Incomplete documentation of CrowdSec outbound domains (egress traffic)
The official CrowdSec documentation about network management lists the domains used by CrowdSec components for outbound HTTPS connections.
However, when running CrowdSec in an environment with a default-deny outbound policy, additional domains are required in practice.
Missing / inconsistent domains
hub-data.crowdsec.net → CNAME to *.cloudfront.netcdn-hub.crowdsec.net (instead of hub-cdn.crowdsec.net in the docs) → CNAME to *.cloudfront.netwww.cloudflare.com (used indirectly when retrieving some assets)
Packagecloud specific
The documentation only mentions packagecloud.io, but in practice CloudFront is also required:
Expected behavior
The list of outbound domains in the official documentation should be complete and accurate, so that administrators operating under a default-deny outbound policy can correctly whitelist the required domains/IPs.
Suggested fix
- Add
hub-data.crowdsec.net
- Clarify
hub-cdn.crowdsec.net vs. cdn-hub.crowdsec.net
- Mention the dependency on CloudFront (AWS) and Cloudflare where applicable
- Add
d3fo0g5hm7lbuv.cloudfront.net as required for packagecloud.io (see packagecloud.io security documentation)
Incomplete documentation of CrowdSec outbound domains (egress traffic)
The official CrowdSec documentation about network management lists the domains used by CrowdSec components for outbound HTTPS connections.
However, when running CrowdSec in an environment with a default-deny outbound policy, additional domains are required in practice.
Missing / inconsistent domains
hub-data.crowdsec.net→ CNAME to*.cloudfront.netcdn-hub.crowdsec.net(instead ofhub-cdn.crowdsec.netin the docs) → CNAME to*.cloudfront.netwww.cloudflare.com(used indirectly when retrieving some assets)Packagecloud specific
The documentation only mentions
packagecloud.io, but in practice CloudFront is also required:d3fo0g5hm7lbuv.cloudfront.net→ documented by packagecloud.ioExpected behavior
The list of outbound domains in the official documentation should be complete and accurate, so that administrators operating under a default-deny outbound policy can correctly whitelist the required domains/IPs.
Suggested fix
hub-data.crowdsec.nethub-cdn.crowdsec.netvs.cdn-hub.crowdsec.netd3fo0g5hm7lbuv.cloudfront.netas required for packagecloud.io (see packagecloud.io security documentation)