
@quant-daddy
Created February 25, 2020 00:01
Set up HTTPS for Jenkins using Let's Encrypt for free.

First install certbot (instructions for Ubuntu below):

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

We are going to use this command to issue the certificate:

sudo certbot -d subdomain.yourdomain.tld --manual --preferred-challenges dns certonly

Right after you run the command, it will give you a token to add as a TXT record on your domain, something like this:

Please deploy a DNS TXT record under the name
_acme-challenge.subdomain.yourdomain.tld with the following value:

<some_token>

Add the TXT record under the name _acme-challenge.subdomain.yourdomain.tld, and you get the certificate in a subfolder of /etc/letsencrypt/live/. Use the certificate in an nginx server. Note that the certificate is written with the name fullchain.pem and the private key with the name privkey.pem.

Now let's say you want to set up HTTPS for your Jenkins instance, using nginx as the HTTPS server. Create a file under /etc/nginx/conf.d with any name, say jenkins.conf, and add the content below. The upstream block points at the Jenkins instance running on localhost:8080. The first server block redirects port 80 to HTTPS. The server_name entry is the Host header that nginx will accept. Finally, the line proxy_pass http://jenkins; forwards the HTTPS request to the Jenkins instance.

upstream jenkins {
  server 127.0.0.1:8080 fail_timeout=0;
}
 
server {
  listen 80;
  server_name subdomain.yourdomain.tld;
  return 301 https://$host$request_uri;
}
 
server {
  listen 443 ssl;
  server_name subdomain.yourdomain.tld;
 
  ssl_certificate /etc/letsencrypt/live/subdomain.yourdomain.tld/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/subdomain.yourdomain.tld/privkey.pem;
 
  location / {
    proxy_set_header        Host $host:$server_port;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_redirect http:// https://;
    proxy_pass              http://jenkins;
    # Required for new HTTP-based CLI
    proxy_http_version 1.1;
    proxy_request_buffering off;
    proxy_buffering off; # Required for HTTP-based CLI to work over SSL
    # workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651
    add_header 'X-SSH-Endpoint' 'jenkins.domain.tld:50022' always;
  }
}

Check the nginx config: sudo nginx -t
Reload nginx: sudo nginx -s reload
Don't forget to allow both HTTP and HTTPS traffic into your host (for instance by changing the ingress rule on AWS).
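Two checks worth running around the steps above, as an added example that is not part of the gist: one confirms the _acme-challenge TXT record is visible before you continue the --manual prompt, the other confirms the privkey.pem really belongs to fullchain.pem and is not about to expire before nginx loads them. It assumes openssl and dig are installed; the host name and paths are placeholders from the gist.

```sh
#!/bin/sh
# Added example, not part of the gist: sanity checks to run before pointing
# nginx at the Let's Encrypt files. Assumes openssl (and dig for the DNS
# check) are installed; the paths follow the certbot layout used above.

# check_cert_pair <cert.pem> <key.pem> [min_days]
# Succeeds only when the private key belongs to the certificate and the
# certificate stays valid for at least min_days (default 14).
check_cert_pair() {
  cert="$1"; key="$2"; min_days="${3:-14}"
  [ -r "$cert" ] || { echo "cannot read certificate: $cert" >&2; return 1; }
  [ -r "$key" ]  || { echo "cannot read private key: $key" >&2; return 1; }
  # Derive the public key from each file and compare; works for RSA and ECDSA.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match certificate" >&2; return 2
  fi
  # -checkend takes seconds and fails when the cert expires inside that window.
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "certificate expires within $min_days days; renew first" >&2; return 3
  fi
  return 0
}

# check_acme_txt <hostname> <token>
# Confirms the _acme-challenge TXT record certbot asked for is publicly
# visible before you press Enter in the --manual prompt (needs network).
check_acme_txt() {
  name="_acme-challenge.$1"
  # dig prints TXT values quoted; strip the quotes before comparing.
  dig +short TXT "$name" | tr -d '"' | grep -qxF "$2"
}

# Typical use with the placeholder host from the gist:
# HOST=subdomain.yourdomain.tld
# check_cert_pair /etc/letsencrypt/live/$HOST/fullchain.pem \
#                 /etc/letsencrypt/live/$HOST/privkey.pem && sudo nginx -t
```

Certificates issued with --manual are not renewed by certbot's timer unless you add an authentication hook, so running check_cert_pair from cron is a cheap way to notice an approaching expiry.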

References:
Let's Encrypt DNS verification: https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation
Jenkins HTTPS: https://wiki.jenkins.io/display/JENKINS/Jenkins+behind+an+NGinX+reverse+proxy
