A secure proxy that allows DeployHQ to forward connections to servers behind firewalls. The agent establishes an outbound TLS connection to DeployHQ's servers and proxies deployment traffic to allowed destinations based on an IP/network allowlist.
TLS (port 7777)
DeployHQ <————————————————————————> Deploy Agent ————> Your Server(s)
mutual authentication (behind firewall) proxy
The agent connects outbound to DeployHQ, so no inbound firewall rules are needed. Connections to destination servers are restricted to an explicit allowlist of IPs and networks.
Go rewrite of the deploy-agent Ruby gem — single static binary, no Ruby runtime required.
curl -sSL https://deployhq.com/install/network-agent | bashOr download the binary for your platform from the releases page and
place it in your PATH.
network-agent setup # Generate certificate and access list (~/.deploy/)
network-agent start # Start agent in background
network-agent stop # Stop running agent
network-agent restart # Stop then start
network-agent run # Run in foreground (useful for systemd, Docker)
network-agent status # Show whether agent is running
network-agent accesslist # Display the current IP access list
network-agent install # Install as a system service (launchd on macOS, systemd on Linux)
network-agent check # Verify configuration and test server connectivity
network-agent update # Update to the latest version
network-agent version # Print agent version
Add -v / --verbose before the command for debug logging.
| File | Description |
|---|---|
agent.crt |
Client certificate (provisioned by setup) |
agent.key |
Private key |
agent.access |
Allowed destination IPs/CIDRs (one per line) |
agent.pid |
PID of the running background process |
agent.log |
Log file (written by background process) |
# This file lists IPs/networks the agent is allowed to connect to.
# Lines starting with # are comments; empty lines are ignored.
# Only the first whitespace-separated field on each line is used.
127.0.0.1
::1
192.168.1.0/24
10.0.0.0/8
Users already running the Ruby gem can migrate in place — the Go binary uses the
same ~/.deploy/ configuration files:
deploy-agent stop(Ruby gem)- Install the Go binary:
curl -sSL https://deployhq.com/install/network-agent | bash network-agent start(Go)
To roll back: network-agent stop, then gem install deploy-agent and deploy-agent start.
| Variable | Default | Description |
|---|---|---|
DEPLOY_AGENT_PROXY_IP |
agent.deployhq.com |
Agent server hostname/IP |
DEPLOY_AGENT_CERTIFICATE_URL |
https://api.deployhq.com/api/v1/agents/create |
Certificate provisioning endpoint |
DEPLOY_AGENT_NOVERIFY |
unset | Set to skip TLS server verification |
go build ./cmd/network-agent # build binary
make test # run all tests with race detector
make build-all # cross-compile all platforms
Requires Go 1.22+. Zero external dependencies.
Wire-compatible with the Ruby network-agent v1.4.1. See
internal/protocol/framing.go for the full
binary protocol specification.