To register a new tentacle it is necessary to open port 80 or 443 for the REST-API. Is there a way to allow tentacle registration without also opening the WEB-GUI?
Can I switch off the GUI for an IP/binding or have them on different ports?
regards
Stephan
Hi Stephan,
Thanks for getting in touch!
You can indeed register a tentacle without using the GUI or port 443/80, however it will not be a seamless process. You can install and configure a Tentacle via the command line, I have included some example configuration commands below (you will need to either replace or remove “Instance” as required, as well as provide the SERVER_THUMBPRINT):
"C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe" create-instance --instance "INSTANCE" --config "C:\Octopus\INSTANCE\Tentacle-INSTANCE.config"
"C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe" new-certificate --instance "INSTANCE" --if-blank
"C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe" configure --instance "INSTANCE" --home "C:\Octopus" --app "C:\Octopus\Applications\INSTANCE" --port "10933"
"C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe" configure --instance "INSTANCE" --trust "SERVER_THUMBPRINT" --console
"C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe" service --instance "INSTANCE" --install --start
"C:\Program Files\Octopus Deploy\Tentacle\Tentacle.exe" Show-thumbprint --instance=INSTANCE
Once those commands have been completed you can then use the API directly on your Octopus server with the Thumbprint of the Tentacle (which is the result of the last line).
Sorry if this isn’t the answer you are looking for, unfortunately any direct calls to your server via the API are via 443 or 80 so full automation isn’t possible without those ports.
Please let me know if you have any other questions we can assist with,
Regards,
Alex
Hi Rob,
sorry for not being precise enough, but the tentacle registration process is not my problem. We are already using the script you attached.
My problem is that I want to be able to register new tentacles using the script but don’t want to open the GUI to everybody.
In other words: How can I set up my server that tentacle registration by script is possible but nobody can log in through the GUI? A possible solution would be to have separate ports for tentacle registration that would be exposed to the tentacle network and other ports for the GUI that would only be exposed to an internal admin network.
Is this possible?
Regards
Stephan
Hi Stephan,
Thanks for clarifying. Unfortunately what you are requesting is not possible as the API and the WEB-GUI are in many ways one and the same thing.
We have designed Octopus to be API first, so in the vast majority of cases all the GUI is doing is performing API calls.
Sorry that this isn’t the answer you are looking for,
Regards,
Alex
Hi Stephan,
Just a quick update on this one. If you have a firewall that can filter on a per URL basis you could allow traffic that matches the API pattern http://octopus_server/api/* and disallow all other traffic as all of the GUI requests would conform to http://octopus_server/app#/*.
Please let me know if there is anything else we can help with!
Regards
Alex
Hi Alex,
this is a good hint. I will try to implement this.
But it might be a good improvement for the product to be able to enable/disable the GUI for a specific binding in the web server.
Regards
Stephan
Hi Stephan,
Thanks for the feedback!
If you could log a UserVoice requesting that feature as this is the best way that we have found to gauge community interest for any given feature.
Happy deploying,
Regards,
Alex