2

I want to use GitHub clients from user accounts on a server where they are not supposed to be able to go online otherwise. The GitHub Windows app does not even install without users' downloading it themselves (see my previous question on SuperUser), but also for my regular use, I need to know the bare minimum one needs to open up.

By opening up I mean user account privileges (under Windows Server 2012 specifically) or firewall rules.

Over on SuperUser, I received advice that port 9418 is the key. Does it mean that all I need to worry about is to have that open?

(I know I could also just try this out, but I would rather propose only one change to administrators, and not go back for seconds.)

And is there an easy solution for the app install problem, or should I just temporarily let users download and install things, and lock things down afterwards?

Thanks!

László

2 Answers

2

No, even though port 9418 is open on the GitHub side (see "Trying to load files from github through a firewall is impossibly slow").
But the Git protocol is read-only (for GitHub), and quite slow.

The bare minimum would be using an HTTPS URL for the GitHub repo.
That means nothing would have to be opened in the firewall.

If you are talking about Git (not GitHub) on a private server, then yes, you could open that port, but it isn't the fastest protocol, and it has no authentication.
It would be faster to set up though, since using an HTTPS URL with a private server means having a web listener (Apache or, for Windows, IIS) listening to your queries.

VonC
  • Thanks, and sorry if I am not following whether I am a private server or not. The accounts on this server would use GitHub (the app, but also the site/service) to synchronize code as GitHub clients (e.g. me on my personal mac). What is the difference you have in mind? – László Jan 20 '14 at 12:01
  • @László do you mean "GitHub for Windows" or "GitHub for Mac", or are you talking about "GitHub for Enterprise"? Do you have a URL which details that "GitHub the app" you mention? – VonC Jan 20 '14 at 12:01
  • I thought using the app from http://windows.github.com/ is the easiest. Users logged into the server (RDP) would use this to manage their personal copies on the server, but all of us would have personal copies on our personal computers as well. Does it make sense? – László Jan 20 '14 at 12:07
  • @László "github for windows" is a client, not a server. It doesn't listen to any Git command. – VonC Jan 20 '14 at 12:08
  • I am not sure where I implied otherwise. (I am happy to edit the question!) What does a client need to function? – László Jan 20 '14 at 12:09
  • @László "all of us would have personal copies on our personal computers as well": if those users have access to the server as a shared path, then they can clone/push/pull the repo they see (through said shared path) from the server to their workstation. No port involved. Truly bare minimal setup (the "local" protocol). – VonC Jan 20 '14 at 12:09
  • @László What does a client need to function? Just a way to access a remote repo, be it through a server (which listens) or a simple shared path. – VonC Jan 20 '14 at 12:10
  • Please help me edit the question, then. I already made quick edits. Users running the GH clients are supposed to have locked-down accounts with very limited network access. I am looking for the right way to define this network access the user accounts need for the GH client app to function. – László Jan 20 '14 at 12:12
  • @László you mean they don't have access to the remote repo on your server through a shared UNC path? If they don't, you need to put in place a listener. A git daemon (working with 9418 port) is possible, but not the most efficient one. I prefer a web server. – VonC Jan 20 '14 at 12:16
  • Thanks, and sorry for being so lost here. I think we are fine with the repo being on GitHub.com servers, we don't need to run our own server. However, just to make the GitHub client (app) talk to GitHub servers, I cannot allow the user accounts to go full-blown online. I am looking for the middle way. – László Jan 20 '14 at 12:20
  • By the way, if something you propose is to have a repo on the server that users access locally but is still in sync with github.com and thus our personal computers, maybe this is what I need. I just don't see how. – László Jan 20 '14 at 12:22
  • @László ok, so GitHub is back in the picture! Then you don't have anything to do on your personal computer: a "GitHub for Windows" will allow you to clone any GitHub repo. Simply follow https://help.github.com/articles/set-up-git, using the "Download GitHub for Windows" green button. After that, you need to decide which repo will have the right to push to the GitHub one: your central server, or the local repos on your user's corporate workstation (which have limited network capacities, and can only clone from your corporate server)? – VonC Jan 20 '14 at 12:26
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/45648/discussion-between-laszlo-and-vonc) – László Jan 20 '14 at 14:06
0

(From my own answer to the SuperUser thread:) An official GitHub help page might have the answer:

Current IP Addresses

We currently serve our applications via the following IP address range. Note: This is in CIDR notation.

192.30.252.0/22

In order to access all of our services, please ensure that TCP ports 22, 80, 443, and 9418 are allowed via the IP range above.

These IPs may change (or be added to) in the future, and we will keep this page up to date.

Service Hook IP Addresses

We highly recommend that you don't white list IPs for Service Hooks. Instead, setup HTTPS and basic authentication to verify incoming requests.

Hooks will come from the following IP address range. Note: This is in CIDR notation.

192.30.252.0/22

There is an API endpoint to access these IPs programmatically. Subscribe to the API Changes blog to stay current.

Upcoming IP Addresses

We also own the following block of IP addresses which will be used in the future. This page will be updated once they are in active use.

2620:112:3000::/44

László
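
The range and ports quoted in this answer, turned into outbound Windows Firewall rules, as an added example that is not from either answer or from GitHub. It assumes Windows Server 2012 with the built-in NetSecurity cmdlets, run from an elevated prompt; the rule group name is hypothetical, and the rules are machine-wide rather than per user account. Only 443 is enabled, matching the HTTPS suggestion in the first answer; the other listed ports are created disabled.

```powershell
# Added example. Range and ports are copied from the help page quoted above;
# that page says they may change, so confirm them before proposing the rule.
$GitHubRange = '192.30.252.0/22'
$Group       = 'GitHub client egress'   # hypothetical rule group name

# Ports listed on the quoted page. Only HTTPS is enabled; the rest exist
# but stay off, so enabling one later is a toggle, not a new rule.
$Ports = @(
    @{ Port = 443;  Name = 'HTTPS';        Enabled = 'True'  },
    @{ Port = 22;   Name = 'SSH';          Enabled = 'False' },
    @{ Port = 80;   Name = 'HTTP';         Enabled = 'False' },
    @{ Port = 9418; Name = 'git protocol'; Enabled = 'False' }
)

# Re-runnable: remove rules left by an earlier run of this script.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

foreach ($p in $Ports) {
    New-NetFirewallRule -DisplayName "GitHub $($p.Name) out" -Group $Group `
        -Direction Outbound -Action Allow -Protocol TCP `
        -RemoteAddress $GitHubRange -RemotePort $p.Port `
        -Profile Any -Enabled $p.Enabled | Out-Null
}

# Allow rules narrow nothing unless outbound traffic is blocked by default.
# If DefaultOutboundAction shows Allow, the accounts are not locked down
# by the firewall and these rules have no restricting effect.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction

# Review what was created: name, state, remote address and remote port.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Remote  = $addr.RemoteAddress
        Port    = $port.RemotePort
    }
} | Format-Table -AutoSize
```

The client also has to resolve github.com, so DNS to the site's resolver must remain reachable from the server.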