Squid proxy credentials showing in plain text

Hi,
I have a squid proxy that sits between the communication of the Octopus Server and Tentacle. I have my polling tentacles set up to use the squid proxy.
I am using Wireshark to monitor the traffic between the Octopus Server and Tentacle.
I am seeing that my credentials are visible in plain text and I want them to be encrypted.
Is there anything from the Octopus Deploy side that can be done to achieve this or is it all on the squid.conf file configuration?

Kind Regards,
Micheál Power

Hi Micheál,

Thanks for reaching out.

Unfortunately, there isn’t anything you can do from the Octopus side. You should be able to get your proxy to strip everything out when it sends it to Octopus, though.

Please let me know if that helps or if you need further assistance.

Thanks,
Jeremy

Hi @jeremy.miller,
Thanks for your reply.
How do I go about stripping everything out before it gets sent to Octopus?

Kind Regards,
Micheal Power

Hi Micheal,

You’re very welcome.

Are the credentials you’re seeing for the proxy? At what part of your infrastructure are you using Wireshark to monitor the traffic?

Please let me know.

Thanks,
Jeremy

Hi @jeremy.miller,
Yes, the credentials I am seeing are the proxy credentials.
So what I am doing is stopping the tentacle, then starting Wireshark to record, and then I start the tentacle again and it captures the traffic communications.

It connects to one of our Octopus nodes through port 10943 and then in the Proxy-Authorization section the proxy credentials are displayed.

Kind Regards,
Micheal Power

Hey Michael,

Thanks for the information. I’ve made your screenshot private.

I’m going to talk to security regarding this and one of us will get back to you soon.

Please let me know if you have any questions or concerns in the meantime.

Thanks,
Jeremy

Hey Michael,

I spoke with our security team and they said that we’re following the spec on how to use basic auth with HTTP proxies: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Proxy-Authorization

If you don’t want to pass credentials, I think your best bet is to whitelist the tentacle in squid so it doesn’t need to authorize.

Please let me know if that helps or if you have any further questions.

Thanks,
Jeremy

Hi @jeremy.miller,
Thanks for the feedback. I am going to try and use Digest Authentication and see if that encrypts my proxy password.

Kind Regards,
Micheál Power

Hey Micheál,

You’re very welcome. That sounds like a plan, thanks for letting me know.

Please reach out to us if you run into any issues.

Thanks,
Jeremy


Hi @jeremy.miller,

I have followed the tutorial (http://etutorials.org/Server+Administration/Squid.+The+definitive+guide/Chapter+12.+Authentication+Helpers/12.3+HTTP+Digest+Authentication/).
I have my proxy between the communication of Octopus Deploy and the Octopus Tentacle. When they communicate I am testing the connection with Wireshark to see if the proxy credentials are displayed in clear text. I was using the basic authentication which does display the credentials in plain text.
Now I am trying to implement Digest Authentication but still the proxy credentials are displaying in plain text and not encrypted. In my squid.conf I have added the below lines:

# we are using ldap user to connect
auth_param digest program /usr/lib64/squid/digest_ldap_auth
auth_param digest children 8
auth_param digest realm Access to Squid
auth_param digest nonce_garbage_interval 10 minutes
auth_param digest nonce_max_duration 45 minutes
auth_param digest nonce_max_count 100
auth_param digest nonce_strictness on

acl ldap-auth proxy_auth REQUIRED
http_access allow ldap-auth

I restarted squid after I made the changes but it is still not encrypting the proxy credentials. Is there something else I need to do that I have missed?
I didn't do anything with the 12.3.1 password section.

Kind Regards,
Micheál Power
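
An added example, not part of the original posts: one way to check from captured header values which scheme is actually on the wire after a squid.conf change. It classifies a `Proxy-Authorization` value, lists the schemes offered in the proxy's 407 reply, and computes the RFC 2617 Digest response that replaces the password. The user name, password, nonce and host below are constructed; only the realm and port 10943 come from the thread.

```python
import base64
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response (MD5, qop=auth): the value sent instead of the password."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def offered_schemes(proxy_authenticate_values):
    """Schemes the proxy offers in its 407 reply, one per Proxy-Authenticate header."""
    return [v.split(None, 1)[0].lower() for v in proxy_authenticate_values if v.strip()]

def inspect_proxy_authorization(value):
    """Classify a captured Proxy-Authorization value; never returns the password itself."""
    scheme, _, rest = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Basic is base64(user:password): an encoding, not encryption.
        decoded = base64.b64decode(rest.strip()).decode("utf-8", "replace")
        user, _, password = decoded.partition(":")
        return {"scheme": scheme, "user": user, "password_recoverable": True,
                "password_length": len(password)}
    if scheme == "digest":
        pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
        params = {key: quoted or bare for key, quoted, bare in pairs}
        return {"scheme": scheme, "user": params.get("username"),
                "password_recoverable": False, "response": params.get("response")}
    return {"scheme": scheme, "user": None, "password_recoverable": None}

# Constructed sample values (not taken from the capture discussed in the thread).
REALM, URI, NONCE = "Access to Squid", "octopus.example.com:10943", "constructednonce01"
SAMPLE_BASIC = "Basic " + base64.b64encode(b"svc-tentacle:example-password").decode()
SAMPLE_RESPONSE = digest_response("svc-tentacle", REALM, "example-password",
                                  "CONNECT", URI, NONCE, "00000001", "0a4f113b")
SAMPLE_DIGEST = (f'Digest username="svc-tentacle", realm="{REALM}", nonce="{NONCE}", '
                 f'uri="{URI}", qop=auth, nc=00000001, cnonce="0a4f113b", '
                 f'response="{SAMPLE_RESPONSE}"')
SAMPLE_407 = [f'Digest realm="{REALM}", nonce="{NONCE}", qop="auth"',
              f'Basic realm="{REALM}"']

if __name__ == "__main__":
    print("offered:", offered_schemes(SAMPLE_407))
    for captured in (SAMPLE_BASIC, SAMPLE_DIGEST):
        print(inspect_proxy_authorization(captured))
```

If the captured request still reports `basic`, the client answered with Basic regardless of what the proxy offers, and the password stays recoverable from the capture.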

Hey Micheál,

Thanks for the information.

Squid is a bit out of my wheelhouse. I can go grab some colleagues and see who can help here. In the meantime, is there any reason you can’t white list the tentacle IP address on your Squid, so that there are no credentials necessary?

Thanks,
Jeremy

Hi @jeremy.miller,
No reason, this is just the route I am taking.
If you could get someone to take a look that would be great.

Kind Regards,
Micheál Power

Hi Micheál,

I’ve discussed this with a colleague of mine and I think there’s no way to avoid the plain text credentials over HTTP, but I am going to check with a colleague who works in Australia to be sure. I think we may have to inevitably go the white-list route.

I will keep you updated.

Please let me know if you have any questions in the meantime.

Thanks,
Jeremy

Hi Micheál,

I heard back. Bolstering authentication with proxies is something we’d like to do in the future but it currently isn’t on our roadmap. In the meantime, it looks like white listing the IP address of the tentacle for squid is your best path forward.

I’m sorry I don’t have better news for you.

Please let me know if you have any other questions or concerns and I hope you have a great rest of your week.

Thanks,
Jeremy

Hi @jeremy.miller,
Thanks for the feedback, appreciate it.

Kind Regards,
Micheál Power
