Security of tentacle communication

From a communication efficiency point of view a listening tentacle is obviously better, but considering modern security standards, Operations people would never allow it for any serious production environment. Polling tentacles have better chances of being approved, but we still must make sure that their communications are secure and cannot be easily intercepted.

Looking at TeamCity, they switched the default communication protocol from duplex to unidirectional HTTPS from Agents to Server for that very reason. This way Agents can run in isolated networks and still easily and securely communicate with the server. I wonder if something similar can be done with Octopus.

So the scenario is: server and tentacles are in two different and well isolated networks. The Tentacle still has the possibility of HTTPS connections to the outside world, and the Server has the possibility of receiving HTTPS connections from the Internet. Can we make it work with Octopus? HTTPS on a custom port is fine, but it must be real HTTPS with SSL offload at the hardware load balancer (F5) level, etc.

Thank you!
Konstantin

Hi Konstantin,

Thanks for getting in touch! Security is a very important and much-argued topic. I have to disagree that ‘Operations people would never allow for a Tentacle port to be opened in a serious Production environment’, as it happens all the time for many of our customers, including banks and financial agencies. We have blogs and documentation pages that explain our security and methods, and we have had independent audits completed where our communication methods have all passed. We are also PCI compliant and have many customers who are also PCI compliant.

For (truly) isolated environments, customers have an Octopus Server inside the isolated network, and thus do not have to open anything.

Octopus simply would not exist on servers around the world if it were not secure and did not ensure that security is of the highest standards.

Vanessa