Tentacle registering port only

(Ryan) #1

Hi there,

Loving Octopus Deploy.

I am working in a small on-premise environment, automating new server Tentacle registration; the servers are created using CloudFormation in AWS.

I have exposed a port for these machines to register with our on-premise Octopus Server, but it seems (as far as I can see) this also exposes the web interface and full control of the Octopus Server itself, if compromised. Soon, I will no longer be able to vet the accounts being added to the Octopus Server and I am concerned about security; this Octopus Server also manages internal resources.

I apologise if this has been documented or covered off in the forums already, but I have not been able to find anything.
My question is this: is it possible to expose just a service port for Tentacles to register without also exposing the entire server's web interface?

We are working with a shoestring budget and I don't think our firewall is capable of filtering the correct inbound connections specifically from AWS servers on this port only.

Any help is appreciated, keep up the good work :slight_smile:

(Matt Richardson) #2

Hi Ryan

Thanks for getting in touch! Glad to hear you’re liking Octopus :slight_smile:

To make sure I understand your scenario, I’ll repeat it - let me know if I’ve got it wrong.

You've set up an Octopus Server and exposed port 443 to the world. You're setting up Tentacles and using the register-with command to register them with the server, and you're concerned that this setup exposes the whole Octopus Server to the world.

I also presume you’re using listening Tentacles, where the Server reaches out to the Tentacles on AWS.

In this case, the register-with command is just a helper that tells the server about the Tentacle. You can do it in other ways, e.g., manually, or potentially even using an SQS queue or similar. On your Octopus Server (or somewhere that can access the Octopus Server), you could have a small app / script that listens for messages on the SQS queue and registers the Tentacle using a script similar to this sample.

If you use this approach, you don’t need to expose any ports on your Octopus server at all.

Hope this helps!

Regards,
Matt
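The registration worker Matt describes, as an added example that is not part of the original thread and is neither Octopus Deploy's nor the poster's own code. It assumes the public Octopus REST shape for registering a listening Tentacle (POST /api/machines with an X-Octopus-ApiKey header and a TentaclePassive endpoint); the queue message schema, the environment and role allowlist, the placeholder server URL and environment id are this example's own. The point, from the defender's side, is that the worker holds the only API key, accepts just the fields it understands, and refuses anything outside the allowlist, so a queue message can never register a machine into an environment the AWS fleet should not reach.

```python
"""Register listening Tentacles from queued messages without exposing the server.

Added example: the SQS message bodies below are constructed, and the
network call is kept behind `post_machine` so the validation logic runs offline.
"""
import json
import re
import urllib.request

OCTOPUS_URL = "https://octopus.example.internal"      # placeholder, not a real server
# Environment name -> Octopus environment id. Placeholder id; real ids come
# from GET /api/environments. Only these environments may be targeted.
ALLOWED_ENVIRONMENTS = {"AWS-Dev": "Environments-42"}
ALLOWED_ROLES = {"web-server", "worker"}
THUMBPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")       # Tentacle certificate SHA-1 thumbprint
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


class RejectedMessage(ValueError):
    """A queued registration request that failed validation."""


def validate_message(msg) -> dict:
    """Check a queued request against the allowlist and copy out only known fields."""
    if not isinstance(msg, dict):
        raise RejectedMessage("message body is not a JSON object")
    hostname = str(msg.get("hostname", ""))
    if not HOSTNAME_RE.match(hostname):
        raise RejectedMessage(f"bad hostname {hostname!r}")
    thumbprint = str(msg.get("thumbprint", "")).upper()
    if not THUMBPRINT_RE.match(thumbprint):
        raise RejectedMessage("thumbprint is not a 40-hex-digit SHA-1")
    env = msg.get("environment")
    if env not in ALLOWED_ENVIRONMENTS:
        raise RejectedMessage(f"environment {env!r} not in allowlist")
    roles = msg.get("roles", [])
    if (not isinstance(roles, list) or not roles
            or not all(isinstance(r, str) for r in roles)
            or not set(roles) <= ALLOWED_ROLES):
        raise RejectedMessage(f"roles {roles!r} not in allowlist")
    port = msg.get("port", 10933)                       # Tentacle's default listening port
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise RejectedMessage(f"bad port {port!r}")
    return {"hostname": hostname, "thumbprint": thumbprint,
            "environment_id": ALLOWED_ENVIRONMENTS[env],
            "roles": sorted(set(roles)), "port": port}


def build_registration(msg) -> dict:
    """Build the body for POST /api/machines describing a listening Tentacle."""
    clean = validate_message(msg)
    return {
        "Name": clean["hostname"],
        "Roles": clean["roles"],
        "EnvironmentIds": [clean["environment_id"]],
        "Endpoint": {
            "CommunicationStyle": "TentaclePassive",   # the server connects out to the Tentacle
            "Uri": f"https://{clean['hostname']}:{clean['port']}/",
            "Thumbprint": clean["thumbprint"],
        },
    }


def post_machine(payload: dict, api_key: str) -> bytes:
    """Send the registration to Octopus; only this worker ever holds the API key."""
    req = urllib.request.Request(
        f"{OCTOPUS_URL}/api/machines",
        data=json.dumps(payload).encode(),
        headers={"X-Octopus-ApiKey": api_key, "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def process_queue(bodies, register) -> list:
    """Validate each queued body; `register` receives only payloads that passed."""
    results = []
    for body in bodies:
        try:
            payload = build_registration(json.loads(body))
        except (RejectedMessage, json.JSONDecodeError) as exc:
            results.append(("rejected", str(exc)))
            continue
        results.append(("registered", register(payload)))
    return results


# Constructed sample bodies standing in for two SQS messages: one valid,
# one with a malformed thumbprint and an environment outside the allowlist.
SAMPLE_BODIES = [
    json.dumps({"hostname": "ip-10-0-1-23.aws.example", "thumbprint": "a" * 40,
                "environment": "AWS-Dev", "roles": ["web-server"]}),
    json.dumps({"hostname": "unknown-host.example", "thumbprint": "not-a-thumbprint",
                "environment": "Production", "roles": ["web-server"]}),
]

if __name__ == "__main__":
    # Dry run: report the endpoint URI instead of calling the server.
    for status, detail in process_queue(SAMPLE_BODIES, lambda p: p["Endpoint"]["Uri"]):
        print(status, detail)
```

To go live, replace the dry-run lambda with `lambda p: post_machine(p, api_key)` and feed `process_queue` the bodies returned by your SQS client; the worker then needs outbound access to the queue and to the Octopus API only, so no inbound port on the Octopus Server is required.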

(system) closed #4