Incomplete documentation of CrowdSec outbound domains (egress traffic)

[fkhn]

Incomplete documentation of CrowdSec outbound domains (egress traffic)

The official CrowdSec documentation about network management lists the domains used by CrowdSec components for outbound HTTPS connections.
However, when running CrowdSec in an environment with a default-deny outbound policy, additional domains are required in practice.

---

Missing / inconsistent domains

• hub-data.crowdsec.net → CNAME to *.cloudfront.net
• cdn-hub.crowdsec.net (instead of hub-cdn.crowdsec.net in the docs) → CNAME to *.cloudfront.net
• www.cloudflare.com (used indirectly when retrieving some assets)

---

Packagecloud specific

The documentation only mentions packagecloud.io, but in practice CloudFront is also required:

• d3fo0g5hm7lbuv.cloudfront.net → documented by packagecloud.io

---

Expected behavior

The list of outbound domains in the official documentation should be complete and accurate, so that administrators operating under a default-deny outbound policy can correctly whitelist the required domains/IPs.

---

Suggested fix

• Add hub-data.crowdsec.net
• Clarify hub-cdn.crowdsec.net vs. cdn-hub.crowdsec.net
• Mention the dependency on CloudFront (AWS) and Cloudflare where applicable
• Add d3fo0g5hm7lbuv.cloudfront.net as required for packagecloud.io (see packagecloud.io security documentation)

---