Hi,
I have a Squid proxy that sits between the Octopus Server and the Tentacle. I have my polling Tentacles set up to use the Squid proxy.
I am using Wireshark to monitor the traffic between the Octopus Server and Tentacle.
I am seeing that my credentials are visible in plain text and I want them to be encrypted.
Is there anything from the Octopus Deploy side that can be done to achieve this, or is it all on the squid.conf file configuration?
Unfortunately, there isn’t anything you can do from the Octopus side. You should be able to get your proxy to strip everything out when it sends it to Octopus, though.
Please let me know if that helps or if you need further assistance.
Hi @jeremy.miller,
Yes, the credentials I am seeing are the proxy credentials.
So what I am doing is stopping the Tentacle, then starting Wireshark to record, and then I start the Tentacle again and it captures the traffic.
It connects to one of our Octopus nodes through port 10943, and then in the Proxy-Authorization section the proxy credentials are displayed.
I have followed the tutorial (http://etutorials.org/Server+Administration/Squid.+The+definitive+guide/Chapter+12.+Authentication+Helpers/12.3+HTTP+Digest+Authentication/).
I have my proxy between Octopus Deploy and the Octopus Tentacle. When they communicate, I test the connection with Wireshark to see if the proxy credentials are displayed in clear text. I was using basic authentication, which does display the credentials in plain text.
Now I am trying to implement Digest Authentication, but the proxy credentials are still displayed in plain text and not encrypted. In my squid.conf I have added the lines below:
# we are using an LDAP user to connect
auth_param digest program /usr/lib64/squid/digest_ldap_auth
auth_param digest children 8
auth_param digest realm Access to Squid
auth_param digest nonce_garbage_interval 10 minutes
auth_param digest nonce_max_duration 45 minutes
auth_param digest nonce_max_count 100
auth_param digest nonce_strictness on
I restarted Squid after I made the changes, but it is still not encrypting the proxy credentials. Is there something else I need to do that I have missed?
I didn't do anything with the 12.3.1 password section.
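For reference when reading such a capture, here is an added example (not part of the original posts) of what a Proxy-Authorization value exposes under each scheme: Basic is reversible base64 of user:password, while Digest still shows the username in clear but carries only an MD5 response derived from the password. The account name, password, host name and nonce are constructed sample values; the realm and port are the ones quoted in the post above.

```python
import base64
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value for algorithm=MD5, qop=auth."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def describe_proxy_auth(value):
    """Summarise what a captured Proxy-Authorization value exposes on the wire."""
    scheme, _, rest = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Basic is base64("user:password"), an encoding that any observer can reverse.
        user, _, password = base64.b64decode(rest).decode("utf-8").partition(":")
        return {"scheme": scheme, "username": user, "password_on_wire": bool(password)}
    if scheme == "digest":
        # Digest sends key=value fields; the password only feeds the MD5 'response'.
        pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', rest)
        fields = {key: quoted or bare for key, quoted, bare in pairs}
        return {"scheme": scheme, "username": fields.get("username"),
                "password_on_wire": False, "response": fields.get("response")}
    return {"scheme": scheme, "username": None, "password_on_wire": None}

# Constructed sample values (not taken from the thread's capture).
USER, PASSWORD, REALM = "svc-tentacle", "example-Passw0rd", "Access to Squid"
URI, NONCE, CNONCE, NC = "octopus.example.internal:10943", "b7f1c0a94e2d", "0a4f113b", "00000001"

BASIC_HEADER = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
DIGEST_HEADER = (
    f'Digest username="{USER}", realm="{REALM}", nonce="{NONCE}", uri="{URI}", '
    f'qop=auth, nc={NC}, cnonce="{CNONCE}", '
    f'response="{digest_response(USER, REALM, PASSWORD, "CONNECT", URI, NONCE, NC, CNONCE)}"'
)

if __name__ == "__main__":
    for header in (BASIC_HEADER, DIGEST_HEADER):
        print(describe_proxy_auth(header))
```

If the captured header still begins with "Basic", the client is answering the proxy's Basic challenge rather than the Digest one.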
Squid is a bit out of my wheelhouse. I can go grab some colleagues and see who can help here. In the meantime, is there any reason you can’t whitelist the Tentacle IP address on your Squid, so that there are no credentials necessary?
I’ve discussed this with a colleague of mine and I think there’s no way to avoid the plain text credentials over HTTP, but I am going to check with a colleague who works in Australia to be sure. I think we may have to inevitably go the whitelist route.
I will keep you updated.
Please let me know if you have any questions in the meantime.
I heard back. Bolstering authentication with proxies is something we’d like to do in the future, but it currently isn’t on our roadmap. In the meantime, it looks like whitelisting the IP address of the Tentacle for Squid is your best path forward.
I’m sorry I don’t have better news for you.
Please let me know if you have any other questions or concerns and I hope you have a great rest of your week.