Control Network Access to Gemini Code Assist with User Domain Restrictions

This document provides instructions for network administrators to configure their networks to restrict access to Gemini Code Assist based on the domain of the user's authenticated account. This feature lets organizations control which users on their network can use Gemini Code Assist, reducing the risk of unauthorized access.

Overview

You can configure Gemini Code Assist to enforce user domain restrictions using a Person-in-the-Middle (PITM) proxy approach. The proxy injects a custom HTTP header, X-GeminiCodeAssist-Allowed-Domains, into requests made to Gemini Code Assist. The header carries a list of allowed domains, and the Gemini Code Assist backend only processes requests from users whose authenticated domain matches one of the allowed domains. Because the restriction is carried by the header, it applies only to requests that actually pass through the proxy.

Configure PITM proxy

To configure your PITM proxy, follow these steps:

  1. Make sure your network utilizes a PITM proxy capable of intercepting and modifying HTTPS traffic.

  2. Configure the proxy to intercept all outgoing requests to Gemini Code Assist endpoints.

  3. Configure the proxy to inject the X-GeminiCodeAssist-Allowed-Domains header into each request. The header should contain a comma-separated list of allowed domains (e.g., example.com, yourcompany.net). Make sure that domain names are separated by commas and do not include the @ symbol.

    If the header doesn't resolve to at least one valid domain, no restrictions apply. For example, an empty header applies no restrictions, and a value that includes the @ symbol, such as @example.com, applies no restrictions because it isn't a valid domain name. Check the configured value for typos before deploying, since a misconfigured header silently disables the control rather than blocking users.

SSL/TLS interception

If your proxy needs to decrypt HTTPS traffic to inject the header, make sure it's configured for SSL/TLS interception. This typically involves:

  • Generating a CA certificate and private key for the proxy. Protect this private key: anyone who holds it can decrypt or forge HTTPS traffic for every device that trusts it.

  • Installing the proxy's CA certificate in the trust store of user devices to establish trust and avoid certificate errors.

Header validation

  • Gemini Code Assist automatically validates the X-GeminiCodeAssist-Allowed-Domains header and enforces the restrictions.

  • If the header doesn't resolve to at least one valid domain, no restriction is applied and the request is processed as if the header were absent. A request that reaches Gemini Code Assist without passing through the proxy carries no header and is therefore not restricted, so make sure all traffic to the Gemini Code Assist endpoints is routed through the proxy.

  • If the user's domain isn't in the allowed list, the request is rejected.
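As an added illustration (not Google's code and not the Gemini Code Assist implementation), the following Python models both sides of the flow described under "Configure PITM proxy" and "Header validation": the proxy side builds and injects the header, and the backend side parses it and applies the documented rules. The header name, the comma-separated format, the no-@ rule, and the "no valid domain means no restriction" behaviour come from this page. The function names, the hostname syntax check, the decision to raise at proxy configuration time when an entry is not a valid domain, and the exact case-insensitive match of the user's account domain are assumptions of this example.

```python
"""Model of the X-GeminiCodeAssist-Allowed-Domains flow (illustrative, not Google's code)."""
import re

HEADER = "X-GeminiCodeAssist-Allowed-Domains"

# Hostname label syntax (RFC 1123 style): letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(value: str) -> bool:
    """True if value looks like a DNS domain: no '@', at least two labels, each well formed.
    (Syntax check assumed for this example; the page only says '@' makes a value invalid.)"""
    if not value or "@" in value or len(value) > 253:
        return False
    labels = value.split(".")
    if len(labels) < 2:
        return False
    return all(_LABEL.match(label) for label in labels)


def build_allowed_domains_header(domains) -> str:
    """Proxy side: build the comma-separated header value from the configured domain list.

    Raises ValueError on any invalid entry so that a typo fails at configuration time
    instead of silently producing a header that applies no restriction (assumption)."""
    cleaned = []
    for entry in domains:
        domain = entry.strip().lower()
        if not is_valid_domain(domain):
            raise ValueError(f"not a valid domain name: {entry!r}")
        if domain not in cleaned:
            cleaned.append(domain)
    return ",".join(cleaned)


def inject_header(request_headers: dict, allowed_domains) -> dict:
    """Proxy side: set the header on an outgoing request.

    Any header of the same name supplied by the client is discarded first, so the value
    seen by the backend is always the one the proxy configured."""
    headers = {k: v for k, v in request_headers.items() if k.lower() != HEADER.lower()}
    headers[HEADER] = build_allowed_domains_header(allowed_domains)
    return headers


def parse_allowed_domains(header_value):
    """Backend side: resolve the header to the set of valid domains it names.

    An empty set means the header did not resolve to any valid domain."""
    if header_value is None:
        return set()
    parts = (p.strip().lower() for p in header_value.split(","))
    return {p for p in parts if is_valid_domain(p)}


def is_request_allowed(request_headers: dict, user_email: str) -> bool:
    """Backend side: apply the rules from the 'Header validation' section.

    user_email stands in for the authenticated account; its domain is compared exactly
    (case-insensitively) against the allowed list (matching rule assumed)."""
    value = next((v for k, v in request_headers.items() if k.lower() == HEADER.lower()), None)
    allowed = parse_allowed_domains(value)
    if not allowed:
        return True  # no valid domain resolved: restrictions don't apply
    user_domain = user_email.rsplit("@", 1)[-1].lower()
    return user_domain in allowed


if __name__ == "__main__":
    # Constructed sample request and users for demonstration.
    outgoing = inject_header({"Authorization": "Bearer <token>"}, ["example.com", "YourCompany.net"])
    print(outgoing[HEADER])                                   # example.com,yourcompany.net
    print(is_request_allowed(outgoing, "alice@example.com"))  # True
    print(is_request_allowed(outgoing, "bob@evil.example"))   # False
    print(is_request_allowed({}, "bob@evil.example"))         # True: no header, no restriction
```

Note that the backend model is deliberately fail-open when the header is absent or invalid, because that is what the page documents; the proxy model compensates by refusing to run with an invalid configuration and by overwriting any client-supplied header value.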