Configure apps to use HTTPS egress-proxy #1064
Comments
@asteel-gsa and I were having trouble confirming whether So we might need to make a custom ClamAV image or else deploy ClamAV with a buildpack to make the necessary changes to the config file at app startup.
We resolved a previous problem by making an upstream PR that was accepted within one day; I'm going to try the same thing here.
Summary of the approach: In the
For the
So we need to set the value for the
This was looking iffy, so we sidestepped the need for swagger to use the egress-proxy by having it point to a private route on the
From DMs with Alex today:
Added a PR for clamav-rest: PR 20
This PR should enable the proxy for the
Summary of where we are here:
@asteel-gsa Given no response from the upstream I guess we will need to start maintaining your fork. Want to move
Sure! What would be the best way to move it into GSA-TTS?
Still to do:
Draft PR for FAC: Updating outputs for https proxy
As of this week's prod deploy, we believe this is done.
We still need to configure ClamAV to use the proxy.
At a glance
In order to ensure apps can make outbound HTTPS requests to necessary services even after their space is egress-restricted
as a system architect
I want all apps to make use of bound HTTPS egress-proxy credentials
Acceptance Criteria
We use DRY behavior-driven development wherever possible.
Scenario:
Given I have configured the [gsa-fac|clamav] app to use the proxy credentials provided in the egress-creds UPSI,
when the [gsa-fac|clamav] app makes an outbound connection...
then...
Shepherd
Background
We deployed an egress proxy service in #1015. This issue is about ensuring the apps pay attention to the proxy settings.
Security Considerations
Required per CM-4.
This change will cause apps to funnel all outbound requests through a controlled interface, which meets the intent of NIST control SC-7. A further change to block all outbound requests that are not going through the proxy, at the space level, is out of scope but coming as soon as we can also proxy SMTP requests.
Process checklist
Sketch
Definition of Done
Triage
If not likely to be important in the next quarter...
Otherwise...
Design Backlog
Design In Progress
Design Review Needed
Design Done
If no engineering is necessary
Engineering Backlog
Engineering Available
In Progress column
Engineering In Progress
If there's UI...
Engineering Blocked
Engineering Review Needed
Engineering Done
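To illustrate the acceptance criterion above (an app picking up the proxy credentials from the bound egress-creds UPSI), here is an added example that is not FAC or cg-egress-proxy code. It assumes Cloud Foundry exposes the binding under the "user-provided" key of VCAP_SERVICES, assumes the credential field names username, password, domain and port, and assumes the proxy itself is reached over plain HTTP (CONNECT) even for HTTPS egress; the VCAP_SERVICES sample is constructed.

```python
"""Derive HTTP(S)_PROXY settings from a bound `egress-creds` user-provided service."""
import json
import os
from urllib.parse import quote, urlparse

# Constructed stand-in for the VCAP_SERVICES JSON Cloud Foundry injects at app
# start. The credential field names here are assumptions, not the real schema.
SAMPLE_VCAP_SERVICES = json.dumps({
    "user-provided": [
        {"name": "egress-creds",
         "credentials": {"username": "proxyuser", "password": "s3cr3t/!",
                         "domain": "egress.apps.internal", "port": 8080}},
        {"name": "other-creds", "credentials": {"token": "unrelated"}},
    ]
})


def find_upsi(vcap_services: str, name: str) -> dict:
    """Return the credentials dict of the user-provided service called `name`."""
    for inst in json.loads(vcap_services).get("user-provided", []):
        if inst.get("name") == name:
            return inst["credentials"]
    # Fail closed: an app that cannot find its proxy creds must not fall back
    # to direct egress, or the egress restriction is silently bypassed.
    raise LookupError(f"no user-provided service named {name!r} is bound")


def proxy_url(creds: dict) -> str:
    """Build the proxy URL; percent-encode creds so '/', '@', '!' cannot break it."""
    user = quote(creds["username"], safe="")
    password = quote(creds["password"], safe="")
    return f"http://{user}:{password}@{creds['domain']}:{creds['port']}"


def proxy_environment(vcap_services: str, no_proxy=("apps.internal",)) -> dict:
    """Env vars most HTTP clients honour; apps.internal stays direct so private
    routes (like the swagger route mentioned in the thread) skip the proxy."""
    url = proxy_url(find_upsi(vcap_services, "egress-creds"))
    return {"HTTP_PROXY": url, "HTTPS_PROXY": url, "NO_PROXY": ",".join(no_proxy)}


def redacted(url: str) -> str:
    """Log-safe form of the proxy URL (password masked)."""
    p = urlparse(url)
    return f"{p.scheme}://{p.username}:***@{p.hostname}:{p.port}"


if __name__ == "__main__":
    env = proxy_environment(os.environ.get("VCAP_SERVICES", SAMPLE_VCAP_SERVICES))
    os.environ.update(env)
    print("egress proxy configured:", redacted(env["HTTPS_PROXY"]))
```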