Managing software in complex network environments: the Snap Store Proxy

by Holly Hall on 15 January 2024

As enterprises grapple with the evolving landscape of security threats, the need to safeguard internal networks from the broader internet is increasingly important. In environments with restricted internet access, it can be difficult to manage software updates in an easy, reliable way. When managing devices in the field, change management and compliance policies can introduce even more complexity to the update process. You can solve these challenges using snaps and the Snap Store Proxy.

What are snaps?

Snaps are containerised software packages that work across a wide range of Linux distributions. They are secure, highly portable and isolated from the underlying system, ideal for a broad range of use cases across desktops, servers, cloud and IoT. 

Automatic updates are a central feature of snaps, ensuring that users always benefit from the latest version of software and improving security through rapid patching of vulnerabilities. Using the Snap Store, snaps can be published via a low-friction process and automatically updated on users’ systems.These updates ordinarily require an unrestricted network connection.

Updating snaps in restricted networks

Restricted networks either do not have access to the wider internet or the access that they have is limited to certain connections. Isolating networks is important in an enterprise environment for both security and convenience reasons.

However, when considering software updates, it can often be complex to manage the flow of data across different networks. It is important to have confidence in the technology that is used to deliver updates, to ensure that all security vulnerabilities are patched frequently in any network environment.

To solve this issue, we have created the Snap Store Proxy – an on-premise edge proxy to the global Snap Store. The Proxy is a software that users can run in their DMZ (a designated part of the network that is allowed external internet access) to proxy requests from their devices behind the firewall, to the Store. 

The Snap Store Proxy – how it works

The Snap Store Proxy makes it possible to run snaps from within sub-networks and from behind corporate firewalls. Additionally, the Snap Store Proxy creates a local cache of downloaded files, which could potentially be quite large, speeding up any further downloads and minimising bandwidth usage. 

Simple diagram showing how the Snap Store Proxy intercepts and re-writes the response from the upstream store, potentially pointing to a different version.

Integrity of the downloaded snap files is guaranteed through hashing signatures that are built into the design of snaps and implemented in snapd and the Snap Store. The Snap Store Proxy does not alter these signatures, ensuring that the chain of trust is always complete. You can read more about snaps and their design in the documentation.

In some situations, devices must run in a completely air gapped environment. This means that there is no connection to the internet. In these cases, it is still crucial for software to receive software and feature updates to keep devices patched and secure. However due to the lack of internet connection, it may be more difficult to deliver upgrades. The Snap Store Proxy can be operated in offline mode, meaning that snap updates can be sideloaded and manually transferred to the device. This allows software on air gapped devices to remain secure, up-to-date and feature-rich.

Align with enterprise policies through release management

Updating software can be problematic in environments that have external influences in change control and management. This is relevant in regulated industries such as manufacturing or pharmaceuticals. Complete control over updates and management of software is required in these environments, along with an auditable, provable record of any changes. With its override capability, the Snap Store Proxy allows configured devices to remain on a specified revision, no matter what revision has been released upstream.

The Snap Store Proxy grants enterprises greater control over software updates, offering a solution that balances security, compliance, and operational efficiency in diverse network environments.

Read the full whitepaper

Find out more

Contact us about your project 

Newsletter Signup

Related posts

Release management for snaps made simpler

Release management is the process of planning, scheduling, testing and deploying new versions of software. To make this process simpler for snap developers, we have released a new feature called progressive releases. Continue reading to understand what they are, why they are important and how you can use them in the Snap Store. What are […]

Snapcraft.io reloaded: check out the new look and feel

We’re happy to announce that snapcraft.io has a fresh, new look! Time for an update After keeping the same user interface and style for several years, we embarked on a project to redesign snapcraft.io and give it a more modern look. We spent a lot of time analysing how we could improve the store and […]

Improving snap maintenance with automation

Co-written with Sergio Costas Rodríguez. As the number of snaps increases, the need for automation grows. Any automation to help us maintain a group of snaps is welcome and necessary for us to be able to scale. The solution detailed in this article has two main benefits: Any users of snaps that have adopted this […]