
We have a Git repo sitting behind a firewall. As I see it, there are two ways of authenticating/accessing the Git repo:

  1. Add a Reverse HTTP Proxy in the DMZ that communicates with the Git repo. This will allow the user to access Git over HTTPS.
  2. Poke a hole in the firewall to allow traffic to the Git repo on SSH. This will allow the user to access Git over SSH.

We have another policy that requires use of cert/key-based authentication instead of a static user/password. So this rules out Option #1. But we are not comfortable with poking a hole in the firewall.

What options do we have? Is there a Reverse HTTP Proxy-like solution for SSH as well?

slm
Saqib Ali

1 Answer


If you're thinking of SSH certs, does this mean these are internal users who can be forced to use additional security measures? Examples:

  • VPN

  • SSH Jump server - users connect here first and then use port forwarding to access your git host(s). You could insist on two separate sets of credentials too.

Richard N
  • Does Git work over an SSH jump server? – Saqib Ali Feb 06 '19 at 00:13
  • Not tried git specifically (yet), but if it goes over SSH it should work - might need to set it to localhost:tunnel-port and/or adjust hosts file. I frequently tunnel multiple applications over SSH (including tunnels in tunnels) and it works really well, although if apps use specific ports you can't run 2 instances to 2 different hosts at the same time. – Richard N Feb 06 '19 at 00:45
  • Git will use your .ssh/config file. If you configure your ssh jumps from the config file, it'll use those jump servers transparently. – Lie Ryan Feb 06 '19 at 02:33
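
The jump-server setup discussed in this answer and its comments, as an added example that is not from any of the posters: a client `~/.ssh/config` that routes Git through a bastion, next to a bastion `sshd_config` that accepts CA-signed user certificates and allows forwarding only to the Git host. All host names, user names, the group name and file paths are placeholders.

```sshconfig
# --- Client: ~/.ssh/config (host names, user and key path are placeholders) ---
Host bastion
    HostName bastion.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519
    # Offer only the key named above, not every key loaded in the agent.
    IdentitiesOnly yes
    # If ~/.ssh/id_ed25519-cert.pub exists, ssh presents that certificate too.

Host git-internal
    HostName git.internal.example.com
    User git
    # Reach the Git host through the bastion. The inner SSH session is
    # end-to-end between client and Git host; the bastion only relays bytes.
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# Git then treats the alias like any other SSH remote:
#   git clone git-internal:team/project.git

# --- Bastion: /etc/ssh/sshd_config (CA path and group name are placeholders) ---
# Trust user certificates signed by this CA; refuse static passwords.
TrustedUserCAKeys /etc/ssh/user_ca.pub
PasswordAuthentication no

Match Group git-users
    # Allow only the client-initiated forwarding that ProxyJump needs,
    # and only to the Git host's SSH port.
    AllowTcpForwarding local
    PermitOpen git.internal.example.com:22
    # No shell, TTY, agent or X11 forwarding on the bastion itself.
    PermitTTY no
    AllowAgentForwarding no
    X11Forwarding no
    ForceCommand /bin/false
```

With this layout only the bastion's SSH port is exposed, and a bastion account in `git-users` can relay to `git.internal.example.com:22` and nothing else.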