars for success. I'd not expect 100% there, so possibly MITM would be more reliable. Plus you get to find out if anything bundles its own CA list...
-
@bencc @whitequark I only intend to do git clones and nothing else
-
Trying to figure out how to lock down my CI runners as much as possible.
They need to be able to reach out to GitHub to HTTPS check out the source code, but I can't easily add a firewall rule for "can only clone this one repo from github".
Ideas beyond "open port 443 outbound to the entire internet"?
@azonenberg Can you use ssh instead of https for the checkout? Seems it might be easier to lock down to only authorized connections.
-
@lluad I ideally want to limit to specific repositories, so I think an https MITM/stripping proxy is the only viable route here
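The per-repository restriction the thread lands on only works if the proxy can see the request path, which means TLS termination with the in-house CA (a plain CONNECT forward proxy sees only the hostname). Below is an added example, not code from anyone in this thread, of the allow/deny decision such a proxy would apply to each decrypted request. It relies on the fact that a git smart-HTTP clone or fetch uses exactly two endpoints (`GET .../info/refs?service=git-upload-pack` and `POST .../git-upload-pack`), so everything else, including `git-receive-pack` pushes and other GitHub hosts, is denied by default. The allowlisted repository name and the sample request log are constructed placeholders.

```python
"""Allowlist policy for git smart-HTTP requests seen by a TLS-terminating
proxy in front of CI runners. Example code; the repo names are constructed."""
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist: (host, owner, repo) tuples the runners may fetch from.
ALLOWED_REPOS = {("github.com", "example-org", "example-repo")}


def classify_git_request(method: str, url: str) -> tuple[bool, str]:
    """Decide whether one proxied request is an allowed git fetch.

    Git's smart-HTTP clone/fetch uses exactly two endpoints:
      GET  /<owner>/<repo>[.git]/info/refs?service=git-upload-pack
      POST /<owner>/<repo>[.git]/git-upload-pack
    Everything else (pushes via git-receive-pack, other hosts, other
    paths) is denied by default.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "non-https scheme"
    host = (parts.hostname or "").lower()
    segments = parts.path.split("/")
    # Expect ["", owner, repo, ...rest]; reject empty or dot segments so a
    # path like /allowed/repo/../other/... cannot slip past the repo check.
    if len(segments) < 4 or "" in segments[1:3] or ".." in segments or "." in segments:
        return False, "unexpected path shape"
    owner, repo = segments[1], segments[2]
    if repo.endswith(".git"):
        repo = repo[:-4]
    if (host, owner, repo) not in ALLOWED_REPOS:
        return False, f"repo {host}/{owner}/{repo} not allowlisted"
    suffix = "/".join(segments[3:])
    query = parse_qs(parts.query)
    if method == "GET" and suffix == "info/refs" and query.get("service") == ["git-upload-pack"]:
        return True, "ref discovery for fetch"
    if method == "POST" and suffix == "git-upload-pack" and not parts.query:
        return True, "pack negotiation for fetch"
    return False, f"{method} {suffix} is not a fetch endpoint"


# Constructed proxy log: (method, url) pairs a runner might issue.
SAMPLE_REQUESTS = [
    ("GET", "https://github.com/example-org/example-repo.git/info/refs?service=git-upload-pack"),
    ("POST", "https://github.com/example-org/example-repo.git/git-upload-pack"),
    ("GET", "https://github.com/example-org/example-repo.git/info/refs?service=git-receive-pack"),
    ("POST", "https://github.com/example-org/other-repo.git/git-receive-pack"),
    ("GET", "https://api.github.com/repos/example-org/example-repo"),
    ("GET", "https://github.com/example-org/example-repo.git/../evil-repo/info/refs?service=git-upload-pack"),
]


def audit(requests):
    """Return the (method, url, reason) triples the policy denies."""
    return [(m, u, reason) for m, u in requests
            for allowed, reason in [classify_git_request(m, u)] if not allowed]


if __name__ == "__main__":
    for m, u in SAMPLE_REQUESTS:
        ok, why = classify_git_request(m, u)
        print("ALLOW" if ok else "DENY ", m, u, "--", why)
```

On the runner side, git itself honours `http.proxy`/`https_proxy` and will trust the in-house CA via `http.sslCAInfo` (or the system trust store), which covers the "git clones and nothing else" case; bencc's caveat still applies to any other tool on the runner that bundles its own CA list or ignores the proxy variables, and a default-deny egress rule at the firewall is what catches those.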
-