Running Jenkins behind nginx

Jenkins does not use HTTPS. It’s a mistery why it does not. So, in order to run this behind HTTPS, you need a reverse HTTP proxy server in order to add “S” to HTTP.
I spent some time looking for ways to set up HTTPS for Jenkins, and the answer was negative. 🙁
Since you don’t want to expose HTTP over network, make sure Jenkins only answers to the localhost. Then, the nginx must be on the same host, or else there is no point of this exercise.

First, Jenkins is working at jenkins_host:9000 and want https runs on 8000. (I just realized the port number choices are kind of weird.)

Install nginx

This is an easy part – “sudo apt install -y nginx”

Configure nginx

This is a little harder part but here is my current config file.

upstream jenkins_host {
  server localhost:9000 fail_timeout=0; # jenkins_host ip and port
}

server {
  listen 8000 ssl;       # Listen on port 8000 for IPv4 requests with ssl
  server_name     jenkins_host.cleanwinner.com;

  ssl_certificate     /etc/ssl/cleanwinner/jenkins_host-nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/cleanwinner/jenkins_host-nginx-selfsigned.key;

  access_log      /var/log/nginx/jenkins/access.log;
  error_log       /var/log/nginx/jenkins/error.log;

  location ^~ /jenkins {
    proxy_pass          http://localhost:9000;
    proxy_read_timeout  30;

    # Fix the "It appears that your reverse proxy set up is broken" error.
    proxy_redirect      http://localhost:9000 $scheme://jenkins_host:8000;
  }

  location / {
    # Don't send any file out
    sendfile off;

    #
    proxy_pass              http://jenkins_host;
    proxy_redirect http:// https://;

    # Required for new HTTP-based CLI
    proxy_http_version 1.1;

    # Don't want any buffering
    proxy_request_buffering off;
    proxy_buffering off;         # Required for HTTP-based CLI to work over SSL

    #this is the maximum upload size
    client_max_body_size       10m;
    client_body_buffer_size    128k;

    proxy_set_header        Host $host:$server_port;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;

    # workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651
    add_header 'X-SSH-Endpoint' 'jenkins_host.cleanwinner.com:50022' always;
  }
}

So have this file as /etc/nginx/avaialbe-site/jenkins. You need to a link from /etc/nginx/enabled-site to this file in order for this setting to work. “sudo ln -s ../site-available/jenkins” in /etc/nginx/site-enabled is good.

cert files

As you can see, for SSL, you need a SSL certificate. You can create a self-signed, or get something real. For this exercise, it’s not quite relevant so I’ll leave it to you. I’ll talk about making one with pfSense. Stay tuned.

Memo to myself:

sudo openssl req -x509 -nodes -days 999 -newkey rsa:2048 -keyout /etc/ssl/cleanwinner/jenkins_host-nginx-selfsigned.key -out  /etc/ssl/cleanwinner/jenkins_host-nginx-selfsigned.crt

Leave a Reply

Your email address will not be published. Required fields are marked *