39

I have a server, on which I want to use Python, that is behind a company firewall. I do not want to mess with it and the only thing I can do is to make a firewall exception for specific URLs/domains.

I also want to access packages located on PYPI, using pip or easy_install. Therefore, do you know which URLs I should ask to be listed in the exception rules for the firewall, except *.pypi.python.org?

Martijn Pieters
Marc-Olivier Titeux
  • 1
    What do you mean `except *.pypi.python.org`? That's the PyPI URL. – Katriel Jan 11 '13 at 11:22
  • 3
    @katrielalex: PyPI is the *metadata* index, and although most packages have been uploaded to PyPI as well, this is *optional*. Loads of other packages are served from their own domains. `pip` will look up the download location(s) and contact the correct location to get it. That can be *anywhere* on the internet. – Martijn Pieters Jan 11 '13 at 11:24
  • @MartijnPieters yes, I agree. I read the OP's statement `located on PYPI` as `hosted on PyPI`, because clearly there's no way to add a firewall rule "allow anything linked by PyPI". – Katriel Jan 11 '13 at 11:27
  • Alright, my bad. I wasn't aware the upload to PyPI is optional *only*, even though I have noticed that pip bounced on other servers for download... Thanks for the clarification. – Marc-Olivier Titeux Jan 11 '13 at 12:20

2 Answers

16

You need to open up your firewall to the download locations of any package you need to install, or connect to a proxy server that has been given access.

Note that the download location is not necessarily on PyPI. The Python package index is a metadata service, one that happens to also provide storage for the indexed packages. As such, not all packages indexed on PyPI are actually downloaded from PyPI, the download location could be anywhere on the internet.

I'd say you start with opening pypi.python.org, then as individual package installations fail, check their PyPI page and add the download location listed for those.

Martijn Pieters
  • 1
    Thanks for this answer. Do you think a good alternative would be to do `export PIP_DOWNLOAD_CACHE=$HOME/.pip_download_cache`, create a virtual env on a machine that has access to the internet, do `pip install -r requirements.txt`, and copy this download cache to the isolated machine that has access to PyPI (so that I can check that there are no newer versions if a newer requirements.txt authorizes newer package versions)? – Marc-Olivier Titeux Jan 11 '13 at 12:15
  • 1
    @Marc-OlivierTiteux: That could work, yes. Another alternative would be to set up a [PyPI mirror](http://pypi.python.org/pypi/collective.eggproxy) (acts as a caching proxy for requested packages). – Martijn Pieters Jan 11 '13 at 12:42
  • I ended up using something like this: http://stackoverflow.com/a/12147405/493211 (made on a server that has access to the web) and then only the second line for when I am on the isolated machine. Thanks! – Marc-Olivier Titeux Jan 23 '13 at 13:52
  • I have the same restriction. Is there a way to check the location of a package? – paolof89 Nov 28 '18 at 09:52
  • 4
    @paolof89: add the `-v` switch (can be added multiple times) to increase the verbosity of pip: `pip install -v ...` and look at what that tells you. It'll report all URLs it tries to connect to. – Martijn Pieters Nov 28 '18 at 10:52
16

I've solved it by adding these domains to the firewall whitelist:

  • pypi.python.org
  • pypi.org
  • pythonhosted.org
devilcius
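The answers above suggest reading the URLs reported by `pip install -v` and allowlisting a short set of domains. As an added example (not code from either answer), the script below extracts every host from such a log and lists the ones the allowlist does not cover; the function names and the sample log lines are constructed for illustration, and treating subdomains as covered is an assumption about how the firewall rule is written.

```python
import re
from urllib.parse import urlsplit

# Domains taken from the second answer. Assumption: the firewall rule for a
# domain also covers its subdomains (e.g. files.pythonhosted.org).
ALLOWED = {"pypi.python.org", "pypi.org", "pythonhosted.org"}

URL_RE = re.compile(r"https?://[^\s\"'<>()]+")


def hosts_in_log(text):
    """Return the lower-cased hostname of every http(s) URL found in text."""
    hosts = set()
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            continue
        if host:
            hosts.add(host.rstrip(".").lower())
    return hosts


def is_allowed(host, allowed=ALLOWED):
    """Match on a label boundary: 'x.pypi.org' is covered by 'pypi.org',
    but 'pypi.org.mirror.example.net' and 'notpypi.org' are not."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def missing_hosts(text, allowed=ALLOWED):
    """Hosts seen in the log that still need a firewall exception."""
    return sorted(h for h in hosts_in_log(text) if not is_allowed(h, allowed))


# Constructed sample lines, not real pip output; only the URLs matter here.
SAMPLE_LOG = """\
Looking up https://pypi.org/simple/examplepkg/
Found link https://files.pythonhosted.org/packages/aa/bb/examplepkg-1.0.tar.gz
Found link http://downloads.example.com/examplepkg/examplepkg-0.9.zip
Fetching https://pypi.org.mirror.example.net/simple/examplepkg/
"""

if __name__ == "__main__":
    for host in missing_hosts(SAMPLE_LOG):
        print(host)
```

Replace `SAMPLE_LOG` with the saved output of a real `pip install -v ...` run to get the list of hosts to review before requesting further exceptions.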