How to Setup Jenkins with SSL with Nginx Reverse Proxy on Ubuntu 18.04. By default Jenkins listens on port 8080 with it’s in-built web server. But it is necessary to secure Jenkins with SSL for protecting the sensitive data.
In this tutorial you are going to learn how to setup Nginx as a reverse proxy to Jenkins on Ubuntu 18.04 on Google Cloud.
This setup is tested on Google Cloud and it will pretty run the same on any Linux distributions.
Prerequisites
- A running Compute Engine, see the Setting up Compute Engine Instance with Ubuntu 18.04
- Initial Ubuntu Server Set up.
- Jenkins installed with the steps listed on How to install Jenkins on Ubuntu 18.04
- DNS setup with the steps listed in Setting up Google Cloud DNS for your domain
Install Nginx
Install Nginx with the following command.
sudo apt install nginx
This command will install Nginx on your VM instance.
Setup Firewall
Once Nginx is installed you can configure firewall, Nginx registers itself with ufw. So, you can allow the necessary ports and enable ufw.
sudo ufw allow OpenSSH sudo ufw allow 'Nginx Full'
Make sure you have added rules for SSH port 22, if you haven’t done this you cannot access the SSH. Once you have verified you can enable UFW.
sudo ufw enable
Configure Nginx for Jenkins
Now it’s time to configure Nginx as a reverse proxy for Jenkins on a subdomain.
Remove the default Nginx configuration.
sudo rm -rf /etc/nginx/sites-available/default sudo rm -rf /etc/nginx/sites-enabled/default
Create a new configuration for Jenkins
sudo nano /etc/nginx/sites-available/jenkins.yourdomainname.com
Configuration for Jenkins on Subdomain
server {
listen [::]:80;
listen 80;
server_name jenkins.yourdomainname.com;
location / {
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8080;
proxy_read_timeout 90;
proxy_redirect http://127.0.0.1:8080 https://jenkins.yourdomainname.com;
proxy_http_version 1.1;
proxy_request_buffering off;
add_header 'X-SSH-Endpoint' 'jenkins.yourdomainname.com:50022' always;
}
}
Paste this new configuration setting and hit Ctrl+X followed by Y to save the file.
Configuration for Jenkins on Sub-directory
Paste this new configuration setting and hit Ctrl+X followed by Y to save the file.
server {
listen [::]:80;
listen 80;
server_name yourdomainname.com;
location ^~ /jenkins/ {
proxy_pass http://127.0.0.1:8080/jenkins/;
sendfile off;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_max_temp_file_size 0;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_temp_file_write_size 64k;
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_buffering off;
}
}
Hit Ctrl + X followed by Y and Enter to save and exit the file.
Enable the configuration.
sudo ln -s /etc/nginx/sites-available/jenkins.yourdomainname.conf /etc/nginx/sites-enabled/jenkins.yourdomainname.conf
Configure Jenkins for Nginx
In order to Jenkins work with Nignx you need to make Jenkins to listen on localhost
sudo nano /etc/default/jenkins
Find the JENKINS_ARGS line and add --httpListenAddress=127.0.0.1 to the existing arguments.
So, the line will look similar to the one below.
JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --httpListenAddress=127.0.0.1"
For sub-directory configuration you need to add additional argument with the directory name with --prefix
JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --httpListenAddress=127.0.0.1 --prefix=/jenkins"
Save and exit the file. Finally restart Jenkins.
sudo systemctl restart jenkins
Check the configuration and restart Nginx.
sudo nginx -t sudo service nginx restart
Now Nginx is setup as a reverse proxy for Jenkins.
Install Free Let’s Encrypt SSL Certificate
HTTPS
HTTPS is a protocol for secure communication between a server (instance) and a client (web browser). Due to the introduction of Let’s Encrypt, which provides free SSL certificates, HTTPS are adopted by everyone and also provides trust to your audiences.
sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install python-certbot-nginx
Now we have installed Certbot by Let’s Encrypt for Ubuntu 18.04, run this command to receive your certificates.
sudo certbot --nginx certonly
Enter your email and agree to the terms and conditions, then you will receive the list of domains you need to generate SSL certificate.
To select all domains simply hit Enter
The Certbot client will automatically generate the new certificate for your domain. Now we need to update the Nginx config.
Configure SSL
Once the SSL is installed, you can configure it in your Nginx file.
sudo nano /etc/nginx/sites-available/yourdomainname.com
server {
listen [::]:80;
listen 80;
server_name yourdomainname.com www.yourdomainname.com;
return 301 https://www.yourdomainname.com$request_uri;
}
server {
listen [::]:443 ssl;
listen 443 ssl;
server_name www.yourdomainname.com;
ssl_certificate /etc/letsencrypt/live/yourdomainname.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomainname.com/privkey.pem;
include /etc/nginx/proxy_params;
proxy_pass http://localhost:8080;
proxy_read_timeout 90s;
proxy_redirect http://localhost:8080 https://yourdomainname.com;
return 301 https://www.yourdomainname.com$request_uri;
}
server {
listen [::]:443 ssl;
listen 443 ssl;
server_name yourdomainname.com;
include /etc/nginx/proxy_params;
proxy_pass http://localhost:8080;
proxy_read_timeout 90s;
proxy_redirect http://localhost:8080 https://yourdomainname.com;
}
Hit CTRL+X followed by Y to save the changes.
Check your configuration and restart Nginx for the changes to take effect.
sudo nginx -t sudo service nginx restart
Renewing SSL Certificate
Certificates provided by Let’s Encrypt are valid for 90 days only, so you need to renew them often. Now you set up a cronjob to check for the certificate which is due to expire in next 30 days and renew it automatically.
sudo crontab -e
Add this line at the end of the file
0 0,12 * * * certbot renew >/dev/null 2>&1
Hit CTRL+X followed by Y to save the changes.
This cronjob will attempt to check for renewing the certificate twice daily.
That’s all now you can visit your domain name in your web browser. you can see your Jenkins login page with HTTPS.
Conclusion
In this tutorial you have installed Nginx, configured UFW, setup new reverse proxy configuration for Jenkins and installed SSL and configured Jenkins for Nginx.
