How to Setup Jenkins with SSL with Nginx Reverse Proxy on Ubuntu 18.04

How to Setup Jenkins with SSL with Nginx Reverse Proxy on Ubuntu 18.04. By default Jenkins listens on port 8080 with it’s in-built web server. But it is necessary to secure Jenkins with SSL for protecting the sensitive data.

In this tutorial you are going to learn how to setup Nginx as a reverse proxy to Jenkins on Ubuntu 18.04 on Google Cloud.

This setup is tested on Google Cloud and it will run the same on any Linux distributions.

Prerequisites

• A running Compute Engine, see the Setting up Compute Engine Instance with Ubuntu 18.04
• Initial Ubuntu Server Set up.
• Jenkins installed with the steps listed on How to install Jenkins on Ubuntu 18.04
• DNS setup with the steps listed in Setting up Google Cloud DNS for your domain

Install Nginx

Install Nginx with the following command.

sudo apt install nginx

This command will install Nginx on your VM instance.

Setup Firewall

Once Nginx is installed you can configure firewall, Nginx registers itself with ufw. So, you can allow the necessary ports and enable ufw.

sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'

Make sure you have added rules for SSH port 22, if you haven’t done this you cannot access the SSH. Once you have verified you can enable UFW.

sudo ufw enable

Configure Nginx for Jenkins

Now it’s time to configure Nginx as a reverse proxy for Jenkins on a subdomain.

Remove the default Nginx configuration.

sudo rm -rf /etc/nginx/sites-available/default
sudo rm -rf /etc/nginx/sites-enabled/default

Create a new configuration for Jenkins

sudo nano /etc/nginx/sites-available/jenkins.yourdomainname.com

Configuration for Jenkins on Subdomain

 server {
    listen [::]:80;
    listen 80;

    server_name jenkins.yourdomainname.com;

    location / {
        proxy_set_header        Host $host:$server_port;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        proxy_pass          http://127.0.0.1:8080;
        proxy_read_timeout  90;

        proxy_redirect      http://127.0.0.1:8080 https://jenkins.yourdomainname.com;

        proxy_http_version 1.1;
        proxy_request_buffering off;
        add_header 'X-SSH-Endpoint' 'jenkins.yourdomainname.com:50022' always;
    } 
}

Paste this new configuration setting and hit Ctrl+X followed by Y to save the file.

Configuration for Jenkins on Sub-directory

Paste this new configuration setting and hit Ctrl+X followed by Y to save the file.

 server {
    listen [::]:80;
    listen 80;

    server_name yourdomainname.com;

    location ^~ /jenkins/ {
        proxy_pass http://127.0.0.1:8080/jenkins/;
        sendfile off;

        proxy_set_header   Host             $host:$server_port;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_max_temp_file_size 0;

        client_max_body_size       10m;
        client_body_buffer_size    128k;

        proxy_connect_timeout      90;
        proxy_send_timeout         90;
        proxy_read_timeout         90;
        proxy_temp_file_write_size 64k;

        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_buffering off;
    } 
}

Hit Ctrl + X followed by Y and Enter to save and exit the file.

Enable the configuration.

sudo ln -s /etc/nginx/sites-available/jenkins.yourdomainname.conf /etc/nginx/sites-enabled/jenkins.yourdomainname.conf

Configure Jenkins for Nginx

In order to Jenkins work with Nignx you need to make Jenkins to listen on localhost

sudo nano /etc/default/jenkins

Find the JENKINS_ARGS line and add --httpListenAddress=127.0.0.1 to the existing arguments.

So, the line will look similar to the one below.

JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --httpListenAddress=127.0.0.1"

For sub-directory configuration you need to add additional argument with the directory name with --prefix

JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --httpListenAddress=127.0.0.1 --prefix=/jenkins"

Save and exit the file. Finally restart Jenkins.

sudo systemctl restart jenkins

Check the configuration and restart Nginx.

sudo nginx -t
sudo service nginx restart

Now Nginx is setup as a reverse proxy for Jenkins.

Install Free Let’s Encrypt SSL Certificate

HTTPS
HTTPS is a protocol for secure communication between a server (instance) and a client (web browser). Due to the introduction of Let’s Encrypt, which provides free SSL certificates, HTTPS are adopted by everyone and also provides trust to your audiences.

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

Now we have installed Certbot by Let’s Encrypt for Ubuntu 18.04, run this command to receive your certificates.

sudo certbot --nginx certonly

Enter your email and agree to the terms and conditions, then you will receive the list of domains you need to generate SSL certificate.

To select all domains simply hit Enter

The Certbot client will automatically generate the new certificate for your domain. Now we need to update the Nginx config.

Configure SSL

Once the SSL is installed, you can configure it in your Nginx file.

sudo nano /etc/nginx/sites-available/yourdomainname.com

server {
     listen [::]:80;
     listen 80;

     server_name jenkins.yourdomainname.com;

     return 301 https://jenkins.yourdomainname.com$request_uri;
 }

 server {
     listen [::]:443 ssl;
     listen 443 ssl;

     server_name jenkins.yourdomainname.com;

     ssl_certificate /etc/letsencrypt/live/jenkins.yourdomainname.com/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/jenkins.yourdomainname.com/privkey.pem;

     location / {
         proxy_set_header        Host $host:$server_port;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_pass          http://127.0.0.1:8080;
         proxy_read_timeout  90;
         proxy_redirect      http://127.0.0.1:8080 https://jenkins.yourdomainname.com;

         proxy_http_version 1.1;
         proxy_request_buffering off;
         add_header 'X-SSH-Endpoint' 'jenkins.yourdomainname.com:50022' always;
     } 
 }

Hit CTRL+X followed by Y to save the changes.

Check your configuration and restart Nginx for the changes to take effect.

sudo nginx -t
sudo service nginx restart

Renewing SSL Certificate

Certificates provided by Let’s Encrypt are valid for 90 days only, so you need to renew them often. Now you set up a cronjob to check for the certificate which is due to expire in next 30 days and renew it automatically.

sudo crontab -e

Add this line at the end of the file

0 0,12 * * * certbot renew >/dev/null 2>&1

Hit CTRL+X followed by Y to save the changes.

This cronjob will attempt to check for renewing the certificate twice daily.

That’s all now you can visit your domain name in your web browser. you can see your Jenkins login page with HTTPS.

Conclusion

In this tutorial you have installed Nginx, configured UFW, setup new reverse proxy configuration for Jenkins and installed SSL and configured Jenkins for Nginx.