You can set up subdomain isolation to securely separate user-supplied content from other portions of your GitHub Enterprise appliance.
About subdomain isolation
Subdomain isolation mitigates cross-site scripting and other related vulnerabilities. For more information, see "Cross-site scripting" on Wikipedia. We highly recommend that you enable subdomain isolation on your GitHub Enterprise instance.
When subdomain isolation is enabled, GitHub Enterprise replaces several paths with subdomains.
Path without subdomain isolation | Path with subdomain isolation |
---|---|
http(s)://hostname/assets/ | http(s)://assets.hostname/ |
http(s)://hostname/avatars/ | http(s)://avatars.hostname/ |
http(s)://hostname/codeload/ | http(s)://codeload.hostname/ |
http(s)://hostname/gist/ | http(s)://gist.hostname/ |
http(s)://hostname/gist-assets/ | http(s)://gist-assets.hostname/ |
http(s)://hostname/gist-raw/ | http(s)://gist-raw.hostname/ |
http(s)://hostname/media/ | http(s)://media.hostname/ |
http(s)://hostname/pages/ | http(s)://pages.hostname/ |
http(s)://hostname/raw/ | http(s)://raw.hostname/ |
http(s)://hostname/render/ | http(s)://render.hostname/ |
http(s)://hostname/reply/ | http(s)://reply.hostname/ |
http(s)://hostname/uploads/ | http(s)://uploads.hostname/ |
Prerequisites
Warning: If subdomain isolation is disabled, we recommend also disabling GitHub Pages on your appliance. There will be no way to isolate user-supplied GitHub Pages content from the rest of your appliance's data. For more information, see "Configuring GitHub Pages on your appliance."
Before you enable subdomain isolation, you must configure your network settings for your new domain.
- Specify a valid domain name as your hostname, instead of an IP address. For more information, see "Configuring a hostname." We don't officially support changing the hostname for your GitHub Enterprise instance after you configure it during initial setup.
- Set up a wildcard Domain Name System (DNS) record or individual DNS records for the subdomains listed above. We recommend creating an A record for *.[hostname] that points to your server's IP address so you don't have to create multiple records for each subdomain.
- Get a wildcard Transport Layer Security (TLS) certificate for *.[hostname] with a Subject Alternative Name (SAN) for both [hostname] and the wildcard domain *.[hostname]. For example, if your hostname is github.octoinc.com, get a certificate with the Common Name value set to *.github.octoinc.com and a SAN value set to both github.octoinc.com and *.github.octoinc.com.
- Enable TLS on your appliance. For more information, see "Configuring TLS."
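The certificate requirement above can be checked before you enable the setting. The following is an added example, not GitHub's own tooling: it lists which of the required names a certificate's SAN entries fail to cover, using the standard wildcard rule that * stands for exactly one left-most label. The function names and the sample SAN lists are constructed for illustration.

```python
# Added example: function names and sample SAN lists are constructed for illustration.
# Subdomain labels taken from the path table in this guide.
SUBDOMAINS = ["assets", "avatars", "codeload", "gist", "gist-assets", "gist-raw",
              "media", "pages", "raw", "render", "reply", "uploads"]


def san_matches(pattern, name):
    """Return True if one SAN DNS entry covers `name`.

    A wildcard is honoured only as the entire left-most label and stands for
    exactly one label, so *.example.com covers a.example.com but neither
    example.com nor a.b.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        return bool(n[0]) and p[1:] == n[1:]
    return p == n


def required_names(hostname):
    """Names the appliance serves once subdomain isolation is enabled."""
    return [hostname] + [f"{label}.{hostname}" for label in SUBDOMAINS]


def uncovered_names(hostname, sans):
    """Required names that no SAN entry covers (empty list means full coverage)."""
    return [name for name in required_names(hostname)
            if not any(san_matches(san, name) for san in sans)]


if __name__ == "__main__":
    host = "github.octoinc.com"  # example hostname used in this guide
    samples = {  # constructed SAN lists
        "hostname + wildcard": [host, "*." + host],
        "wildcard only": ["*." + host],
        "hostname only": [host],
        "parent-domain wildcard": [host, "*.octoinc.com"],
    }
    for label, sans in samples.items():
        missing = uncovered_names(host, sans)
        print(f"{label}: {missing if missing else 'all names covered'}")
```

To check a deployed certificate, pass in the DNS entries from the subjectAltName field returned by Python's ssl.SSLSocket.getpeercert().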
Enabling subdomain isolation
- In the upper-right corner of any page, click .
- In the left sidebar, click Management Console.
- In the left sidebar, click Hostname.
- Select Subdomain isolation (recommended).
- Under the left sidebar, click Save settings.