Accessing SUSE Customer Center and SUSE registry behind a firewall and/or through a proxy
This document (000021034) is provided subject to the disclaimer at the end of this document.
Environment
Situation
These rules prevent access to SUSE Customer Center/SCC (for registration or access via browser) or SUSE registry - registry.suse.com - (to download container images).
Resolution
system registration | scc.suse.com:<port>, updates.suse.com:<port> |
website access | scc.suse.com:<port>, customer-uploads.suse.com:<port>, static.scc.suse.com:<port> |
container image downloads | scc.suse.com:<port>, registry.suse.com:<port>, registry-storage.suse.com:<port>, registry.rancher.com:<port> |
* If IP address whitelisting is needed, the current list of IPs for updates.suse.com is:
- CDN (updates.suse.com)
North America - 152.199.5.130 Europe - 152.199.22.115 Asia - 152.199.40.103
The list for EC2, CloudFront and S3 can be obtained with 'curl' and filtered/processed with 'jq' as follows:
- EC2 (scc.suse.com, registry.suse.com)
# curl https://ip-ranges.amazonaws.com/ip-ranges.json -o ip-ranges.json # jq -r '.prefixes[] | select(.region=="eu-central-1") | select(.service=="EC2") | .ip_prefix' < ip-ranges.json | sort
- CloudFront (customer-uploads.suse.com, registry-storage.suse.com)
# curl https://ip-ranges.amazonaws.com/ip-ranges.json -o ip-ranges.json # jq -r '.prefixes[] | select(.service=="CLOUDFRONT") | .ip_prefix' < ip-ranges.json | sort
- S3 (static.scc.suse.com)
# curl https://ip-ranges.amazonaws.com/ip-ranges.json -o ip-ranges.json # jq -r '.prefixes[] | select(.region=="eu-central-1") | select(.service=="S3") | .ip_prefix' < ip-ranges.json | sort
For reference, AWS (Amazon Web Services) publishes its current IP address ranges in JSON format. To view the current ranges, download the .json file at: AWS IP address ranges
* A Proxy needs to allow for the "Authorization" and "System-Token" headers to be passed to the SUSE Customer Center.
Whether a proxy is filtering these headers can be checked with:
# curl -X POST -H "Authorization: Basic dXNlcjpwYXNzd29yZA==" -H "System-Token: testtoken" https://scc.suse.com/debug/reflectThe output of the command should contain the values for HTTP_AUTHORIZATION and HTTP_SYSTEM_TOKEN that were provided in the command.
* Verify the proxy doesn't break the certification or a certificate wasn't installed correctly
# openssl s_client -connect scc.suse.com:443 -showcerts -servername scc.suse.comThis should return "CONNECTED" and a successful SSL handshake. If it doesn't, the SUSE Knowledge Base article "How to verify openssl certification chain" can be used to check and debug the certificate status.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021034
- Creation Date: 17-Aug-2023
- Modified Date:17-Aug-2023
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com