From 67d1b05d8a5946993e76baa0f92d350acdfc31f0 Mon Sep 17 00:00:00 2001 From: Vincent Date: Fri, 13 Dec 2024 12:41:51 +0000 Subject: [PATCH] add denylist configuration --- docs/admin/config/index.mdx | 1 + docs/admin/config/network-filtering.mdx | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 docs/admin/config/network-filtering.mdx diff --git a/docs/admin/config/index.mdx b/docs/admin/config/index.mdx index 6955a1848..79771f170 100644 --- a/docs/admin/config/index.mdx +++ b/docs/admin/config/index.mdx @@ -33,3 +33,4 @@ This page documents how to configure a Sourcegraph instance. For deployment conf - [Restore postgres database from snapshot](/admin/config/restore/) - [Enabling database encryption for sensitive data](/admin/config/encryption) - [Configuring Sourcegraph in private networks](/admin/config/private-network) +- [Restricting outgoing connections](/admin/config/network-filtering) diff --git a/docs/admin/config/network-filtering.mdx b/docs/admin/config/network-filtering.mdx new file mode 100644 index 000000000..dbf5adda0 --- /dev/null +++ b/docs/admin/config/network-filtering.mdx @@ -0,0 +1,16 @@ +# Outoing Connection Filtering +It’s possible for the Sourcegraph instance to deny access to hosts by setting the environment variable `EXTERNAL_DENY_LIST` on the deployment. If you want to only prevent codemonitors and other frontend services to connect to arbitrary hosts, you can set the variable only on the frontend deployment. +The external denylist supports a comma separated list of IP ranges, hostnames and keywords. To block all the internal connections use the “private” keyword, this would block all RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and RFC 4193 (FC00::/7) IP addresses. Keywords can be combined with ranges and IP addresses so it's very customizable. + +The default denylist is set up to only block localhost and the Cloud metadata service IP address. Expanding the denylist could interfere with internal authentication providers, and they might need to be excluded from the denylist. + +## Example Configuration + +``` +EXTERNAL_DENY_LIST="private,github.com" +``` + +This would deny all connections to hosts in the private network and github.com. + +## Implementation Details +To achieve this, we use [gitea's hostmatcher](https://github.com/go-gitea/gitea/blob/v1.22.6/modules/hostmatcher/hostmatcher.go#L39). This is configured by default for the `ExternalClient`, which is used for all external requests. The common options and configuration can be found [here](https://github.com/sourcegraph/sourcegraph-public-snapshot/blob/main/internal/httpcli/client.go#L406C1-L423C2).