5.2.1. Whitelisting#

Available since version 3.9.0

Vantage6 algorithms are normally disconnected from the internet, and are therefore unable to connect to access data that is not connected to the node on node startup. Via this feature it is possible to whitelist certain domains, ips and ports to allow the algorithm to connect to these resources. It is important to note that only the http protocol is supported. If you require a different protocol, please look at SSH Tunnel.

Warning

As a node owner you are responsible for the security of your node. Make sure you understand the implications of whitelisting before enabling this feature.

Be aware that when a port is whitelisted it is whitelisted for all domains and ips.

Setting up whitelisting#

Add block whitelist to the node configuration file:

whitelist:
    domains:
        - .google.com
        - github.com
        - host.docker.internal # docker host ip (windows/mac)
    ips:
        - 172.17.0.1 # docker bridge ip (linux)
        - 8.8.8.8
    ports:
        - 443

Note

This feature makes use of Squid, which is a proxy server. For every domain, ip and port a acl directive is created. See their documentation for more details on what valid values are.

Implementation details / Notes#

The algorithm container is provided with the environment variables http_proxy, HTTP_PROXY, https_proxy, HTTPS_PROXY, no_proxy and NO_PROXY. Unfortunately, there is no standard for handling these variables. Therefore, whether this works will depend on the application you are using. See this post for more details.

In case the algorithm tries to connect to a domain that is not whitelisted, a http 403 error will be returned by the squid instance.

Warning

Make sure the requests from the algorithm are using the environment variables. Some libraries will ignore these variables and use their own configuration.

  • The requests library will work for all cases.

  • The curl command will not work for vantage6 VPN addresses as the format of no_proxy variable is not supported. You can fix this by using the --noproxy option when requesting a VPN address.

Note

VPN addresses in no_proxy have the same format as in the node configuration file, by default 10.76.0.0/16. Make sure the request library understands this format when connecting to a VPN address.