
Filtering GitHub Upload with ZIA

To give developers effective access to GitHub while retaining controls over what they can upload, Zscaler proposes that the agency use the Zscaler Internet Access (ZIA) platform for its development teams. ZIA provides more effective filtering and protection for GitHub as well as for other business applications and services.

Developers will install Zscaler Client Connector on their Windows or Mac workstations and authenticate themselves against a SAML service. Once authenticated, traffic from the workstation will be sent to the ZIA cloud proxy service where policy will govern how users can interact with Internet and cloud applications.

The three test cases below, each with a corresponding user and group, cover the different access scenarios and protection mechanisms for GitHub that ZIA can enforce:

| Test Case | User | Member of Group | Description |
| --- | --- | --- | --- |
| Block GitHub | User1 | None | GitHub.com is completely blocked from access. |
| Read-Only GitHub | User2 | GitHub-ReadOnly-Users | GitHub.com is accessible as read-only: users can access and navigate the site but cannot upload any files or content. |
| Unrestricted GitHub | User3 | GitHub-Unrestricted-Users | Access to GitHub is unrestricted; users can upload and download any files or content. |

GitHub Setup

GitHub exposes two service endpoints for communication with the cloud Git repository, as detailed in the table below:

| Service Endpoint Name | Connection String | Description |
| --- | --- | --- |
| GitHub Web | https://GitHub.com | Used by browsers for accessing GitHub, as well as by GitHub client applications such as git and GitHub Desktop. |
| GitHub SSH | ssh user@GitHub.com | Used only by client applications such as git and GitHub Desktop. |

Zscaler Setup

Configure the following Zscaler components to implement the desired solution:

  1. URL Filtering Rules

    | Rule # | Rule Name | Groups | Request Methods | URL Categories | Protocols | Action | Description |
    | --- | --- | --- | --- | --- | --- | --- | --- |
    | 1 | Read-Only GitHub | GitHub-ReadOnly-Users | ALL | GitHub.com Upload Service URLs | HTTP PUT | Deny | Enforces read-only (no-upload) access for members of the GitHub-ReadOnly-Users group. |
    | 2 | Allow GitHub | GitHub-Unrestricted-Users; GitHub-ReadOnly-Users | ALL | GitHub.com Public Services | ALL | Allow | Gives members of the GitHub-Unrestricted-Users group full, unrestricted access to GitHub. Members of the GitHub-ReadOnly-Users group can read GitHub but are blocked from uploading by rule #1. |
    | 3 | Block GitHub | N/A | ALL | GitHub.com Public Services | ALL | Deny | Blocks GitHub access for any remaining users who did not match the Unrestricted or Read-Only conditions. |

  2. Custom URL Categories

    | Category Name | URLs | Keywords | Description |
    | --- | --- | --- | --- |
    | GitHub.com Public Services | GitHub.com/upload; codelab.GitHub.com; GitHub.com | GitHub | Contains the service URLs used to categorize GitHub as an application and to block signing up for GitHub. |
    | GitHub.com Upload Service URLs | codelab.GitHub.com; GitHub.com/upload | /commit_comment/; /create; /delete; /file-edit; /issue; /join; /new; /projects; /repositories; /tree-save; /upload/; /wiki; git-receive-pack | Contains the URLs and keywords that match GitHub's upload service endpoints (see the keyword notes below). |

    Keyword notes for the GitHub.com Upload Service URLs category:

    git-receive-pack - GitHub Desktop: block push
    commit_comment - block commenting or editing a comment
    create - block creating
    delete - block deleting a file
    file-edit - block editing a file or commenting on it
    issue - block posting a new issue or editing an issue
    join - block creating an account
    new - block creating a new file
    projects - block creating a new project
    repositories - block
    /tree-save - block a commit action
    upload - block uploading a file
    wiki - block new wiki pages and comments on the wiki
    git-receive-pack - block the desktop client from writing files

  3. Cloud Firewall

    Z-Tunnel 2.0 is required to make use of the full functions of Cloud Firewall.

    | Name | Destination IP Categories | Network Services | Action | Description |
    | --- | --- | --- | --- | --- |
    | Block Access to GitHub over SSH | GitHub.com Public Services | SSH | Block/Drop | Disables access to the GitHub SSH service endpoint, which could otherwise be used to upload files, forcing all GitHub traffic over the web service endpoint. |
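As an added example (not Zscaler's code and not an export of the article's configuration), the following Python models how the three tables above combine: the custom categories, the ordered URL Filtering Rules, and the Cloud Firewall SSH block, evaluated against constructed requests. The assumptions are that keywords match as a case-insensitive substring of the URL, that URL entries match as prefixes once the scheme is removed, and that the firewall rule is checked for SSH before URL filtering.

```python
# Custom URL categories from the article. ASSUMPTION: keywords match as a
# case-insensitive substring of the URL; URL entries match as prefixes once
# the scheme is stripped.
CATEGORIES = {
    "GitHub.com Public Services": {
        "urls": ["github.com/upload", "codelab.github.com", "github.com"],
        "keywords": ["github"],
    },
    "GitHub.com Upload Service URLs": {
        "urls": ["codelab.github.com", "github.com/upload"],
        "keywords": ["/commit_comment/", "/create", "/delete", "/file-edit",
                     "/issue", "/join", "/new", "/projects", "/repositories",
                     "/tree-save", "/upload/", "/wiki", "git-receive-pack"],
    },
}

# URL Filtering Rules in evaluation order: (name, groups or None for any user,
# URL category, action). Rule 1 sits above rule 2 so the read-only group's
# uploads are denied before the general Allow matches.
URL_RULES = [
    ("Read-Only GitHub", {"GitHub-ReadOnly-Users"},
     "GitHub.com Upload Service URLs", "Deny"),
    ("Allow GitHub", {"GitHub-Unrestricted-Users", "GitHub-ReadOnly-Users"},
     "GitHub.com Public Services", "Allow"),
    ("Block GitHub", None, "GitHub.com Public Services", "Deny"),
]


def in_category(url, category):
    """True if the URL falls in the custom category by URL prefix or keyword."""
    u = url.lower().split("://", 1)[-1]
    cat = CATEGORIES[category]
    return (any(u.startswith(p) for p in cat["urls"])
            or any(k in u for k in cat["keywords"]))


def evaluate(user_groups, protocol, destination):
    """Return (rule_name, action) of the first matching rule for a request."""
    if protocol == "ssh":  # Cloud Firewall rule: no URL filtering for SSH
        if in_category(destination, "GitHub.com Public Services"):
            return ("Block Access to GitHub over SSH", "Block/Drop")
        return (None, "Allow")
    groups = set(user_groups)
    for name, rule_groups, category, action in URL_RULES:
        if rule_groups is not None and not (rule_groups & groups):
            continue  # rule is scoped to groups this user is not in
        if in_category(destination, category):
            return (name, action)
    return (None, "Allow")  # not GitHub traffic; other policy decides
```

Under the substring assumption, the keyword `/issue` also matches a read of an issue page such as `/octocat/Hello-World/issues/1`, so a read-only user is denied that page too; verify the keyword scope against the real match semantics before rollout.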