Configure Jenkins behind Nginx and Secure With Let’s Encrypt SSL


Question: How can I put Jenkins behind an Nginx reverse proxy with a Let’s Encrypt SSL certificate? Jenkins is a powerful open source automation server built for automating repetitive tasks and speeding up continuous integration and delivery of applications.

This short tutorial shows how to configure Nginx as a reverse proxy for a Jenkins server. It assumes you already have a working Jenkins server; if not, our guides can help you set one up.

How to install Jenkins on: CentOS 7, CentOS 8, Ubuntu, Arch Linux.

Step 1: Install Nginx web server

You need to start by installing Nginx Web server on your Linux Distribution. Here are the commands for installing Nginx on common Linux distributions.

# CentOS / RHEL
sudo yum -y install nginx vim

# Fedora
sudo dnf -y install nginx vim

# Ubuntu / Debian
sudo apt update
sudo apt install nginx vim

Step 2: Install Certbot Certificate generation tool

Next, install Certbot, the tool used to obtain the Let’s Encrypt SSL certificate, together with its Nginx plugin.

# Ubuntu / Debian
sudo apt update
sudo apt install certbot
sudo apt install python3-certbot-nginx
# Python 2
sudo apt install python2-certbot-nginx

# Fedora
sudo dnf install certbot python2-certbot-nginx

# CentOS 8 / Rocky Linux 8
sudo dnf -y install epel-release
sudo yum -y install certbot python3-certbot-nginx
 
# CentOS 7
sudo yum -y install epel-release
sudo yum -y install certbot python2-certbot-nginx

Check if working:

$ certbot --version
certbot 0.40.0

Step 3: Configure Nginx for Jenkins Server

After installing the Nginx web server, create the virtual host configuration file:

sudo vim /etc/nginx/conf.d/jenkins.conf

Paste the configuration below into the file and modify it as needed:

################################################
# Jenkins Nginx Proxy configuration
#################################################
upstream jenkins {
  # Jenkins backend, reached over loopback only
  server 127.0.0.1:8080 fail_timeout=0;
}

server {
  listen 80;
  server_name jenkins.example.com;

  location / {
    proxy_set_header        Host $host:$server_port;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_pass              http://jenkins;
    # Required for new HTTP-based CLI
    proxy_http_version 1.1;
    proxy_request_buffering off;
    proxy_buffering off; # Required for HTTP-based CLI to work over SSL
  }
}

Replace:

  • jenkins.example.com with your Jenkins server domain name as configured in DNS server

Validate your Nginx configuration:

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Start the nginx service if there are no syntax errors:

sudo systemctl enable --now nginx
sudo systemctl restart nginx

Step 4: Secure Jenkins Server With Let’s Encrypt SSL

You need a working DNS for the domain or subdomain used by the Jenkins server. In my demonstration, I’m using jenkins.computingforgeeks.com.

You also need to open port 80 to be able to get the certificate, but only if you have an active firewall.

# CentOS / Rocky Linux / RHEL / Fedora
sudo firewall-cmd --add-service={http,https} --permanent
sudo firewall-cmd --reload


# Ubuntu / Debian
sudo ufw allow proto tcp from any to any port 80,443
sudo ufw status

Once that is done, get the Let’s Encrypt certificate. But first save the required details:

  • Domain name
  • Email address that receives certificate expiry messages

export DOMAIN="jenkins.example.com"
export ALERTS_EMAIL="admin@example.com"  # placeholder; use your own address

Then proceed to request Let’s Encrypt SSL certificate for your Jenkins Server:

sudo certbot --nginx --redirect -d "$DOMAIN" --preferred-challenges http --agree-tos -n -m "$ALERTS_EMAIL" --keep-until-expiring

Sample output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jenkins.example.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/jenkins.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/jenkins.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://jenkins.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=jenkins.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/jenkins.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/jenkins.example.com/privkey.pem
   Your cert will expire on 2021-10-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

This will automatically modify the Nginx configuration to include SSL settings and redirect HTTP traffic to HTTPS.
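
A check to run once certbot has rewritten the file, as an added example that is not part of the original tutorial: it reads the vhost on stdin and confirms that the TLS listener, the Let’s Encrypt certificate paths, the port 80 redirect and the forwarded-protocol header are all present. The names audit_jenkins_conf and sample_conf are hypothetical, and the sample configuration is constructed to resemble what certbot writes.

```shell
# Added example: audit the Jenkins vhost (read on stdin) after certbot has rewritten it.
# Usage: audit_jenkins_conf DOMAIN < /etc/nginx/conf.d/jenkins.conf
# Prints PASS/FAIL per check; the exit status is the number of failed checks.
audit_jenkins_conf() {
  conf=$(sed 's/#.*//')          # drop comments so disabled directives do not count
  live="/etc/letsencrypt/live/$(printf '%s' "$1" | sed 's/\./\\./g')"
  fails=0
  check() {                      # check DESCRIPTION EXTENDED-REGEX
    if printf '%s\n' "$conf" | grep -Eq -- "$2"; then echo "PASS $1"
    else echo "FAIL $1"; fails=$((fails + 1)); fi
  }
  check "Jenkins upstream is on loopback" \
    '^[[:space:]]*server[[:space:]]+(127\.0\.0\.1|localhost|\[::1\]):[0-9]+'
  check "TLS listener on 443" 'listen[[:space:]]+(\[::\]:)?443[[:space:]]+ssl'
  check "certificate is the Let's Encrypt chain" \
    "ssl_certificate[[:space:]]+$live/fullchain\.pem;"
  check "key is the Let's Encrypt key" \
    "ssl_certificate_key[[:space:]]+$live/privkey\.pem;"
  check "port 80 redirects to HTTPS" 'return[[:space:]]+301[[:space:]]+https://'
  check "X-Forwarded-Proto is passed to Jenkins" \
    'proxy_set_header[[:space:]]+X-Forwarded-Proto[[:space:]]+\$scheme;'
  return "$fails"
}

# Constructed sample (abridged): assumed shape of the file after certbot --nginx --redirect.
sample_conf() {
  cat <<'EOF'
upstream jenkins {
  server 127.0.0.1:8080 fail_timeout=0;
}
server {
  server_name jenkins.example.com;
  location / {
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://jenkins;
  }
  listen 443 ssl; # managed by Certbot
  ssl_certificate /etc/letsencrypt/live/jenkins.example.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/jenkins.example.com/privkey.pem; # managed by Certbot
}
server {
  if ($host = jenkins.example.com) { return 301 https://$host$request_uri; }
  listen 80;
  server_name jenkins.example.com;
  return 404; # managed by Certbot
}
EOF
}
sample_conf | audit_jenkins_conf jenkins.example.com
```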

Automatically Renew Let’s Encrypt Certificates

Let’s Encrypt certificates expire after 90 days. Let’s add a cron job for automatic renewals.

sudo crontab -e

Add certbot command to run daily:

0 12 * * * /usr/bin/certbot renew --quiet

All installed certificates will be automatically renewed and reloaded.

Step 5: Access Jenkins Web Interface

Access Jenkins web interface on http://jenkins.example.com.


The Jenkins Dashboard should show after login.


You have successfully configured Nginx as Reverse proxy to Jenkins server with Let’s Encrypt SSL certificate.
