Here are some best practices to make the most out of DeployHQ network agents:
Set up auto-startup: Add more automation to your processes by using DeployHQ’s startup script for systemd to ensure the agent launches automatically when the server restarts.
Secure SSH key authentication: Keep things safe by using SSH key authentication. Add the public key (found in project settings) to the authorized_keys file on your server.
Deployment scripting: With DeployHQ network agent, you can define pre- and post-deploy scripts for various tasks (e.g., running a database migration, clearing cache).
Deployment monitoring: On the DeployHQ interface, you can view and analyze logs to confirm success or failure. You can also monitor agents by running deploy-agent status on your server.
Ongoing maintenance: Make sure to keep your agents up-to-date to get all the latest security fixes. If you’re using SELinux, you may need to create a policy exception using audit2allow to permit the agent to run correctly.
Deployment Strategies: Push vs. Pull Approach
There are two main deployment techniques that you can take advantage of with DeployHQ: push deployment and pull deployment.
Push deployments are the standard approach when the connection to your server is not blocked or impeded: DeployHQ initiates an SSH connection to your server, and it goes through. This is suitable for public-facing servers or cloud instances with open ports. As we saw, however, it can be blocked by firewalls, and it may generally prove less secure in tightly controlled networks.
Pull deployments happen via network agent. The agent maintains a persistent outbound connection to DeployHQ, “pulling” instructions from the platform. It allows deployment to private/internal systems, including those behind firewalls or NAT.
If you are working with a server with a public IP address, where inbound SSH connections are allowed, and you want a simple setup with no extra software, push deployments might be what you are looking for.
However, if your server is behind a firewall or NAT, is on a private network or VPN, has security policies in place restricting inbound access, or you need to deploy to multiple internal servers from a single point, pull deployments with the network agent might be more your speed.
DeployHQ Service Configuration Tips for Network Agent
Here is how to set up your network agents, step-by-step:
In DeployHQ, under “Settings,” go to “Network Agents”.
Register a new agent and generate a token.
On your server, start the agent using the given token. You can also interact with the agent directly on your server using SSH commands.
In your server settings (under “Servers & Groups”), select the agent instead of SSH/SFTP.
When using the agent as a proxy, define internal host access in ~/.deploy/agent.access.
Ensure firewalls allow outbound TCP on port 7777 and whitelist DeployHQ IPs.
Use the --debug flag or view ~/.deploy/agent.log for troubleshooting. The agent is supported on Linux, macOS, and Windows, and is installed as a Ruby gem (requires Ruby 2.2+). Also note that you’ll need to be on at least the Business package to use network agents.
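A preflight check for the steps above, as an added example that is not DeployHQ's own tooling: it verifies the Ruby 2.2+ requirement, outbound TCP on port 7777, and that ~/.deploy and agent.access are not writable by other local accounts. The function names are made up for this example, and the agent endpoint host is an argument you supply, since this page does not name it.

```shell
#!/bin/sh
# Added example: preflight checks before starting the network agent.
# Function names are hypothetical; the endpoint host is supplied by the caller.

ruby_version_ok() {
  # $1: version such as "2.7.4"; succeeds when it is 2.2 or newer
  case "$1" in *.*) ;; *) return 2 ;; esac
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  case "$major" in ''|*[!0-9]*) return 2 ;; esac
  case "$minor" in ''|*[!0-9]*) return 2 ;; esac
  [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 2 ]; }
}

outbound_ok() {
  # $1: host, $2: port; opens and closes one TCP connection (needs bash, timeout)
  timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

not_shared_writable() {
  # $1: path; fails when group or others hold write permission on it
  mode=$(ls -ld "$1" 2>/dev/null) || return 2
  case "$mode" in ?????w*|????????w*) return 1 ;; esac
  return 0
}

preflight() {
  # $1: agent endpoint host (not named on this page; supply your own)
  rc=0
  ver=$(ruby -e 'print RUBY_VERSION' 2>/dev/null) || ver=""
  ruby_version_ok "$ver" || { echo "FAIL: Ruby 2.2+ required (found: ${ver:-none})"; rc=1; }
  outbound_ok "$1" 7777 || { echo "FAIL: no outbound TCP to $1:7777"; rc=1; }
  # agent.access defines which internal hosts the agent may reach as a proxy,
  # so other local accounts must not be able to edit it or replace it.
  for p in "$HOME/.deploy" "$HOME/.deploy/agent.access"; do
    [ -e "$p" ] || continue
    not_shared_writable "$p" || { echo "FAIL: $p is group/other writable"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "OK: preflight passed"
  return "$rc"
}

# Run only when a host is given, e.g.: sh preflight.sh <agent-endpoint-host>
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

A failed outbound check usually points at the firewall rule for port 7777 rather than at the agent itself, so run it before reaching for the --debug flag.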
Additional Resources
Deploying to a complex or secure network? Dealing with firewalls, VPS, VPNs, or other multi-layered set-ups? The DeployHQ Network Agent makes it easier to deploy securely in even the most locked-down networks.
Check out DeployHQ’s pricing plans to access advanced features like network agent support.
FAQs
What is a DeployHQ network agent, and how does it differ from a standard deploy agent?
DeployHQ Network Agent is a special type of deploy agent created to handle deployments in restricted environments, such as behind firewalls or on private networks. It differs from standard deployments because the server relies on pull deployments instead of push deployments, initiating a secure outbound connection to DeployHQ.
How can I secure my deployments using SSH key authentication with DeployHQ’s network agent?
To keep deployments secure, DeployHQ relies on SSH key authentication. With the network agent, you add your public SSH key to your servers’ authorized keys, which allows deployment scripts to connect automatically.
What are best practices for configuring DeployHQ service and monitoring deployments with a network agent?
Make sure the network agent is set to start automatically when the server restarts, and that your firewall allows outbound TCP connections on port 7777. You can check deployment progress and troubleshoot using DeployHQ’s monitoring tools and logs.