5.2.1. Whitelisting#
Available since version 3.9.0
Vantage6 algorithms are normally disconnected from the internet, and are therefore unable to connect to access data that is not connected to the node on node startup. Via this feature it is possible to whitelist certain domains, ips and ports to allow the algorithm to connect to these resources. It is important to note that only the http protocol is supported. If you require a different protocol, please look at SSH Tunnel.
Warning
As a node owner you are responsible for the security of your node. Make sure you understand the implications of whitelisting before enabling this feature.
Be aware that when a port is whitelisted it is whitelisted for all domains and ips.
Setting up whitelisting#
Add block whitelist
to the node configuration file:
whitelist:
domains:
- .google.com
- github.com
- host.docker.internal # docker host ip (windows/mac)
ips:
- 172.17.0.1 # docker bridge ip (linux)
- 8.8.8.8
ports:
- 443
Note
This feature makes use of Squid, which is a proxy server. For every domain, ip and port a acl directive is created. See their documentation for more details on what valid values are.
Implementation details / Notes#
The algorithm container is provided with the environment variables
http_proxy
, HTTP_PROXY
, https_proxy
, HTTPS_PROXY
, no_proxy
and NO_PROXY
. Unfortunately, there is no standard for handling these
variables. Therefore, whether this works will depend on the application you
are using. See this
post for more details.
In case the algorithm tries to connect to a domain that is not whitelisted, a http 403 error will be returned by the squid instance.
Warning
Make sure the requests from the algorithm are using the environment variables. Some libraries will ignore these variables and use their own configuration.
The
requests
library will work for all cases.The
curl
command will not work for vantage6 VPN addresses as the format ofno_proxy
variable is not supported. You can fix this by using the--noproxy
option when requesting a VPN address.
Note
VPN addresses in no_proxy
have the same format as in the node
configuration file, by default 10.76.0.0/16
. Make sure the request
library understands this format when connecting to a VPN address.