From the first day that we launched Deploy, we've been asked the same question on a monthly basis:
Can I deploy to my servers behind a VPN?
The answer to this has always been no. Although we have always wanted to satisfy these requests, we've not come up with a suitable solution that would allow us to easily support multiple types of VPN seamlessly. Until now...
We're delighted we're now able to help out those users who need to use a service like Deploy but who's servers are locked away behind a VPN. Today we're launching what we call the Deploy Agent. The Deploy Agent is a tiny utility that runs on a server behind your VPN and connects securely back to us allowing us to access servers behind the VPN.
Woah! Isn't this a bad idea?
The Deploy Agent has been constructed with security in mind and this has been very much the forefront of our development process. Here's a full list of steps we've taken to ensure the security of your network & servers:
When your agent connects back to us it will verify our certificate against a public key distributed with the agent itself. This protects you from inadvertently connecting to an untrusted party.
All communication between Deploy and the agent is encrypted using industry standard TLS with a 4096-bit private key & certificate issued by own our internal certificate authority just for this purpose.
We distribute the agent package from our own website (rather than distributing via. RubyGems.org) to avoid any potential tampering with the package. The SHA digest of the file is provided for additional verification during the installation process.
The agent can be configured to ensure that we can only connect to a list of allowed addresses. By default, it is configured to allow access only to the host it's running on, but additional destination servers can easily be added in the
The full source code for the agent is provided on GitHub for your own review. We would welcome any feedback you might have too.
How can I use it?
To use the Deploy Agent you'll just need to apply the add-on, at £5/month to your account.
To get started, just log into your account, choose Settings and then choose Network Agents. From here you can choose to create a new agent. You'll be given instructions on how to install the agent and configure it to securely connect back to us. There are a couple of system requirements:
- You'll need a Linux server or OS X machine. You'll be fine with Ubuntu, CentOS, Debian or Fedora.
- You'll need Ruby 2.0 or higher installed on the server. This is usually pretty simple.