Our company deploys embedded devices at customer sites that connect to the Internet through their internal networks. We use Hosted Mender to supply FOTA updates to these devices. The Mender client in our firmware is version 2.4.
One of our customers has a fairly strict network security policy requiring all HTTP requests to be proxied through an internal proxy server that they control. This customer wants to limit outbound HTTP traffic to the absolute minimum, hence I need some information about the URLs the Mender client uses with Hosted Mender.
When a Mender client fetches an update, this post establishes that the Hosted Mender server returns an artifact download URL that points directly to an Amazon AWS S3 address. This setup does not require HTTPS access on port 9000 because Hosted Mender does not use the minio storage proxy, unlike self-hosted Mender.
From watching Mender client logs on a test device, it seems to require HTTPS access to 2 hosts:
- Mender server (for update check and inventory update): https://hosted.mender.io
- Amazon AWS S3 (for artifact download): https://s3.amazonaws.com
I successfully demonstrated inventory check-in and a FOTA update by proxying the HTTPS connections through a Squid proxy server. Using guidance from this thread, I set up a systemd drop-in file for the mender-client service (I hid the Squid proxy server address in the blurb below):

```
cat /etc/systemd/system/mender-client.service.d/10-http-proxy.conf
[Service]
Environment="HTTPS_PROXY=http://<squid_proxy_server_ip>:3128"
PassEnvironment=HTTPS_PROXY
```
Although this sufficed for my test using a proxy server I control, I need more information about Hosted Mender URLs because the customer wants to further narrow them if possible. I came across this tutorial that mentioned a more specific path for the Amazon AWS S3 bucket address. So the most specific URL information I have at this point is the following:
Does this list cover all the URLs I need to watch out for? Will either of the above URLs be redirected somewhere else? Does the multi-tenant platform allow for paths such as
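The narrowing the customer is asking for can be expressed on the Squid side as an allow-list of CONNECT destinations, with everything else denied and logged. The squid.conf fragment below is an added example, not from the original post or from Mender; it assumes Squid listens on port 3128 (matching the HTTPS_PROXY value in the drop-in above), that the two hosts observed in the client logs are the complete set, and that the S3 download may be served from a bucket- or region-specific subdomain of s3.amazonaws.com, which is why that entry carries a leading dot.

```conf
# Added example: Squid egress allow-list for a Mender client (not from the post).
# Assumes Squid listens on 3128, matching the HTTPS_PROXY value in the drop-in.
http_port 3128

# Destinations the post observed the Mender client contacting.
# The leading dot makes dstdomain also match subdomains, so a bucket- or
# region-specific S3 endpoint (e.g. <bucket>.s3.amazonaws.com) is still allowed.
# That the download may use such a subdomain is an assumption, not a documented fact.
acl mender_hosts dstdomain hosted.mender.io
acl mender_hosts dstdomain .s3.amazonaws.com

# The client uses HTTPS for everything, so only tunnels to TCP/443 are needed.
acl SSL_ports port 443
acl CONNECT method CONNECT

# Refuse CONNECT to any port other than 443 before looking at destinations.
http_access deny CONNECT !SSL_ports

# Allow the tunnel only to the approved destinations, then deny everything else.
# Denied attempts appear as TCP_DENIED in the access log; watching for them
# during an inventory check-in and an update is how to confirm the list is
# complete (for example, if a download URL redirects to a host not listed here).
http_access allow CONNECT mender_hosts
http_access deny all

# Keep the access log so that misses are visible.
access_log daemon:/var/log/squid/access.log squid
```

After reloading Squid with this fragment, run a check-in and an update on the test device and grep the access log for TCP_DENIED: an empty result means the two entries above were sufficient for that run, while any hit names the exact host that would also need to be allowed (or investigated). Note that dstdomain matches the hostname the client asks to CONNECT to, so a client that were ever given a bare IP address in a download URL would be denied rather than silently allowed.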