TeamCity EC2 Integration, securing communication between server and agent

When configuring a TeamCity build agent, you set the serverUrl property, so that the build agent can communicate requests to the TC server. It is possible to configure that for SSL. A TC build agent has a listening port (default 9090), configured via the ownPort property. The TC server will connect to the build agent port, and communicate via the HTTP protocol. I'm not aware of any way to configure the build agent port to be SSL, and configure the TC server to use SSL when connecting to it.

I believe this means that it would be possible for someone who happens to be on the internet route between a TeamCity server (in your organization's network) and a host in EC2 with a build agent to sniff and even manipulate the content of requests/responses from the TeamCity server to the TeamCity build agent on EC2.

Is this correct?

thanks
--Spider Linden
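As an added illustration of the two transport paths described in the question (this is example code, not part of the original post and not JetBrains' code), the following script audits an agent's `buildAgent.properties` file: it parses the Java `.properties` format the agent uses, flags a `serverUrl` that is not `https://`, and always reports the `ownPort` listener as plaintext HTTP that must only be reachable over a trusted network. The sample properties content is constructed; `buildAgent.properties` is the agent's real config file name, while the finding texts and severities are this example's own choices.

```python
"""Audit a TeamCity buildAgent.properties file for plaintext transport.

Added example (not JetBrains' code). Assumes the Java .properties format used
by the agent and the serverUrl / ownPort keys named in the post.
"""
from urllib.parse import urlsplit

# Constructed sample of what a default EC2 agent config might look like.
SAMPLE_PROPERTIES = """\
# TeamCity agent configuration (constructed sample)
name=ec2-agent-1
serverUrl=http://teamcity.internal.example:8111
ownPort=9090
! alternative comment marker
workDir=../work
"""

DEFAULT_OWN_PORT = "9090"  # agent default when ownPort is not set, per the post


def parse_properties(text):
    """Minimal Java .properties parser.

    Handles '#' / '!' comment lines, '=' or ':' as the key/value separator
    and backslash line continuation. Good enough for an agent config audit.
    """
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
        else:
            props[line] = ""  # key with no separator has an empty value
    return props


def audit_agent_config(text):
    """Return (severity, finding) tuples describing unencrypted transport."""
    props = parse_properties(text)
    findings = []

    # Agent -> server direction: configurable for TLS via the URL scheme.
    url = props.get("serverUrl", "")
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        findings.append((
            "HIGH",
            f"serverUrl '{url}' uses {scheme or 'no'} scheme; "
            "agent-to-server traffic is plaintext",
        ))

    # Server -> agent direction: the ownPort listener is HTTP only, so the
    # only mitigation is network-level (VPN / private network reachability).
    port = props.get("ownPort", DEFAULT_OWN_PORT)
    findings.append((
        "INFO",
        f"ownPort {port} accepts plaintext HTTP from the server; "
        "restrict reachability to the VPN or private network",
    ))
    return findings


if __name__ == "__main__":
    for severity, finding in audit_agent_config(SAMPLE_PROPERTIES):
        print(f"[{severity}] {finding}")
```

Run against a real agent's `buildAgent.properties` by reading the file into `audit_agent_config`; a `HIGH` finding means the agent itself is talking to the server in the clear, while the `INFO` line is a reminder that the server-to-agent leg cannot be fixed in this file at all.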

1 comment

Spider,

You are right: by default, the data transfers from the TeamCity server to TeamCity agents go through HTTP and are not secured.

If the traffic can go through potentially non-secure hosts, additional network setup (like tunnelling the traffic through a VPN) should be performed.

In an internal-server / agent-on-EC2 setup, you will probably want to set up an agent image so that it establishes a VPN connection into your organization's local network on boot, and configure it so that all the traffic between the TeamCity server and the agent goes through the secure VPN tunnel.

BTW, you might be interested in a feature request to support Amazon Virtual Private Cloud.