Jenkins is an awesome integration server that can be used for free. However, having it on a non-standard web port, without SSL, might be a problem. Accessing it from a public network might create a security threat. If you've got Apache in front of your server, you can easily provide a secured proxy to Jenkins.
To do so, you need to create a VirtualHost for Apache that contains both the proxy and SSL. It would also be wise to redirect standard HTTP requests.
VirtualHost to redirect from HTTP to HTTPS
So, first let's create our HTTP VirtualHost and redirect it to the HTTPS version:

    <VirtualHost *:80>
        ServerName jenkins.my.domain
        ServerAlias www.jenkins.my.domain
        # Send every plain-HTTP request to the same host and path over HTTPS
        RewriteEngine on
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
    </VirtualHost>

SSL keys
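To get things started, we will need a key. To generate it, follow the given steps (as root):

    sudo su # or any other way to be root
    cd /etc/apache2/
    mkdir ssl
    cd ssl/
    mkdir crt
    mkdir key
    # Self-signed certificate valid for 365 days; -nodes leaves the private key unencrypted.
    # File names match the SSLCertificateFile / SSLCertificateKeyFile paths used in the HTTPS virtual host.
    openssl req -new -x509 -days 365 -keyout key/jenkins.my.domain.key -out crt/jenkins.my.domain.crt -nodes -subj '/O=Jenkins/OU=Jenkins/CN=jenkins.my.domain'
    # Keep the unencrypted key readable by root only
    chmod 600 key/jenkins.my.domain.key

Just remember to replace every "jenkins.my.domain" reference with the appropriate domain. After you execute the above commands, you should have an SSL key and an SSL certificate generated.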
Installing the necessary Apache mods
To create an SSL proxy pass we need to enable some Apache mods (still as root):

    a2enmod proxy
    a2enmod proxy_http
    a2enmod rewrite
    a2enmod ssl
    /etc/init.d/apache2 restart

HTTPS Jenkins Virtual Host
And finally, the virtual host for the secured Jenkins proxy pass:

    <VirtualHost *:443>
        ServerName jenkins.my.domain
        ServerAlias www.jenkins.my.domain

        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/crt/jenkins.my.domain.crt
        SSLCertificateKeyFile /etc/apache2/ssl/key/jenkins.my.domain.key

        # Reverse proxy only: never act as a forward proxy
        ProxyRequests Off
        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/
        ProxyPassReverse / http://my.jenkins.host/
        <Proxy http://localhost:8080/*>
            # Apache 2.2 access-control syntax
            Order allow,deny
            Allow from all
        </Proxy>
        ProxyPreserveHost on
    </VirtualHost>

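
An added example, not part of the original article: a small Python check that reads the two virtual hosts and confirms the properties this setup depends on (port 80 redirects to HTTPS, SSL is on with a certificate and key, forward proxying is off, and the plain-HTTP backend stays on loopback). The sample configuration is constructed from the article's snippets, and the names `directives` and `audit` are hypothetical.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the article's two virtual hosts, shortened, in one string.
SAMPLE_CONF = """\
<VirtualHost *:80>
    RewriteEngine on
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/crt/jenkins.my.domain.crt
    SSLCertificateKeyFile /etc/apache2/ssl/key/jenkins.my.domain.key
    ProxyRequests Off
    ProxyPass / http://localhost:8080/
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+[^>]*:(\d+)\s*>(.*?)</VirtualHost>", re.S | re.I)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def directives(body):
    """Map lowercased directive name -> list of argument strings for one vhost."""
    found = {}
    for line in map(str.strip, body.splitlines()):
        if line and not line.startswith(("#", "<")):
            name, _, args = line.replace("\t", " ").partition(" ")
            found.setdefault(name.lower(), []).append(args.strip())
    return found

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    vhosts = {int(port): directives(body) for port, body in VHOST_RE.findall(conf)}
    http, https = vhosts.get(80, {}), vhosts.get(443, {})
    findings = []
    redirects = http.get("rewriterule", []) + http.get("redirect", [])
    if not any(re.search(r"\shttps://", rule) for rule in redirects):
        findings.append("port 80 vhost does not redirect to https://")
    if [a.lower() for a in https.get("sslengine", [])] != ["on"]:
        findings.append("port 443 vhost lacks 'SSLEngine On'")
    for name in ("sslcertificatefile", "sslcertificatekeyfile"):
        if name not in https:
            findings.append("port 443 vhost lacks " + name)
    if [a.lower() for a in https.get("proxyrequests", [])] != ["off"]:
        findings.append("ProxyRequests is not Off")
    for args in https.get("proxypass", []):  # backend leg is plain HTTP: keep it on loopback
        parts = args.split()
        if len(parts) > 1 and parts[1] != "!" and urlparse(parts[1]).hostname not in LOOPBACK:
            findings.append("ProxyPass backend is not loopback: " + parts[1])
    return findings
```

Call `audit()` on the combined text of your site files before restarting Apache; it only inspects the configuration text and does not test the running server.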
November 18, 2013 — 15:38
Your article just helped me, thanks for sharing!
December 2, 2013 — 20:39
If the visiting browser is still accessing the Jenkins page via http(80), (which is just then being directed internally to 443, and THAT traffic encrypted internally) then the external access could still be insecure.
The user needs to access the Jenkins site externally via https:// (which will use 443 directly), accepting the signed or unsigned certificate for their browser to encrypt all traffic coming and going from/to your server.
December 2, 2013 — 20:40
Looks like you’re only securing the internal localhost loopback virtualhost, rather than the traffic externally.