Commit 266f1d7

Adding gRPC / Tentacle details to existing documentation (#3205)
* Adding gRPC port to inbound port table
* Adding initial Tentacle registration note to table for port 443
* Adding Polling Tentacles over HTTPS to HTTPS/port 443 row
* Adding KLOS to installation components ports section
* Update mod date
* Updating mod date
* Updating wording for TCP 443 row
* Fixing linter errors
* Fixing spellcheck error
* Fixing linter error
1 parent 8a12a82 commit 266f1d7

2 files changed

Lines changed: 14 additions & 13 deletions

src/pages/docs/installation/index.mdx

Lines changed: 2 additions & 2 deletions
@@ -1,7 +1,7 @@
11
---
22
layout: src/layouts/Default.astro
33
pubDate: 2023-01-01
4-
modDate: 2024-05-01
4+
modDate: 2026-06-10
55
title: Install Octopus Server
66
subtitle: How to install Octopus Server
77
icon: fa-solid fa-server
@@ -31,7 +31,7 @@ Relevant ports include:
3131
- **Inbound** port 8080: Container Host - service / load balancer to container
3232
- **Inbound** port 443/80 (http/https): Windows Host - load balancer to Windows Server
3333
- **Inbound** port 10943: Polling tentacles (Octopus Deploy agents) running on application hosts or runners (workers).
34-
- **Inbound** port 8443 (gRPC): Octopus Deploy Argo CD Gateway
34+
- **Inbound** port 8443 (gRPC): Octopus Deploy Argo CD Gateway and Kubernetes Live Object Status
3535
- **Outbound** port 10933: Listening tentacles (Octopus Deploy agents) running on application hosts or runners (workers).
3636
- **Outbound** port 22 (SSH): For application hosts or runners (workers).
3737

src/pages/docs/security/hardening-octopus.mdx

Lines changed: 12 additions & 11 deletions
@@ -1,7 +1,7 @@
11
---
22
layout: src/layouts/Default.astro
33
pubDate: 2023-01-01
4-
modDate: 2023-10-04
4+
modDate: 2026-06-10
55
title: Hardening Octopus
66
description: If you are hosting Octopus Deploy yourself, this guide will help you harden your network, host operating system, and Octopus Server itself. This includes things such as configuring malware protection (antivirus), and using allow lists.
77
navOrder: 10
@@ -45,7 +45,7 @@ Depending on your familiarity with Octopus Server, or SQL Server, or networking,
4545

4646
### Upgrade to the latest version
4747

48-
Generally speaking, the latest available version of Octopus Server will be the most secure. You should consider a strategy for keeping Octopus Server updated. We follow a [responsible disclosure policy](#disclosure-policy) so it is possible for you to be aware of any known issues which affect the security and integrity of your Octopus Server.
48+
Generally speaking, the latest available version of Octopus Server will be the most secure. You should consider a strategy for keeping Octopus Server updated. We follow a [responsible disclosure policy](https://octopus.com/security/disclosure) so it is possible for you to be aware of any known issues which affect the security and integrity of your Octopus Server.
4949

5050
### Securely expose your Octopus Server
5151

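Review bot: the disclosure-policy link changes from the in-page anchor `#disclosure-policy` to the absolute URL `https://octopus.com/security/disclosure`, which is the right fix if that section no longer lives on this page, but none of the ten items in the commit message mention it; add a line so the change is discoverable from the history. The other links in this file are root-relative (e.g. `/docs/installation/octopus-server-linux-container`), so if the disclosure page is on the same site, `/security/disclosure` would match that convention.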
@@ -150,7 +150,7 @@ All communication between Octopus Server and Tentacles is performed over a secur
150150

151151
#### Disable SSLv3, TLS 1.0 and 1.1 on Windows \{#disable-weak-tls-protocols-windows}
152152

153-
On Windows, the easiest way to disable weak versions of SSL and TLS are by using a tool like [IISCrypto](https://www.nartac.com/Products/IISCrypto) to change the Windows Registry.
153+
On Windows, the easiest way to disable weak versions of SSL and TLS are by using a tool like [IISCrypto](https://www.nartac.com/Products/IISCrypto) to change the Windows Registry.
154154

155155
:::div{.problem}
156156

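Review bot: the 153- and 153+ lines are textually identical in the rendered diff, so this hunk is a whitespace-only change (presumably one of the "Fixing linter errors" items). Since the line is being touched anyway, fix the subject-verb agreement in it: "the easiest way to disable weak versions of SSL and TLS is by using a tool like IISCrypto", not "are by using".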
@@ -198,14 +198,14 @@ Once the TLS versions are disabled, reboot your Server and importantly [verify t
198198

199199
On Ubuntu `20.04` using OpenSSL `1.1.1f` (the latest at time of writing), you can specify the minimum TLS version to use to be `TLSv1.2` by setting the `MinProtocol` directive in the `/etc/ssl/openssl.cnf` OpenSSL config file:
200200

201-
```
201+
```text
202202
[system_default_sect]
203203
MinProtocol = TLSv1.2
204204
```
205205

206206
On Ubuntu `18.04`, if the `MinProtocol` directive doesn't work, you can try this alternative. When using OpenSSL `1.1.1` (the latest at time of writing), you can specify the available TLS Protocols explicitly in the `/etc/ssl/openssl.cnf` OpenSSL config file:
207207

208-
```
208+
```text
209209
[system_default_sect]
210210
Protocol = -SSLv3, -TLSv1, -TLSv1.1, TLSv1.2
211211
```
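Review bot: tagging both fences `text` satisfies the linter but gives up highlighting; `openssl.cnf` is INI-style, so `ini` would render `[system_default_sect]` and `MinProtocol = TLSv1.2` with highlighting on the same lines. Two documentation points while these blocks are open: the context sentences still call OpenSSL `1.1.1f` and `1.1.1` "the latest at time of writing" even though this commit bumps the page's modDate, so drop or re-qualify that parenthetical; and each snippet shows only the `[system_default_sect]` body, which is only honoured when the config's `openssl_conf` / `ssl_conf` / `system_default` chain points at that section, so either show the enclosing stanzas or state that the reader is assumed to be editing a distribution `openssl.cnf` that already contains them.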
@@ -320,10 +320,11 @@ The TCP ports listed below are defaults, and can be changed if required - refer
320320
|Name|Type|Source|Target|Allow/Deny|Description|
321321
|---|---|---|---|---|---|
322322
|HTTP|`TCP 80`|Users|Octopus Server|ALLOW|We recommend only using HTTPS over SSL, however it can be convenient to allow HTTP for the initial connection which is then forced to HTTPS over SSL.|
323-
|HTTPS|`TCP 443`|Users, Polling Tentacles, external services|Octopus Server|ALLOW|Required for HTTPS over SSL. Also required if using [Polling Tentacles](/docs/infrastructure/deployment-targets/tentacle/tentacle-communication/#polling-tentacles) over [Web Sockets](/docs/infrastructure/deployment-targets/tentacle/windows/polling-tentacles-web-sockets).|
323+
|HTTPS|`TCP 443`|Users, Polling Tentacles, external services|Octopus Server|ALLOW|Required for HTTPS over SSL. Also required for initial Tentacle registration and if using [Polling Tentacles](/docs/infrastructure/deployment-targets/tentacle/tentacle-communication/#polling-tentacles) over [Web Sockets](/docs/infrastructure/deployment-targets/tentacle/windows/polling-tentacles-web-sockets) or [Polling Tentacles over HTTPS](/docs/infrastructure/deployment-targets/tentacle/polling-tentacles-over-port-443).|
324324
|Polling Tentacle|`TCP 10943`|Polling Tentacles|Octopus Server|ALLOW|Required when using [Polling Tentacles](/docs/infrastructure/deployment-targets/tentacle/tentacle-communication/#polling-tentacles) via TCP as deployment targets or external workers.|
325325
|SSH|`TCP 22`|Octopus Server|SSH deployment targets|ALLOW|Allows Octopus Server to securely connect to any SSH deployment targets.|
326326
|RDP|`TCP 3389`|Remote Desktop Users|Octopus Server|ALLOW|Allows your system administrators to perform maintenance tasks on your Octopus Server.|
327+
|gRPC|`TCP 8443`|Kubernetes Live Object Status (KLOS)/ArgoCD Gateway|Octopus Server|ALLOW|Required for Kubernetes Live Object Status (KLOS)/ArgoCD Gateway|
327328
|All inbound|`ALL`|Anywhere|Octopus Server|DENY|Prevent any other unwanted inbound traffic.|
328329

329330
### Outbound rules
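Review bot: in the new gRPC row the Description column merely repeats the Source column ("Required for Kubernetes Live Object Status (KLOS)/ArgoCD Gateway") and lacks the terminating period every other row has; describe the traffic instead (which component opens the connection to Octopus Server on 8443 and what it carries) and link to the relevant docs page, as the 443 row now does for Polling Tentacles over HTTPS. The spelling "ArgoCD" here also differs from "Argo CD" in the installation page hunk of this same commit. On the 443 row, "Also required for initial Tentacle registration" is a useful addition; consider saying which Tentacle types it covers so readers of the 10943 row do not assume it applies only to Polling Tentacles.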
@@ -340,19 +341,19 @@ The TCP ports listed below are defaults, and can be changed if required - refer
340341

341342
## Harden your containers
342343

343-
If you run an [Octopus Deploy container](/docs/installation/octopus-server-linux-container), in addition to your usual security measure for running apps out of containers, take the following steps to secure it:
344+
If you run an [Octopus Deploy container](/docs/installation/octopus-server-linux-container), in addition to your usual security measure for running apps out of containers, take the following steps to secure it:
344345

345-
- Move your Docker data directory (the default location is `/var/lib/docker`) so that your containers are stored on a separate partition.
346+
- Move your Docker data directory (the default location is `/var/lib/docker`) so that your containers are stored on a separate partition.
346347
- Assign resources carefully:
347-
- Consider pinning CPUs to namespaces in order to give them a boundary.
348-
- Consider the amount of memory required, if you assign too much the container is susceptible to denial of service attacks, but if you assign too little or make use of memory ballooning performance will be impacted.
348+
- Consider pinning CPUs to namespaces in order to give them a boundary.
349+
- Consider the amount of memory required, if you assign too much the container is susceptible to denial of service attacks, but if you assign too little or make use of memory ballooning performance will be impacted.
349350
- Consider which containers reside in each network namespace as all processes in a namespace can talk to the namespace interface.
350351

351352
The security of your Linux container host and its Docker configuration can be analyzed in detail by using [Docker Bench for Security](https://github.com/docker/docker-bench-security) from the [Center for Internet Security](https://www.cisecurity.org/about-us/). For more generalized advice for your platform they provide their benchmarks as [PDF documents](https://www.cisecurity.org/benchmark/docker/).
352353

353354
## Samples
354355

355-
We have an [Octopus Admin](https://oc.to/OctopusAdminSamplesSpace) Space on our Samples instance of Octopus. You can sign in as `Guest` to take a look at some examples of how we have used Octopus for hardening tasks.
356+
We have an [Octopus Admin](https://oc.to/OctopusAdminSamplesSpace) Space on our Samples instance of Octopus. You can sign in as `Guest` to take a look at some examples of how we have used Octopus for hardening tasks.
356357

357358
## Getting help
358359

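Review bot: every changed line in this hunk (343/344, 345/346, 347-348/348-349, 355/356) is textually identical in the rendered diff, so this is a whitespace-only cleanup, which is fine if the linter demanded it. Since the lines are being touched, fix the wording while here: "your usual security measures" (plural) on line 344, and split the comma splice in the memory bullet on line 349 into two sentences: "Consider the amount of memory required. If you assign too much, the container is susceptible to denial of service attacks; if you assign too little or make use of memory ballooning, performance will be impacted."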