Connect a Git Repository Protected by a Firewall (On Premise)

Updated 2 weeks ago by Copado Solutions

Copado can connect to a Git repository hosted on your own servers (on premise) even if it is protected by a firewall.

The firewall acts as a protection layer between the server where the Git repository is hosted and the rest of the internet (the outside world).

In order for the Copado backend to connect to the Git repository, there are specific requirements that need to be met:

  1. The Git repository must be accessible through an HTTPS URL.
  2. The firewall must accept incoming requests from Copado to access the Git repository using the HTTPS URL.
SSH connection to a server with IP restrictions (firewall) is not possible. 

HTTPS URL

The Git Repository must have a secure URL so that it is accessible over the internet. When setting up Git:

  1. Initialize a Git server so that the Git repositories created on this server are accessible via HTTP.
  2. Configure an SSL certificate on the server so that the transfer of the repository data is encrypted.
    1. The SSL certificate cannot be self-signed; it must be issued by a trusted SSL certificate authority.

Once the SSL certificate is configured, the Git repository can be accessed through a secure HTTPS URL (e.g. https://...). This way, Copado ensures that all information is encrypted when transferred.

Firewall Configuration

Until the firewall is configured to allow it, any attempt by Copado to access the Git repository's HTTPS URL will fail, because the firewall blocks Copado from reaching the Git repository.

Your IT/Security team must configure the firewall so that it accepts incoming requests from the Copado backend. This team must:

  1. Enable (whitelist) the requests coming from the Copado backend IP addresses.
  2. Open port 443 for the Copado IP addresses.
  3. Allow the Git repository's HTTPS URL to be accessed by the Copado IP addresses.

Troubleshooting

If, after configuring the SSL certificate and whitelisting the Copado IP addresses, Copado still cannot connect to your Git repository, you can download this jar file to a computer* and execute it on the command line to see if there are any HTTPS connection errors, as follows:

java -jar testHTTPS.jar https://github.mycompany.com

You will need to replace 'https://github.mycompany.com' with your server URL (make sure it's an HTTPS URL).

If you see the message 'OK. SSL certificate is trusted.', then you are good. Otherwise, follow the recommendations provided by the program.

If the certificate is not properly installed, or Java doesn't trust it, you will get an error message like the one below:

Exception in thread "main" javax.net.ssl.SSLException: ......

If this is the case, troubleshoot the error until the connection is successful**.

*Make sure that the machine where the program is running doesn't have any custom certificates installed.

**Copado does not provide support for SSL certificate installation/configuration or whitelisting of IP addresses in your network.
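
As a complement to the jar, the following added example (not Copado's tool and not part of the original article) separates the two requirements on this page: a port that cannot be reached points at the firewall rule, while a verification error points at the certificate. It validates against the operating system's CA bundle rather than Java's trust store, and it only tests reachability from the machine it runs on, not from the Copado IP addresses; the function names and status labels are assumptions of this example.

```python
import socket
import ssl
import sys
from urllib.parse import urlsplit


def classify(exc):
    """Map a connection failure to the requirement on this page it points at."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # verify_message is e.g. "self-signed certificate" or "certificate has expired"
        detail = getattr(exc, "verify_message", "") or str(exc)
        return "CERTIFICATE", f"certificate not trusted: {detail}"
    if isinstance(exc, ssl.SSLError):
        return "TLS", f"TLS handshake failed (is this port really serving HTTPS?): {exc}"
    if isinstance(exc, socket.gaierror):
        return "DNS", "host name does not resolve from this machine"
    if isinstance(exc, (TimeoutError, socket.timeout, ConnectionRefusedError)):
        return "FIREWALL", "port not reachable (dropped or refused); check the firewall rule"
    return "NETWORK", f"connection failed: {exc}"


def check(url, timeout=10.0):
    """Return (status, message); status is 'OK' when the certificate chain is trusted."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return "URL", "an https:// URL is required"
    # Default context: system CA bundle, hostname check on, self-signed certificates rejected.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((parts.hostname, parts.port or 443), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=parts.hostname) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "OK", f"certificate trusted, issued by {issuer.get('organizationName', '?')}"
    except OSError as exc:
        return classify(exc)


if __name__ == "__main__":
    # Placeholder URL taken from the article; pass your own server URL as the first argument.
    url = sys.argv[1] if len(sys.argv) > 1 else "https://github.mycompany.com"
    status, message = check(url)
    print(f"{status}: {message}")
    sys.exit(0 if status == "OK" else 1)
```

A CERTIFICATE result for a self-signed or incomplete chain corresponds to the SSLException case described above; a FIREWALL result means the request never reached the TLS handshake.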

Alternative Options

  • If your on-premise Git repositories are strictly inaccessible, you can use Layer 7 API Management in your network to safely route and control the Copado connection to the specific Git repository containing your Salesforce metadata.
  • Use a proxy agent to connect to the Git repository. Contact your sales executive or customer success manager for more information about this option.

