
Configure your firewall for Workbrew

Petros Amoiridis

This guide walks you through configuring your network firewall to allow Workbrew devices to communicate with the Workbrew Console and download Homebrew packages. For a full list of domains and ports, see Network requirements.

Allow Workbrew Console traffic

Add the following FQDN-based allowlist rule for outbound HTTPS traffic on port 443:

console.workbrew.com

This is required for agent check-ins, receiving commands, and downloading agent updates.

Allow Homebrew package traffic

Add the following FQDN-based allowlist rules for outbound HTTPS traffic on port 443:

formulae.brew.sh
ghcr.io
github.com
*.githubusercontent.com

These are required for Homebrew to fetch formula and cask metadata, download pre-built bottles, update taps, and download cask artifacts hosted on GitHub Releases.

Allow cask vendor domains

Cask downloads come directly from each application's vendor. If your firewall restricts outbound traffic, you will need to allowlist vendor domains for each cask your fleet uses.

For example, to allow Google Chrome and Firefox downloads:

dl.google.com
download.mozilla.org

You can find the download URL for a specific cask by running:

brew info --cask <cask-name>

Use an HTTP proxy instead

If your organization routes traffic through an HTTP proxy, the Workbrew Agent auto-detects macOS system proxy settings, including PAC (Proxy Auto-Configuration) files. No additional Workbrew configuration is needed.

For Homebrew package downloads through a proxy, you can set environment variables to route traffic through a caching proxy such as Artifactory or Nexus:

  • Set HOMEBREW_ARTIFACT_DOMAIN to prefix all download URLs with your proxy's address
  • Set HOMEBREW_BOTTLE_DOMAIN to redirect bottle downloads to an internal mirror
  • Set HOMEBREW_API_DOMAIN to redirect API metadata requests to an internal mirror

See Network requirements for the full list of configurable environment variables.

Verify connectivity

After configuring your firewall, verify that a device can reach all required endpoints:

curl -s -o /dev/null -w "%{http_code}" https://console.workbrew.com
curl -s -o /dev/null -w "%{http_code}" https://formulae.brew.sh/api/formula.json
curl -s -o /dev/null -w "%{http_code}" https://ghcr.io/v2/
curl -s -o /dev/null -w "%{http_code}" https://github.com

A 200 or 301 response confirms the endpoint is reachable. A connection timeout or 000 (the code curl prints when no HTTP response was received at all) indicates the domain is still blocked.
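The same check as a script, added here as an example rather than Workbrew's own tooling: it probes the four endpoints above, applies the reachable/blocked rule from this section, and exits non-zero if anything is still blocked, so it can run from an MDM script or a CI job. It assumes only the Python standard library; note that ghcr.io/v2/ answers 401 to unauthenticated requests, which still proves the host is reachable.

```python
"""Connectivity check for the endpoints in the Workbrew firewall guide
(added example; the `probe` hook and `classify` rule are this script's own)."""
import sys
import urllib.error
import urllib.request

# Endpoints from the guide. ghcr.io/v2/ replies 401 without a token;
# that is still an HTTP answer from the real host, i.e. not blocked.
REQUIRED_ENDPOINTS = [
    "https://console.workbrew.com",
    "https://formulae.brew.sh/api/formula.json",
    "https://ghcr.io/v2/",
    "https://github.com",
]
BLOCKED, REACHABLE = "blocked", "reachable"


def http_status(url, timeout=10):
    """HTTP status code of a GET, or 0 when no HTTP response came back
    (DNS failure, refused/timed-out connection, TLS interception):
    the equivalent of curl's 000."""
    try:
        req = urllib.request.Request(url, headers={"User-Agent": "workbrew-fw-check"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # server answered, e.g. 401/403/404
        return err.code
    except (urllib.error.URLError, OSError, ValueError):
        return 0


def classify(code):
    """Guide's rule (2xx/3xx reachable, 000 blocked), plus 401 for ghcr.io."""
    if code == 0:
        return BLOCKED
    if 200 <= code < 400 or code == 401:
        return REACHABLE
    return f"unexpected ({code})"  # e.g. a proxy block page returning 403


def check_endpoints(urls, probe=http_status):
    """Probe each URL; `probe` is injectable so the logic runs offline."""
    results = {}
    for url in urls:
        code = probe(url)
        results[url] = (code, classify(code))
    return results


def all_reachable(results):
    return all(verdict == REACHABLE for _, verdict in results.values())


if __name__ == "__main__":
    results = check_endpoints(REQUIRED_ENDPOINTS)
    for url, (code, verdict) in results.items():
        print(f"{url:<45} {code:03d} {verdict}")
    sys.exit(0 if all_reachable(results) else 1)
```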