I'm seeking advice on effective methods for managing Git traffic within a corporate setting, particularly focusing on how to restrict `git push` actions while still allowing general outbound access. My goals are to enable all outbound traffic so that developers can browse and clone repositories, while ensuring `git push` operations are limited only to a whitelisted set of Git repositories. I want to prevent accidental or intentional pushes to personal GitHub or GitLab accounts.
Currently, I'm using a Squid proxy with SSL Bump, which works for some HTTPS Git traffic, but I'm running into various issues such as trouble with strict certificate validations and problems with SSL Pinning, along with an inability to inspect SSH-based `git push` commands.
I'm curious about how others handle Git traffic control, and if there are any cleaner solutions out there!
5 Answers
I agree with the other points raised. Managing SSL Bump with Squid is tricky for Git activities. A combination of strict policies and automated monitoring can help, but the execution is difficult in practice.
If you're looking for control, GitHub has some options, but they also require TLS inspection. You can check the tenant restrictions in the GitHub documentation. Still, they aren’t entirely foolproof – combining them with endpoint data loss prevention (DLP) could provide more thorough monitoring of Git commands that aren’t going to whitelisted addresses.
A practical way to enforce restrictions might be to set up a global pre-push hook on your developers' machines. This script can check the remote's hostname against an accepted list to prevent unauthorized pushes.
What’s your main concern? It sounds like you want to avoid accidental pushes to unauthorized repos. There are always technical and administrative hurdles in managing this. Just curious about your overall approach!
Consider using a firewall capable of SSL/TLS inspection and establishing a company policy that restricts the use of only on-premise Git servers, like GitLab or Gitea. This could help manage `git push` traffic while still allowing developers to clone from external repositories. You might also look into blocking the HTTP PUT method to sites like GitHub, but only if your firewall supports Layer 7 filtering. Ultimately, you may need to involve your IT or development managers for policy decisions. Personally, we manage our Fork server with an unofficial rule against using personal Git repositories. SSL inspection can be a real headache, though, so it's worth being cautious here.
Absolutely. We tried SSL inspection with Squid to manage HTTP PUTs, and it quickly spiraled out of control. Just not worth the hassle.
Good luck with that! Developers can easily bypass these hooks by tweaking settings. We’ve tried this, but it’s not foolproof since many repositories come with their own hooks.