Squid Proxy - connection initialization Failed


(chan nag) #1

We have set up a Squid Proxy (to listen on HTTPS 10933 and do a reverse proxy) and configured multiple Tentacles via this. When I access a Tentacle using the proxy IP/DNS from a browser I get:

Octopus Tentacle configured successfully

If you can view this page, your Octopus Tentacle is configured and ready to accept deployment commands.

This landing page is displayed when no X509 certificate is provided. Only Octopus Servers with a trusted certificate can control this Tentacle.

However, when I try to add the Tentacle as a listening Tentacle and try connecting from the Octopus Server
Server version: 4.1.10+Branch.master.Sha.b902062b52116fabe954e2aab57870f9cedcd9c5
I get
An error occurred when sending a request to ‘https://TentacleagentURL:10933/’, before the request could begin: A timeout while waiting for the proxy server at ::ffff:ProxyServerIP on port 10933 to respond.
A timeout while waiting for the proxy server at ::ffff:PROXYSERVERIP on port 10933 to respond

Retry attempt 4
January 28th 2019 17:53:31Info
Opening a new connection
January 28th 2019 17:53:31Info
Creating a proxy client
January 28th 2019 17:53:31Info
Connecting to proxy at PROXYSERVERIP:10933
January 28th 2019 17:53:31Info
Sending unauthorized server CONNECT command for TENTACLEAGENTDNS.com:10933 to proxy
January 28th 2019 17:53:47Error
Unexpected exception executing transaction. Halibut.Transport.Proxy.Exceptions.ProxyException: A timeout while waiting for the proxy server at ::ffff: PROXYSERVERIP on port 10933 to respond.
at Halibut.Transport.Proxy.HttpProxyClient.WaitForData(NetworkStream stream)
at Halibut.Transport.Proxy.HttpProxyClient.SendConnectionCommand(String host, Int32 port)
at Halibut.Transport.Proxy.HttpProxyClient.CreateConnection(String destinationHost, Int32 destinationPort, TimeSpan timeout)
at Halibut.Transport.SecureClient.CreateConnectedTcpClient(ServiceEndPoint endPoint)
at Halibut.Transport.SecureClient.EstablishNewConnection()
at Halibut.Transport.SecureClient.ExecuteTransaction(Action1 protocolHandler)
January 28th 2019 17:53:50Error
Unexpected exception executing transaction. Halibut.Transport.Proxy.Exceptions.ProxyException: A timeout while waiting for the proxy server at ::ffff: PROXYSERVERIP on port 10933 to respond.
at Halibut.Transport.Proxy.HttpProxyClient.WaitForData(NetworkStream stream)
at Halibut.Transport.Proxy.HttpProxyClient.SendConnectionCommand(String host, Int32 port)
at Halibut.Transport.Proxy.HttpProxyClient.CreateConnection(String destinationHost, Int32 destinationPort, TimeSpan timeout)
at Halibut.Transport.SecureClient.CreateConnectedTcpClient(ServiceEndPoint endPoint)
at Halibut.Transport.SecureClient.EstablishNewConnection()
at Halibut.Transport.SecureClient.ExecuteTransaction(Action1 protocolHandler)

Squid Logs say
NONE/400 40243 NONE error:invalid-request - HIER_NONE/- text/html

I can provide more logs from Squid and the Octopus Server/Tentacle.
Please let me know how to go about solving this.


(Lawrence Wilson) #3

Hi,

Thanks for getting in touch! I’m sorry to hear you are seeing problems communicating between your Octopus Server and your Listening Tentacles when there is a reverse proxy sitting in front of the Listening Tentacles.

I’m interested to know if your proxy server is configured to perform SSL offloading. Unfortunately, Octopus and Tentacle communication doesn’t support SSL offloading; it must be an uninterrupted TLS tunnel to work properly.

One option I’m considering is that perhaps Octopus Server should not be aware that there is a proxy in the mix, and you could try configuring your Octopus Server to talk directly to the proxy’s IP address, as you have tested in the web browser.

Kind regards,
Lawrence.


(chan nag) #4

Thanks Lawrence

I have tried to configure the proxy in the Octopus Server and used it to add the Tentacle, with the same result.

Currently we have the Octopus Server and the Tentacles in our internal network, and our client wants to move the Octopus Server into their network but keep all Tentacles in our network.

They are not open to the idea of opening our network range to all communications to all tentacles

So we configured the squid as reverse proxy and put all tentacles behind one ip

Would you be able to tell me the best practice in setting the Squid for this scenario?

A sample config file would help as well

Also, I am not sure how to set the uninterrupted TLS tunnel using Squid.

Again thanks for the quick reply

Let us know

Chander


(Lawrence Wilson) #5

Hi Chander,
Thanks for keeping in touch! Based on your initial logs, it appears as though you initially had your Tentacle communication configured in Octopus to run through the proxy server. In other words, your Octopus Server had something configured in the “Proxy” Settings of the Listening Tentacle. I’m interested in knowing what your Octopus Portal UI looks like now that you have tried to configure the proxy in the Octopus Server?

For example, I think for the proxy server to work successfully in the case of using a reverse proxy server, we might need to clear the configuration for the proxy settings in Octopus, while at the same time telling Octopus to connect to the proxy server’s IP address, instead of the Tentacle’s IP address. Here is a screenshot of the Octopus Portal for these settings. You can arrive here by logging into your Octopus Server > Infrastructure > Deployment Targets > Select your listening Tentacle.

I made this assumption because the reverse proxy is typically not known to the clients accessing the servers behind them.

In order to satisfy the requirement of having an uninterrupted TLS tunnel, you would need to ensure your Proxy server has the “Intercept SSL Traffic” disabled.

I hope this has helped!

Kind regards,
Lawrence.
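
One way to check the "uninterrupted TLS tunnel" requirement discussed in this thread, added here as an example and not code from Octopus Deploy or from either poster: connect to the proxy address and compare the certificate it presents with the Tentacle's own certificate thumbprint. It assumes you already know the Tentacle's thumbprint; the function names are hypothetical.

```python
import hashlib
import socket
import ssl


def thumbprint(der_cert: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, as upper-case hex."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def normalize(tp: str) -> str:
    """Drop separators and invisible characters picked up when copying a thumbprint."""
    return "".join(c for c in tp.upper() if c in "0123456789ABCDEF")


def fetch_leaf_cert(host: str, port: int = 10933, timeout: float = 10.0) -> bytes:
    """Return the DER certificate presented at host:port without validating it.

    Tentacle certificates are self-signed, so chain and hostname checks are
    switched off; trust is decided only by the thumbprint comparison below.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def classify(presented_der: bytes, expected_thumbprint: str) -> str:
    """'passthrough' when the proxy address presents the Tentacle's certificate,
    'terminated' when another certificate (for example the proxy's own) is seen,
    which means TLS is being offloaded or intercepted in between."""
    if thumbprint(presented_der) == normalize(expected_thumbprint):
        return "passthrough"
    return "terminated"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: check.py PROXY_ADDRESS TENTACLE_THUMBPRINT
        der, expected = fetch_leaf_cert(sys.argv[1]), sys.argv[2]
    else:  # offline demo: constructed bytes stand in for a certificate
        der = b"constructed sample, not a real certificate"
        expected = thumbprint(der)
    print(thumbprint(der), classify(der, expected))
```

A "terminated" result against the proxy address, with "passthrough" when run directly against the Tentacle, points at SSL offloading or interception on the proxy.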