neil/cache
1
0
Fork 0
mirror of https://github.com/actions/cache.git synced 2026-01-30 16:04:23 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add explicit iptables rules to block blob storage IPs

Browse Source 
The previous firewall setup relied on a catch-all REJECT rule for blob
storage, but it wasn't blocking traffic. Now we explicitly resolve and
block the IPs for productionresultssa0-3.blob.core.windows.net using
iptables -I OUTPUT 1 to insert rules at the top of the chain.
This commit is contained in:
Bassem Dghaidi 2026-01-29 09:31:15 -08:00 committed by GitHub
parent e0d51ac399
commit 34472f2415
1 changed files with 14 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
.github/workflows/workflow.yml vendored
View File

@ -169,10 +169,13 @@ jobs:
iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
done done
# Block productionresultssa*.blob.core.windows.net (cache blob storage) # Block blob.core.windows.net (Azure blob storage used for cache)
# We block ALL blob.core.windows.net traffic since we can't easily enumerate all storage accounts for host in productionresultssa0.blob.core.windows.net productionresultssa1.blob.core.windows.net productionresultssa2.blob.core.windows.net productionresultssa3.blob.core.windows.net; do
# The proxy will handle these requests for ip in $(getent ahosts "$host" 2>/dev/null | awk '{print $1}' | sort -u); do
echo "Note: *.blob.core.windows.net traffic will be blocked and must go through proxy" echo "Blocking direct access to blob storage ($host): $ip"
iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
done
done
# Block all other outbound HTTP/HTTPS traffic # Block all other outbound HTTP/HTTPS traffic
iptables -A OUTPUT -p tcp --dport 80 -j REJECT iptables -A OUTPUT -p tcp --dport 80 -j REJECT
@ -326,10 +329,13 @@ jobs:
iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
done done
# Block productionresultssa*.blob.core.windows.net (cache blob storage) # Block blob.core.windows.net (Azure blob storage used for cache)
# We block ALL blob.core.windows.net traffic since we can't easily enumerate all storage accounts for host in productionresultssa0.blob.core.windows.net productionresultssa1.blob.core.windows.net productionresultssa2.blob.core.windows.net productionresultssa3.blob.core.windows.net; do
# The proxy will handle these requests for ip in $(getent ahosts "$host" 2>/dev/null | awk '{print $1}' | sort -u); do
echo "Note: *.blob.core.windows.net traffic will be blocked and must go through proxy" echo "Blocking direct access to blob storage ($host): $ip"
iptables -I OUTPUT 1 -d "$ip" -p tcp --dport 443 -j REJECT
done
done
# Block all other outbound HTTP/HTTPS traffic # Block all other outbound HTTP/HTTPS traffic
iptables -A OUTPUT -p tcp --dport 80 -j REJECT iptables -A OUTPUT -p tcp --dport 80 -j REJECT