GitHub blocked on our server

Our school and county just recently upped their Wi-Fi server security. The main sites blocked are GitHub and a lot of websites that allow CAD files and PDFs to be downloaded. In years past I had to reach out to the IT department to unblock Twitch so we could view kickoff. I’ve reached out to the county IT department again and was told they’re blocked due to negative materials that can be downloaded on the county server.
Our school is a huge brick concrete structure that barely allows cell phone reception, so a mobile hotspot is out of the question. What are the alternatives to using GitHub to share real-time data with our programmers? Are there any other sites that may be accessible?

So, if it were me, I’d contact GitHub (Microsoft really) and ask for their educational group to have a chat with your county IT folks. This is bad for them too and I suspect they’ll know how to alleviate the concerns as they likely deal with other schools on this.

21 Likes

There are many, many GitHub alternatives out there. If you cannot get GitHub unblocked, you can try out GitLab or Bitbucket. If for some reason those are blocked too, you can run your own GitLab instance or a Gitea instance. The experience locally will be almost identical. The only differences you might notice are with the web interface of whatever git server software you use.

There is also other version control software out there, but git is the most familiar and most used.

Also worth mentioning that if you still want your code to be on GitHub, you can push to your (for instance) GitLab repository while on school WiFi, then push to the GitHub repository while on other WiFi. Git is decentralized, so that’s one of its advantages.

8 Likes

We are having the same problem at our school. Yes, we could use GitLab for our code and all, but the main problem with having GitHub blocked is that WPILib and other software resources used for FIRST are mostly on GitHub, so it makes it hard to download updates or firmware for the driver station and robot components.

Last year I set up an OpenVPN server and that worked for about half the year until they changed something and it quit allowing the connection. Most VPNs also have the same issue of not connecting; I have yet to figure out the cause of this.

2 Likes

The other issue is that some schools will block SSH in general… my old high school does this and does Deep Packet Inspection.

1 Like

“Can Nginx do TCP load balance with SSL termination?” (Stack Overflow) might help you disguise your connection better. My understanding is that OpenVPN does not use a “standard” TLS handshake which may be detectable [1].

4 Likes

I know of schools blocking things like P2P, but this reaches pretty far. Either way, GitHub still allows HTTPS authentication using some sort of token thing, but I usually prefer SSH keys anyway, so that would definitely be inconvenient for myself and others that are used to using SSH authentication.

Vendors are generally aware of this “loophole” and can optionally block it.

Copy options to try:

  1. Use an offsite machine to do this ‘reference checking’ - you can either use Google’s browser Remote Desktop client, TeamViewer (no longer recommended for the free license - too many false identifications), DWServices.net, etc. [These do not require any firewall/VPN configuration/settings, so they are less likely to have issues with your school’s IT].

  2. Similar to #1 but without the risk of opening up your own machine at home → If you are a non-profit, you can apply for MS’s Non-Profit and can up MS Office 365 licenses for free; with this comes a ~$3k Azure credit that you can use to set up remote desktop(s) and use these for ‘checking on GitHub’ (at least for documentation in that regard).

  • (follow on) - You can also set up a proxy using these Azure credits too and potentially hook into GitHub. [I’ve never done this myself but it should be a possibility].
  • AWS has something similar as well.

Is it an SSL thing? I’m not an IT person but as I understand our system doesn’t block github.com but wants its own certificate for any https site. We download the local certificate (I know how to do it in Firefox) and load that as a root trusted cert either just in Firefox for browsing or in the system so Chrome and some other things work as well.

We’ve had to request sites be whitelisted and it’s taken some time but we’ve had success with that. The workarounds are not better for security but sometimes they don’t see it that way.

I am struggling to see how that cert scheme would improve security.

Are they employing some man-in-middle SSL proxy?

Yes that’s typically the approach. Many workplaces install their own root certs onto work computers so their edge proxies/firewalls can MITM SSL connections for deep inspection/filtering. Broader usage of this is an unfortunate consequence of the “https everywhere” campaigns and in many ways makes things less secure (how secure is the installed root cert compared to public CAs?).

SSH is often blocked (except for specific whitelisted things) for similar reasons.

Yes, but then having a system to allow individual browsers to add each cert is bad practice. Should have a corp CA that gets installed into each PC.

Encrypt everywhere is generally a good practice. If you add a CA that’s a corp CA that’s fine. Your traffic and communication on a corp device is not your own.

In this case I’m assuming it’s a personal/team owned computer, not an IT-managed one.

Sounds like they need to configure git to use the SSL cert.

The original poster didn’t say if they were Windows or Linux.

1 Like
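One way to do what the post above suggests, as an added example that is not from any poster in this thread: build a CA bundle containing the public roots plus the network's inspection root and point a single repository at it, leaving certificate verification on. The file paths and function names are assumptions; `http.sslCAInfo`, `http.sslVerify` and `http.sslBackend` are git's own settings.

```shell
#!/bin/sh
# Added example. Paths passed to these functions are placeholders; the
# network's root certificate is assumed to have been exported as Base-64 PEM.
# On Git for Windows, `git config --global http.sslBackend schannel` is an
# alternative: git then uses the Windows certificate store, where a root
# installed system-wide is already trusted.

# True if the file carries PEM certificate markers (rejects DER or HTML pages).
is_pem_cert() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
    grep -q -e '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# Number of certificates in a PEM file.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# build_ca_bundle BASE_BUNDLE NETWORK_CA OUT
# http.sslCAInfo names the file git verifies against, so OUT has to keep the
# public roots next to the added one or non-intercepted sites stop verifying.
build_ca_bundle() {
    bcb_base=$1; bcb_extra=$2; bcb_out=$3
    is_pem_cert "$bcb_base" || { echo "not a PEM bundle: $bcb_base" >&2; return 1; }
    is_pem_cert "$bcb_extra" || { echo "not a PEM certificate: $bcb_extra" >&2; return 1; }
    cat "$bcb_base" "$bcb_extra" > "$bcb_out"
}

# use_bundle_for_repo REPO_DIR BUNDLE   (BUNDLE should be an absolute path)
# Applies the bundle to one repository only, and refuses if verification has
# been turned off, since that would accept any certificate at all.
use_bundle_for_repo() {
    ubr_repo=$1; ubr_bundle=$2
    if [ "$(git -C "$ubr_repo" config --bool --get http.sslVerify)" = "false" ]; then
        echo "http.sslVerify is false; remove that setting first" >&2
        return 1
    fi
    git -C "$ubr_repo" config http.sslCAInfo "$ubr_bundle"
}
```

Setting this per repository rather than with `--global` keeps the extra root from being trusted for every other remote the machine talks to.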

Windows

Team owned but using the school / county Wi-Fi.

1 Like

You could also try a VPN. There are lots to try, or you can run your own on an external machine (e.g. a $5/month Linode). But given their strictness, it would not surprise me if they block that.

Also, don’t forget that you only need Internet access for the Git push/pull operations. You can check in locally to your heart’s content, using a laptop or even a USB stick and then do the push outside the building.

Are you referring to MITM TLS decryption? I’m not sure how else you would conditionally block a standard-looking TLS session terminated by nginx. In that case all bets are off.

Let’s say you have some sort of transparent proxy setup to allow for inspection.

As an IT admin you really don’t want users having to do any manual steps to access sites.

You probably don’t even want them aware of it.

So most organizations that run this kind of stuff use their own internal certificate authority and have it pre-installed.