Accessing SUSE Customer Center and SUSE registry behind a firewall and/or through a proxy
This document (000021034) is provided subject to the disclaimer at the end of this document.
Environment
Situation
These rules prevent access to SUSE Customer Center/SCC (for registration or access via browser) or SUSE registry - registry.suse.com - (to download container images).
Resolution
Domain/Host Name Allowlisting
* The firewall needs to allow connections to the following domains (for both ports: 80 and 443):
|
system registration |
scc.suse.com:<port>, updates.suse.com:<port>, installer-updates.suse.com:<port> |
|
website access |
scc.suse.com:<port>, customer-uploads.suse.com:<port>, static.scc.suse.com:<port> |
|
container image downloads |
scc.suse.com:<port>, registry.suse.com:<port>, registry-storage.suse.com:<port>, registry.rancher.com:<port> |
IP Address Allowlisting
* If IP address whitelisting is needed, the current list of IPs for updates.suse.com is:
- CDN (updates.suse.com)
|
North America |
152.199.5.130 |
|
Europe |
152.199.22.115 |
|
Asia |
152.199.40.103 |
|
Mainland China |
154.55.117.6, 154.55.117.8 |
* The current list of IPs for scc.suse.com and registry.suse.com are:
|
99.83.188.102 |
|
75.2.43.231 |
* Static assets and support case attachments are served via AWS CloudFront.
CloudFront IP addresses may change over time.
The current list of possible IP addresses can be obtained as follows:
- CloudFront (customer-uploads.suse.com, registry-storage.suse.com, static.scc.suse.com)
# curl https://ip-ranges.amazonaws.com/ip-ranges.json -o ip-ranges.json # jq -r '.prefixes[] | select(.service=="CLOUDFRONT") | .ip_prefix' < ip-ranges.json | sort
For reference, AWS (Amazon Web Services) publishes its current IP address ranges in JSON format. To view the current ranges, download the .json file at: AWS IP address ranges (https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html)
Proxy Setup
* A Proxy needs to allow for the "Authorization" and "System-Token" headers to be passed to the SUSE Customer Center.
Whether a proxy is filtering these headers can be checked with:
# curl -X POST -H "Authorization: Basic dXNlcjpwYXNzd29yZA==" -H "System-Token: testtoken" https://scc.suse.com/debug/reflect
The output of the command should contain the values for HTTP_AUTHORIZATION and HTTP_SYSTEM_TOKEN that were provided in the command.
* Verify the proxy doesn't break the certification or a certificate wasn't installed correctly
# openssl s_client -connect scc.suse.com:443 -showcerts -servername scc.suse.com
This should return "CONNECTED" and a successful SSL handshake. If it doesn't, the SUSE Knowledge Base article "How to verify openssl certification chain" can be used to check and debug the certificate status.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021034
- Creation Date: 25-Apr-2024
- Modified Date:25-Apr-2024
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
