From 878965e226ab78404db779d2f4732e3e1a473e19 Mon Sep 17 00:00:00 2001 From: Vincent Date: Wed, 18 Dec 2024 22:42:26 +0100 Subject: [PATCH 1/3] add allowlist documentation --- docs/admin/config/network-filtering.mdx | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/docs/admin/config/network-filtering.mdx b/docs/admin/config/network-filtering.mdx index dbf5adda0..7bb2d45ea 100644 --- a/docs/admin/config/network-filtering.mdx +++ b/docs/admin/config/network-filtering.mdx 
@@ -1,10 +1,16 @@ # Outoing Connection Filtering -It’s possible for the Sourcegraph instance to deny access to hosts by setting the environment variable `EXTERNAL_DENY_LIST` on the deployment. If you want to only prevent codemonitors and other frontend services to connect to arbitrary hosts, you can set the variable only on the frontend deployment. -The external denylist supports a comma separated list of IP ranges, hostnames and keywords. To block all the internal connections use the “private” keyword, this would block all RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and RFC 4193 (FC00::/7) IP addresses. Keywords can be combined with ranges and IP addresses so it's very customizable. +Sourcegraph supports outbound connection filtering. Both for regular external connections and so-called "untrusted" connections, where a regular user can provide a URL to make an outbound connection to. + +The allow- and denylist support a comma separated list of IP ranges, hostnames and keywords. To block or allow all the internal connections use the “private” keyword, this would block all RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and RFC 4193 (FC00::/7) IP addresses. Keywords can be combined with ranges and IP addresses so it's very customizable. + +## Trusted External Connections +It’s possible for the Sourcegraph instance to deny access to external hosts by setting the environment variable `EXTERNAL_DENY_LIST` on the deployment. The default denylist is set up to only block localhost and the Cloud metadata service IP address. Expanding the denylist could interfere with internal authentication providers, and they might need to be excluded from the denylist. -## Example Configuration +### Example Configuration + +Adding a denylist can be done by setting the environment variable `EXTERNAL_DENY_LIST` on the deployment. ``` EXTERNAL_DENY_LIST="private,github.com" 
@@ -12,5 +18,16 @@ EXTERNAL_DENY_LIST="private,github.com" This would deny all connections to hosts in the private network and github.com. +## Untrusted External Connections +Codemonitors, webhooks and Cody URL context are limited to only be able to access public IP addresses by default. This behavior can be changed with the `UNTRUSTED_EXTERNAL_ALLOW_LIST` environment variable, which configures the allowlist. + +### Example Configuration +# +If you want Cody to use context from an internal server, you can add the internal server's IP address to the allowlist: + +``` +UNTRUSTED_EXTERNAL_ALLOW_LIST="192.168.1.53" +``` + ## Implementation Details To achieve this, we use [gitea's hostmatcher](https://github.com/go-gitea/gitea/blob/v1.22.6/modules/hostmatcher/hostmatcher.go#L39). This is configured by default for the `ExternalClient`, which is used for all external requests. The common options and configuration can be found [here](https://github.com/sourcegraph/sourcegraph-public-snapshot/blob/main/internal/httpcli/client.go#L406C1-L423C2). From c0fea7d1cdc276c9a6066d5ba0663ca467b638ba Mon Sep 17 00:00:00 2001 From: Vincent Date: Wed, 18 Dec 2024 22:44:36 +0100 Subject: [PATCH 2/3] add keyword --- docs/admin/config/network-filtering.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/admin/config/network-filtering.mdx b/docs/admin/config/network-filtering.mdx index 7bb2d45ea..474ecf353 100644 --- a/docs/admin/config/network-filtering.mdx +++ b/docs/admin/config/network-filtering.mdx 
@@ -23,10 +23,10 @@ Codemonitors, webhooks and Cody URL context are limited to only be able to acces ### Example Configuration # -If you want Cody to use context from an internal server, you can add the internal server's IP address to the allowlist: +If you want Cody to use context from an internal server in addition to internet access, you can add the internal server's IP address to the allowlist: ``` -UNTRUSTED_EXTERNAL_ALLOW_LIST="192.168.1.53" +UNTRUSTED_EXTERNAL_ALLOW_LIST="external,192.168.1.53" ``` ## Implementation Details From e10fc34763c8cdce49226c8fa5a3c2884c386335 Mon Sep 17 00:00:00 2001 From: Vincent Date: Wed, 18 Dec 2024 21:58:56 +0000 Subject: [PATCH 3/3] remove # Co-authored-by: Camden Cheek --- docs/admin/config/network-filtering.mdx | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/admin/config/network-filtering.mdx b/docs/admin/config/network-filtering.mdx index 474ecf353..10c0075c1 100644 --- a/docs/admin/config/network-filtering.mdx +++ b/docs/admin/config/network-filtering.mdx @@ -22,7 +22,6 @@ This would deny all connections to hosts in the private network and github.com. Codemonitors, webhooks and Cody URL context are limited to only be able to access public IP addresses by default. This behavior can be changed with the `UNTRUSTED_EXTERNAL_ALLOW_LIST` environment variable, which configures the allowlist. ### Example Configuration -# If you want Cody to use context from an internal server in addition to internet access, you can add the internal server's IP address to the allowlist: ```
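Review bot: in the first hunk of patch 1 (`@@ -1,10 +1,16 @@`), the sentence "To block or allow all the internal connections use the “private” keyword, this would block all RFC 1918 …" now covers both lists but its second half still only describes the denylist outcome, and it is a comma splice; suggest splitting it, e.g. "Use the “private” keyword to match all internal addresses. On the denylist this blocks, and on the allowlist this permits, all RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and RFC 4193 (FC00::/7) addresses." The new opening "Sourcegraph supports outbound connection filtering. Both for regular external connections and so-called "untrusted" connections, where a regular user can provide a URL …" is a sentence fragment; join it with a comma ("… filtering, both for regular external connections and for so-called "untrusted" connections, where …"). The line "The default denylist is set up to only block localhost and the Cloud metadata service IP address." would be more useful to an admin with the literal default value quoted, so it can be verified against a running deployment, and "they might need to be excluded from the denylist" should say how an exclusion is expressed (or state plainly that the only option is not to list those hosts), since the page gives no exception syntax. While this file is being edited, the unchanged heading "# Outoing Connection Filtering" has a typo ("Outgoing").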
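Review bot: in the second hunk of patch 1 (`@@ -12,5 +18,16 @@`), the added line "#" directly under "### Example Configuration" is a stray empty Markdown heading and will render as an empty top-level heading in MDX; drop it here (patch 3 of this series does exactly that, so squash it). The example "UNTRUSTED_EXTERNAL_ALLOW_LIST="192.168.1.53"" is also misleading on its own: the prose says the variable "configures the allowlist", so a single address replaces the default public-only policy rather than extending it, and with this value code monitors, webhooks and Cody URL context would lose access to every public host (patch 2 fixes the value, but the replacement semantics should be stated in the prose as well). Finally, "limited to only be able to access public IP addresses by default" reads awkwardly and should spell out what "public" excludes by default (loopback? the RFC 1918/4193 ranges? link-local?) rather than leaving readers to infer it; since the page itself notes these URLs are supplied by regular users, each allowlisted internal host becomes reachable through any user's requests, and admins need that boundary stated clearly before they widen it. Minor: "Codemonitors" is written "code monitors" elsewhere in Sourcegraph docs.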
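Review bot: in the patch 2 hunk (`@@ -23,10 +23,10 @@`), the new value "UNTRUSTED_EXTERNAL_ALLOW_LIST="external,192.168.1.53"" relies on an "external" keyword that the page never documents; the intro paragraph only describes "private". Add "external" (and any other keywords the matcher accepts) to the keyword description, and state explicitly that setting this variable replaces the default allowlist, which is why "external" must be listed to keep internet access; the before/after lines of this hunk show precisely the failure mode the reader needs to be warned about. The wording "in addition to internet access" is also ambiguous about whether the keyword or the default provides that access. Since this hunk corrects an example introduced in patch 1 of the same series, squash it into patch 1.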
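Review bot: the patch 3 hunk (`@@ -22,7 +22,6 @@`) only deletes the stray "#" heading introduced by patch 1 of this same series; squash it into patch 1 rather than landing a separate "remove #" commit, so the documentation never exists in the broken state in history. Nothing else to flag in this hunk.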