artin/sourcegraph
1
0
Fork 0
mirror of https://github.com/sourcegraph/sourcegraph.git synced 2026-02-06 17:31:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: update src connect security faq (#59654)

Browse Source 
* docs: update src connect security faq

* Update private_connectivity_sourcegraph_connect.md
This commit is contained in:
Michael Lin 2024-01-16 19:37:41 -08:00 committed by GitHub
parent fae3000fb9
commit f02c700a67
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
doc/cloud/private_connectivity_sourcegraph_connect.md
View File

@ -37,7 +37,11 @@ Finally, Sourcegraph will provide the following:
### Create the connection
Customer can follow the provided instruction and install the tunnel agent in the private network.
Customer can follow the provided instruction and install the tunnel agent in the private network. At a high level:
- Permit egress to the internet to a set of static IP addresses and corresponding ports to be provided by Sourcegraph.
- Permit egress to the private resources at the given port.
- Run the tunnel agent binary with provided config files and credentials.
### Create the code host connection
@ -94,6 +98,14 @@ In the event of an attacker gaining access to the sourcegraph containers, we con
Please reach out to us if you have any specific questions regarding our Cloud security posture, and we are happy to provide more detail to address your concerns.
### How to harden the tunnel agent deployment?
We recommend using an allowlist to limit the egress traffic of the agent to IP addresses provided by Sourcegraph and specific private resources you would like to permit access. This will prevent the agent to talk to arbitrary services, and reduce the blast radius in the event of a security event.
### How can I audit the data Sourcegraph has access to in my environment?
The tunnel is secured and authenticated by mTLS over gRPC, and everything is encrypted over transit. If customer is looking to perform audit, such as, TLS inspection, on the connection between the private resources and Sourcegraph Cloud. We recommend to only intercept and inspect traffic between the tunnel agent and private resources. The connection between the tunnel agent and Sourcegraph Cloud is using a custom protocol, and the decrypted payload has very little value.
### Can I use self-signed TLS certificate for my private resources?
Yes. Please work with your account team to add the certificate chain of your internal CA to [site configuration](https://docs.sourcegraph.com/admin/config/site_config#experimentalFeatures) at `experimentalFeatures.tls.external.certificates`