Accessing SUSE Customer Center and SUSE registry behind a firewall and/or through a proxy

This document (000021034) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server

Situation

Network traffic is restricted by Firewall and/or Proxy.
These rules prevent access to SUSE Customer Center/SCC (for registration or access via browser) or SUSE registry - registry.suse.com - (to download container images).

Resolution

* The firewall needs to allow connections to the following domains (for both ports: 80 and 443):
system registrationscc.suse.com:<port>, updates.suse.com:<port>
website accessscc.suse.com:<port>, customer-uploads.suse.com:<port>, static.scc.suse.com:<port>
container image downloadsregistry.suse.com:<port>, registry-storage.suse.com:<port>, registry.rancher.com:<port>


* If IP address whitelisting is needed, the current list of IPs for updates.suse.com is:

- CDN (updates.suse.com) 
North America - 93.184.215.211
Europe - 68.232.34.211
Asia - 192.229.145.211

The list for EC2, CloudFront and S3 can be obtained with 'curl' and filtered/processed with 'jq' as follows: - EC2 (scc.suse.com, registry.suse.com) 
# curl https://ip-ranges.amazonaws.com/ip-ranges.json -o ip-ranges.json
# jq -r '.prefixes[] | select(.region=="eu-central-1") | select(.service=="EC2") | .ip_prefix' < ip-ranges.json | sort

- CloudFront (customer-uploads.suse.com, registry-storage.suse.com) 
# curl https://ip-ranges.amazonaws.com/ip-ranges.json -o ip-ranges.json
# jq -r '.prefixes[] | select(.service=="CLOUDFRONT") | .ip_prefix' < ip-ranges.json | sort

- S3 (static.scc.suse.com) 
# curl https://ip-ranges.amazonaws.com/ip-ranges.json -o ip-ranges.json
# jq -r '.prefixes[] | select(.region=="eu-central-1") | select(.service=="S3") | .ip_prefix' < ip-ranges.json | sort

For reference, AWS (Amazon Web Services) publishes its current IP address ranges in JSON format. To view the current ranges, download the .json file at: AWS IP address ranges



* A Proxy needs to allow for the "Authorization" and "System-Token" headers to be passed to the SUSE Customer Center.
Whether a proxy is filtering these headers can be checked with: 
# curl -X POST -H "Authorization: Basic dXNlcjpwYXNzd29yZA==" -H "System-Token: testtoken" https://scc.suse.com/debug/reflect
The output of the command should contain the values for HTTP_AUTHORIZATION and HTTP_SYSTEM_TOKEN that were provided in the command.


* Verify the proxy doesn't break the certification or a certificate wasn't installed correctly 
# openssl s_client -connect scc.suse.com:443 -showcerts -servername scc.suse.com
This should return "CONNECTED" and a successful SSL handshake. If it doesn't, the SUSE Knowledge Base article "How to verify openssl certification chain" can be used to check and debug the certificate status.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000021034
  • Creation Date: 11-Apr-2023
  • Modified Date:11-Apr-2023
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center
Report a Software Vulnerability Submit Tips, Tricks, and Tools Download Free Tools