Tag: apache

Jenkins behind Apache with HTTPS – Proxy pass with SSL

Jenkins is an awesome integration server that can be used for free. However, having it on a non-standard web port, without SSL, might be a problem: accessing it from a public network might create a security threat. If you've got Apache in front of your server, you can easily provide a secured proxy to Jenkins.

To do so, you need to create a VirtualHost for Apache that contains both the proxy and the SSL configuration. It would also be wise to redirect standard HTTP requests.

VirtualHost to redirect from HTTP to HTTPS

So first, let's create our HTTP VirtualHost and redirect it to the HTTPS version:

<VirtualHost *:80>
  ServerName jenkins.my.domain
  ServerAlias www.jenkins.my.domain

  RewriteEngine on
  RewriteCond %{SERVER_PORT} !^443$
  RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>

SSL keys

To get things started, we will need a key. To generate it, follow the steps below (as root):

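sudo su # or any other way to become root
cd /etc/apache2/
mkdir ssl
cd ssl/
mkdir crt
mkdir key
# Self-signed certificate valid for 365 days; -nodes leaves the private key unencrypted.
# The file names match the SSLCertificateFile/SSLCertificateKeyFile paths in the HTTPS VirtualHost.
openssl req -new -x509 -days 365 -keyout key/jenkins.my.domain.key -out crt/jenkins.my.domain.crt -nodes -subj '/O=Jenkins/OU=Jenkins/CN=jenkins.my.domain'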

Just remember to replace every "jenkins.my.domain" reference with your own domain. After you execute the above commands, you should have an SSL key and an SSL certificate generated.
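Before restarting Apache it is worth confirming that the certificate and key belong together, that the certificate is not about to expire, and that the unencrypted key (a consequence of -nodes) is not accessible to other users. The following is an added example, not part of the original post; the function names are illustrative, and `stat -c` assumes GNU coreutils as found on the Debian/Ubuntu systems that ship a2enmod.

```shell
# Added example: pre-restart checks for the files the HTTPS VirtualHost loads.

# Succeeds only if the certificate carries the public key of the private key.
cert_matches_key() {  # $1 = certificate, $2 = private key
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$crt_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid $2 days from now.
cert_valid_in_days() {  # $1 = certificate, $2 = days
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds only if group and others have no permissions on the key file.
key_is_private() {  # $1 = private key
  case "$(stat -c '%a' "$1" 2>/dev/null)" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Runs all three checks and prints one line per failure.
check_tls_pair() {  # $1 = certificate, $2 = private key
  rc=0
  cert_matches_key "$1" "$2" || { echo "FAIL: $1 does not match $2"; rc=1; }
  cert_valid_in_days "$1" 30 || { echo "FAIL: $1 expires within 30 days"; rc=1; }
  key_is_private "$2"        || { echo "FAIL: $2 is accessible to group/others"; rc=1; }
  return $rc
}

# Usage with the paths the HTTPS VirtualHost on this page refers to:
#   check_tls_pair /etc/apache2/ssl/crt/jenkins.my.domain.crt \
#                  /etc/apache2/ssl/key/jenkins.my.domain.key
```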

Installing necessary Apache mods

To create an SSL proxy pass, we need to enable some Apache mods (still as root):

a2enmod proxy
a2enmod proxy_http
a2enmod rewrite
a2enmod ssl

/etc/init.d/apache2 restart

HTTPS Jenkins Virtual Host

And finally, the virtual host for the secured Jenkins proxy pass:

<VirtualHost *:443>
  ServerName jenkins.my.domain
  ServerAlias www.jenkins.my.domain

  SSLEngine On
  SSLCertificateFile    /etc/apache2/ssl/crt/jenkins.my.domain.crt
  SSLCertificateKeyFile /etc/apache2/ssl/key/jenkins.my.domain.key

  ProxyRequests     Off
  ProxyPass         /  http://localhost:8080/
  ProxyPassReverse  /  http://localhost:8080/
  ProxyPassReverse  /  http://my.jenkins.host/
  <Proxy http://localhost:8080/*>
    Order allow,deny
    Allow from all
  </Proxy>
  ProxyPreserveHost on
</VirtualHost>
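The proxy only protects Jenkins if the backend port cannot be reached directly, so this added example (not from the original post) scans `ss -ltn` output for listeners on that port that are bound to anything other than loopback. The function names and both sample outputs are constructed for illustration; 8080 is the port from the ProxyPass lines above.

```shell
# Added example: reads `ss -ltn` output on stdin and reports listeners on
# the backend port that are reachable from outside the host.

# Prints every non-loopback local address listening on port $1.
exposed_listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")          # $4 is "Local Address:Port"
      if (parts[n] != port) next
      addr = substr($4, 1, length($4) - length(parts[n]) - 1)
      # Loopback forms: 127.x.x.x, [::1], IPv4-mapped [::ffff:127.x.x.x]
      if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
      print addr
    }'
}

# Succeeds only if nothing outside loopback listens on port $1.
backend_is_loopback_only() {
  [ -z "$(exposed_listeners "$1")" ]
}

# Constructed sample: Jenkins listening on all interfaces next to Apache.
SAMPLE_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
LISTEN 0      50     *:8080             *:*'

# Constructed sample: Jenkins bound to loopback only.
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
LISTEN 0      50     [::ffff:127.0.0.1]:8080 *:*'

report() {  # $1 = label, $2 = ss output
  if printf '%s\n' "$2" | backend_is_loopback_only 8080; then
    echo "$1: OK, 8080 is loopback-only"
  else
    echo "$1: EXPOSED on $(printf '%s\n' "$2" | exposed_listeners 8080 | tr '\n' ' ')"
  fi
}
report wildcard "$SAMPLE_WILDCARD"
report loopback "$SAMPLE_LOOPBACK"
# On a live host: ss -ltn | backend_is_loopback_only 8080
```

If the check reports an exposed listener, start Jenkins with its `--httpListenAddress=127.0.0.1` option or block the port at the firewall, so that the Apache virtual host is the only way in.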

Apache (Passenger) Maintenance mode for Ruby on Rails application with Capistrano

The same for Nginx and Puma: Nginx (and Puma behind) maintenance mode for Rack/Rails applications with Capistrano

There are times when we need to switch our apps into maintenance mode. Maybe it is because of some data processing, maybe because of backups, Capistrano or whatever good reason you might have. To be honest, it doesn't matter why. What does matter is how we handle the users who are working with our apps. Of course, all downtime should take place when the fewest users are online. In most cases it might be a good idea to switch the application off in the middle of the night (or on Sunday, etc.), but this won't solve our primary problem: what should we show users that are already online?

The worst scenario ever would be showing them nothing (for example by shutting down the whole application server). Users will probably think that something bad happened. A much better idea is to show users a maintenance page with some sort of information like "Temporary down for maintenance". It would be even better if such a page were shown automatically when needed.

To do so, we can use the Apache mod_rewrite module and a static 503.html page.

Mod Rewrite for Maintenance mode detection

How do we determine whether we are in maintenance mode? Let's check if the maintenance.txt file exists in the tmp/ dir of our app:

RewriteCond %{DOCUMENT_ROOT}/../tmp/maintenance.txt -f

When it exists, we need to redirect the user to our static 503.html page:

RewriteRule ^(.*)$ /503.html [NC,R,L]

Of course, the complete .htaccess should also enable RewriteEngine, skip redirects for the CSS files, and redirect from 503.html to the root when maintenance is off:

RewriteEngine On
# Set error 503 static page
ErrorDocument 503 /503.html

# Don't redirect when someone requests assets used in 503.html
RewriteCond %{REQUEST_URI} !^/assets/layouts/portal/favicon.ico$
RewriteCond %{REQUEST_URI} !^/assets/libraries/bootstrap/bootstrap.min.css$
RewriteCond %{REQUEST_URI} !^/assets/layouts/portal/application.css$
RewriteCond %{REQUEST_URI} !^/503.html$
RewriteCond %{DOCUMENT_ROOT}/../tmp/maintenance.txt -f
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
# Set 503 status for all requests
RewriteRule ^(.*)$ /503.html [NC,R=503,L]

# When it is not maintenance mode redirect to root_path from 503.html
RewriteCond %{DOCUMENT_ROOT}/../tmp/maintenance.txt !-f
RewriteCond %{REQUEST_URI} ^/503.html
RewriteRule ^503.html http://www.project.domain/ [R=302,L]

Of course, you need to remember to create your own 503.html file, put it in the public/ dir of your project, and customize all the .htaccess rules to your needs.

Capistrano hookup

To automate enabling and disabling my projects, I use a set of simple Capistrano tasks, enclosed in an Apache namespace:

namespace :apache do

  desc 'Restarts the current Passenger project'
  task :restart do
    run "touch #{current_path}/tmp/restart.txt"
  end

  desc 'Sets project server in dev mode - so the 503 page is served'
  task :lock do
    run "touch #{current_path}/tmp/maintenance.txt"
  end

  desc 'Sets project to a standard mode'
  task :unlock do
    run "rm -f #{current_path}/tmp/maintenance.txt"
  end

end

Usage example:

before 'deploy:update' do
  apache.lock
end

after 'deploy:update' do
  apache.restart
  apache.unlock
end

That's all. Good luck and as little maintenance downtime as possible! P.S. With a few modifications, this code might also be used for PHP/Python Passenger based projects.

Copyright © 2024 Closer to Code
