(November 30, 2015 corrected typo in new package URLs)
If you need to whitelist Canopy-related URLs on your proxy server, the best option would be to whitelist all https access to enthought.com. This should cover everything, including future versions of Canopy.
Absent that, you could specify the following root URLs for https access (the actual URLs used will include variable paths and parameters after "enthought.com/"). This is likely to cover everything, at least for now:
and for access in a web browser: