About subdomain isolation
Subdomain isolation mitigates cross-site scripting and other related vulnerabilities. For more information, see "Cross-site scripting" on Wikipedia. We highly recommend that you enable subdomain isolation on 你的 GitHub Enterprise Server 实例.
When subdomain isolation is enabled, GitHub Enterprise Server replaces several paths with subdomains. After enabling subdomain isolation, attempts to access the previous paths for some user-supplied content, such as http(s)://HOSTNAME/raw/, may return 404 errors.
| Path without subdomain isolation | Path with subdomain isolation |
|---|---|
http(s)://HOSTNAME/ | http(s)://docker.HOSTNAME/ |
http(s)://HOSTNAME/_registry/npm/ | https://npm.HOSTNAME/ |
http(s)://HOSTNAME/_registry/rubygems/ | https://rubygems.HOSTNAME/ |
http(s)://HOSTNAME/_registry/maven/ | https://maven.HOSTNAME/ |
http(s)://HOSTNAME/_registry/nuget/ | https://nuget.HOSTNAME/ |
http(s)://HOSTNAME/assets/ | http(s)://assets.HOSTNAME/ |
http(s)://HOSTNAME/avatars/ | http(s)://avatars.HOSTNAME/ |
http(s)://HOSTNAME/codeload/ | http(s)://codeload.HOSTNAME/ |
http(s)://HOSTNAME/gist/ | http(s)://gist.HOSTNAME/ |
http(s)://HOSTNAME/media/ | http(s)://media.HOSTNAME/ |
http(s)://HOSTNAME/notebooks/ | http(s)://notebooks.HOSTNAME/ |
http(s)://HOSTNAME/pages/ | http(s)://pages.HOSTNAME/ |
http(s)://HOSTNAME/raw/ | http(s)://raw.HOSTNAME/ |
http(s)://HOSTNAME/reply/ | http(s)://reply.HOSTNAME/ |
http(s)://HOSTNAME/uploads/ | http(s)://uploads.HOSTNAME/ |
http(s)://HOSTNAME/viewscreen/ | http(s)://viewscreen.HOSTNAME/ |
| Not supported | https://containers.HOSTNAME/ |
Prerequisites
警告:如果禁用子网分隔,建议同时在企业上禁用 GitHub Pages。 无法将用户提供的 GitHub Pages 内容与其余企业数据分隔。 有关详细信息,请参阅“Configuring GitHub Pages for your enterprise”。
Before you enable subdomain isolation, you must configure your network settings for your new domain.
- Specify a valid domain name as your hostname, instead of an IP address. For more information, see "Configuring the hostname for your instance."
警告:初始设置后不要更改 GitHub Enterprise Server 的主机名。 更改主机名将会导致意外的行为,甚至包括实例中断和用户安全密钥失效。 如果更改了实例的主机名并遇到问题,请联系GitHub Enterprise 支持或GitHub 高级支持。
- Set up a wildcard Domain Name System (DNS) record or individual DNS records for the subdomains listed above. We recommend creating an A record for
*.HOSTNAMEthat points to your server's IP address so you don't have to create multiple records for each subdomain. - Get a wildcard Transport Layer Security (TLS) certificate for
*.HOSTNAMEwith a Subject Alternative Name (SAN) for bothHOSTNAMEand the wildcard domain*.HOSTNAME. For example, if your hostname isgithub.octoinc.com, get a certificate with the Common Name value set to*.github.octoinc.comand a SAN value set to bothgithub.octoinc.comand*.github.octoinc.com. - Enable TLS on your appliance. For more information, see "Configuring TLS."
Enabling subdomain isolation
-
在 GitHub Enterprise Server 上的管理帐户中,在任一页面的右上角,单击 。
-
如果你尚未在“站点管理员”页上,请在左上角单击“站点管理员”。
-
在“ 站点管理”边栏中,单击“管理控制台”。
-
在“设置”边栏中,单击“主机名”。
-
Select Subdomain isolation (recommended).
-
在“设置”边栏下,单击“保存设置”。
注意:保存 管理控制台 中的设置会重启系统服务,这可能会导致用户可察觉的停机时间。
-
等待配置运行完毕。