Skip to content

Instantly share code, notes, and snippets.

@hiddentao
Last active January 4, 2016 08:09
Show Gist options
  • Save hiddentao/8593447 to your computer and use it in GitHub Desktop.
Save hiddentao/8593447 to your computer and use it in GitHub Desktop.
Setting up Nginx SSL-PFS + Jenkins on Ubuntu 12.04
# Install Jenkins
wget -q -O - http://pkg.jenkins-ci.org/debian/jenkins-ci.org.key | sudo apt-key add -
sudo sh -c 'echo deb http://pkg.jenkins-ci.org/debian binary/ > /etc/apt/sources.list.d/jenkins.list'
sudo apt-get update
sudo apt-get install jenkins
ACTION: check that Jenkins is running on yourdomain.com:8080
# SSL certificates with Perfect Forward Secrecy
# (assuming /etc/ssl/certs/yourdomain.com.pem already exists)
openssl dhparam -rand - 1024 >> /etc/ssl/certs/yourdomain.com.pem
# Nginx
apt-get install nginx
rm /etc/nginx/sites-enabled/default (OPTIONAL: only if you don't want default nginx page showing)
# setup Nginx config
nano /etc/nginx/sites-available/yourdomain.com
server {
listen 443;
server_name yourdomain.com;
ssl on;
ssl_certificate /etc/ssl/certs/yourdomain.com.pem;
ssl_certificate_key /etc/ssl/certs/yourdomain.com.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+RC4:EDH+aRSA:EECDH:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
location / {
proxy_pass http://127.0.0.1:8080;
}
}
# restart nginx
ln -s /etc/nginx/sites-available/build /etc/nginx/sites-enabled/build
/etc/init.d/nginx restart
# FINAL CHECKLIST:
# - ensure your firewall is setup to only allow incoming TCP connections on ports 22 and 443.
ACTION: check that https://yourdomain.com shows Jenkins
ACTION: check perfect forward secrecy by visitng https://www.ssllabs.com/ssltest/ and entering your URL.
The above PFS settings were obtained from http://baudehlo.wordpress.com/2013/06/24/setting-up-perfect-forward-secrecy-for-nginx-or-stud/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment