What steps should I take to enable https in Octopus Deploy?

security-config
how-to
(Bob Walker) #1

In Octopus Deploy, I would like all of my UI and API requests to go through https instead of http. What do I need to configure in Octopus to accomplish that?

(Bob Walker) #3

You have a couple of options when enabling https.

Option 1 - Install the certificate directly on the server(s)

Follow the steps in our documentation to install a certificate on the server, then configure the Octopus UI to use that certificate using the Octopus Manager.

If Octopus has been in use for a while without https, then you can leave port 80 open, but configure HSTS (HTTP Strict Transport Security). Essentially that is a header which will tell the browser there is a secure version of the UI and to always use that.

If you are using High Availability, that means each server in the HA cluster will need to have the certificate installed. That means if the certificate expires you have to go to all servers in the HA cluster and update the cert.

Option 2 - Use a load balancer with SSL/TLS termination enabled

Most load balancers and application gateways support SSL/TLS off-loading. The load balancer exposes a URL pointing back to the Octopus Server(s). The traffic to the load balancer and application gateway is encrypted, but the traffic from the load balancer to the Octopus Server(s) is unencrypted. This article does a good job of explaining this.

The advantage to doing this is you have a single place to manage the certificates.

Option 3 - Use a load balancer with SSL/TLS bridging enabled

This is a combination of Option 1 and Option 2. Essentially traffic is encrypted from the user to the load balancer, decrypted and then re-encrypted to go between the load balancer and the server. Doing this does cause a performance hit. It is up to you and your security team whether this should be enabled.
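Two things in the answer above are worth verifying after the change rather than assuming: that port 80 really does hand browsers over to https with an HSTS header behind it (Option 1), and that every node in an HA cluster has a certificate that is not about to expire (the maintenance problem Option 1 creates). The script below is an added example, not code from the original post or from Octopus Deploy; the host name, the responses and the expiry dates are constructed samples, and the one-year minimum `max-age` is an assumption you can adjust.

```python
"""Constructed example: check that an Octopus Server (or any HTTPS front end)
redirects plain HTTP to HTTPS and sends a usable HSTS header, and flag HA nodes
whose certificate is close to expiry. All responses and dates below are
hand-built samples, not captured from a real server."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Minimum max-age before we treat HSTS as effective (one year; an assumption).
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into a dict.
    Returns {"max_age": int, "include_subdomains": bool, "preload": bool},
    or None when the header is absent or malformed."""
    if not header_value:
        return None
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        return None
    return result


def check_http_redirect(status, headers, expected_host):
    """True when a plain-HTTP response sends the browser to https on the same host."""
    if status not in (301, 302, 307, 308):
        return False
    parts = urlsplit(headers.get("Location", ""))
    return parts.scheme == "https" and parts.hostname == expected_host


def check_hsts(headers):
    """Return a list of findings; an empty list means the HSTS header is acceptable."""
    hsts = parse_hsts(headers.get("Strict-Transport-Security"))
    if hsts is None:
        return ["Strict-Transport-Security header missing or malformed"]
    findings = []
    if hsts["max_age"] < MIN_HSTS_MAX_AGE:
        findings.append(f"max-age {hsts['max_age']} is below {MIN_HSTS_MAX_AGE}")
    if not hsts["include_subdomains"]:
        findings.append("includeSubDomains not set")
    return findings


def certs_needing_renewal(node_expiries, now, warn_days=30):
    """HA case: given {node: certificate not-after datetime}, return the nodes
    whose certificate expires within warn_days, so all of them get renewed together."""
    cutoff = now + timedelta(days=warn_days)
    return sorted(node for node, not_after in node_expiries.items() if not_after <= cutoff)


# Constructed sample responses (the host name is assumed, not a real instance).
HOST = "octopus.example.internal"
HTTP_RESPONSE = (301, {"Location": f"https://{HOST}/"})
HTTPS_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
WEAK_HTTPS_HEADERS = {"Strict-Transport-Security": "max-age=300"}

# Constructed certificate expiry dates for a three-node HA cluster.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
NODE_EXPIRIES = {
    "octo-node-1": NOW + timedelta(days=10),
    "octo-node-2": NOW + timedelta(days=200),
    "octo-node-3": NOW + timedelta(days=10),
}

if __name__ == "__main__":
    print("port 80 redirects to https:", check_http_redirect(*HTTP_RESPONSE, HOST))
    print("HSTS findings (good):", check_hsts(HTTPS_HEADERS))
    print("HSTS findings (weak):", check_hsts(WEAK_HTTPS_HEADERS))
    print("nodes to renew:", certs_needing_renewal(NODE_EXPIRIES, NOW))
```

To use it against a real instance, fetch `http://<host>/` without following redirects and `https://<host>/`, and feed the status code and headers into `check_http_redirect` and `check_hsts`; the expiry dates for `certs_needing_renewal` come from each node's certificate `notAfter` field. With Option 2 (termination at the load balancer) run the same checks against the load balancer's URL, since that is where the certificate and the HSTS header now live.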