gocd / gocd

GoCD - Continuous Delivery server main repository
https://www.gocd.org
Apache License 2.0

Agent-Server Communication #1752

Closed alan-czajkowski closed 7 years ago

alan-czajkowski commented 8 years ago

Why is the GoCD agent communication set up in such a way that it must first talk to the server via HTTP (this is terrible to begin with, why?), and then switches over to HTTPS ... the switch-over is pointless.

In any plain vanilla client-server communication with MVC or RESTful endpoints, having the option of HTTP or HTTPS is good and should be a choice made by the person installing the application. The fact that GoCD doesn't follow communication conventions is incredibly frustrating, and why the server concerns itself with encryption is unnecessary (considering modern infrastructure topologies, where load balancers and thin web servers (i.e. nginx, apache, etc.) sit in front of services, handle encryption, and do SSL termination). What communication conventions, you ask? How about when you choose one or the other, HTTP vs HTTPS, the server only uses one instead of always opening both and then not allowing a proxy situation to happen because it sends the HTTPS port to the agent (bad! this breaks proxy scenarios!).

I simply want this:

Everything else in this world can behave like this and can be configured like this; why does GoCD make this scenario incredibly difficult?

lenucksi commented 7 years ago

Seems like #2731 and #2732 might be related.

arvindsv commented 7 years ago

Correct. So, I'll close this issue. Those are much better issues to have a proper conversation over, than a rant.

arvindsv commented 7 years ago

Also, the HTTP before HTTPS thing has been removed.

hprasad068 commented 5 years ago

@arvindsv I'm not sure if this was discussed earlier. Can you confirm if it's possible to disable 8153?

arvindsv commented 5 years ago

@ketan knows this best. I don't think it is possible for GoCD to be told not to open port 8153 (yet). However, it has been possible forever to have a proxy in front of it to hide it.

Since GoCD 19.5.0, it is possible to terminate TLS even for agents on a reverse proxy instead of having to expose port 8154 to the outside world.