To enable developers to effectively access GitHub, while still having controls to restrict/control access to upload data, Zscaler proposes that the agency leverage the Zscaler Internet Access (ZIA) platform for their development teams to provide more effective filtering and protection for GitHub, as well as other business applications and services.
Developers will install Zscaler Client Connector on their Windows or Mac workstations and authenticate themselves against a SAML service. Once authenticated, traffic from the workstation will be sent to the ZIA cloud proxy service where policy will govern how users can interact with Internet and cloud applications.
The solution defines three test cases, each with a corresponding user and group, that cover the different access scenarios and protection mechanisms targeting GitHub, as detailed in the table below:
Test Cases | User | Member of Group | Description |
Block GitHub | User1 | None | GitHub.com is completely blocked from access |
Read-Only GitHub | User2 | GitHub-ReadOnly-Users | GitHub.com is accessible as read-only: users can access and navigate the site but cannot upload any files or content. |
Unrestricted GitHub | User3 | GitHub-Unrestricted-Users | Access to GitHub is unrestricted and users can upload and download any files or content. |
GitHub Setup
GitHub has two service endpoints for communication with the cloud Git library as detailed in the table below:
Service Endpoint Name | Connection String | Description |
GitHub Web | | Used by browsers for accessing GitHub as well as GitHub client applications like git and GitHub Desktop. |
GitHub SSH | ssh user@GitHub.com | Used by client applications only, such as git and GitHub Desktop. |
Zscaler Setup
Configure the following Zscaler components to implement the solution:
URL Filtering Rules
Rule # | Rule Name | Groups | Request Methods | URL Categories | Protocols | Action | Description |
1 | Read-Only GitHub | GitHub-ReadOnly-Users | ALL | GitHub.com Upload Service URLs | HTTP PUT | Deny | This rule enforces read-only (no-upload) access for users that are members of the GitHub-ReadOnly-Users group. |
2 | Allow GitHub | GitHub-Unrestricted-Users; GitHub-ReadOnly-Users | ALL | GitHub.com Public Services | ALL | Allow | This rule gives members of the GitHub-Unrestricted-Users group full unrestricted access to GitHub. Members of the GitHub-ReadOnly-Users group will be able to read GitHub, but will be blocked from uploading because of rule #1. |
3 | Block GitHub | N/A | ALL | GitHub.com Public Services | ALL | Deny | This rule blocks GitHub access for any remaining users that did not match the Unrestricted or Read-Only access conditions. |
Custom URL Categories
Category Name | URLs | Keywords | Description |
GitHub.com Public Services | GitHub | | Contains the service URLs that categorize GitHub as an application and that block signing up for GitHub. |
GitHub.com Upload Service URLs | /commit_comment/; /create; /delete; /file-edit; /issue; /join; /new; /projects; /repositories; /tree-save; /upload/; /wiki | git-receive-pack | Contains any URLs or keywords that match GitHub's upload service endpoints. |
git-receive-pack – GitHub Desktop – block push
commit_comment – block commenting or editing a comment
create – block creating
delete – block deleting a file
file-edit – block editing a file or commenting on it
issue – block posting a new issue or editing an issue
join – block creating an account
new – block a new file
projects – block creating a new project
repositories – block
/tree-save – block a commit action
upload – block uploading a file
wiki – block new and comments on wiki
git-receive-pack – block desktop client from writing files
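The URL filtering rules and the custom URL categories above are evaluated first-match, top to bottom. The following simulator is an added example written for this page (it is not Zscaler code and does not call the ZIA API); the hostnames in the "GitHub.com Public Services" category are constructed, substring matching stands in for ZIA's URL and keyword matching, and "HTTP PUT" in rule 1 is taken to mean the PUT request method.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Custom URL category "GitHub.com Upload Service URLs": paths and keyword from the table
UPLOAD_URLS = ["/commit_comment/", "/create", "/delete", "/file-edit", "/issue", "/join",
               "/new", "/projects", "/repositories", "/tree-save", "/upload/", "/wiki"]
UPLOAD_KEYWORDS = ["git-receive-pack"]
# Custom URL category "GitHub.com Public Services"; these hostnames are constructed for the example
GITHUB_HOSTS = {"github.com", "www.github.com"}
# Rule 1 lists "HTTP PUT"; a deployment that needs more write methods widens this set
WRITE_METHODS = {"PUT"}
READONLY, UNRESTRICTED = "GitHub-ReadOnly-Users", "GitHub-Unrestricted-Users"


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset  # group memberships from the SAML identity
    method: str
    host: str
    path: str


def is_github(req: Request) -> bool:
    return req.host.lower() in GITHUB_HOSTS


def is_upload_url(req: Request) -> bool:
    # Simplification: substring match on the path stands in for ZIA URL/keyword matching
    p = req.path.lower()
    return any(u in p for u in UPLOAD_URLS) or any(k in p for k in UPLOAD_KEYWORDS)


# (rule name, match predicate, action) in the same order as the URL Filtering Rules table
RULES: List[Tuple[str, Callable[[Request], bool], str]] = [
    ("Read-Only GitHub", lambda r: READONLY in r.groups and is_github(r)
                                   and is_upload_url(r) and r.method.upper() in WRITE_METHODS, "Deny"),
    ("Allow GitHub",     lambda r: bool(r.groups & {READONLY, UNRESTRICTED}) and is_github(r), "Allow"),
    ("Block GitHub",     lambda r: is_github(r), "Deny"),
]


def evaluate(req: Request) -> Optional[Tuple[str, str]]:
    """Return (rule name, action) of the first matching rule, or None if no GitHub rule applies."""
    for name, matches, action in RULES:
        if matches(req):
            return name, action
    return None
```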
Cloud Firewall
Z-Tunnel 2.0 is required to make use of the full functions of Cloud Firewall.
Name | Destination IP Categories | Network Services | Action | Description |
Block Access to GitHub over SSH | GitHub.com Public Services | SSH | Block/Drop | Disables access to the GitHub SSH service endpoint, which can allow upload of files, forcing all GitHub traffic to be routed over the web service endpoint. |