How to Configure Jenkins with SSL Behind Nginx on Ubuntu 20.04

Jenkins is an open-source tool automation solution that enables the continuous delivery of software. It is used to set up the full software delivery pipeline. This allows developers to manage and control software delivery processes throughout the product’s lifecycle, allowing them to build, test, and reliably deploy their software.

Jenkins has an extendable architecture with a dynamic and active community. The programming language used is Java. In most cases, Jenkins operates as a self-contained Java servlet application. Java servlet containers like Apache Tomcat and GlassFish can also be used to run the program.

Organizations can use Jenkins to automate and speed up the software development process. Jenkins combines all development lifecycle stages, including build, document, test, package, stage, deploy, static analysis, and many others.

Plugins assist Jenkins in achieving Continuous Integration. DevOps stages can be integrated thanks to plugins. Installing the utility’s plugins is necessary to incorporate that tool. Git, Maven 2 projects, Amazon EC2, HTML publishers, etc. are a few examples.

Jenkins has some benefits, such as:

  • It is an open-source tool with a strong sense of community.
  • Installing it is simple.
  • For your convenience, it features more than 1000 plugins. You can create a plugin that doesn’t already exist and distribute it to the community.
  • It is completely free.
  • Because it was created using Java, it can run on all the major platforms.

Plugins

An improvement to the Jenkins system is a plugin. They aid in enhancing Jenkins’ capabilities and integrating it with other programs. The Jenkins Web UI or CLI can be used to load plugins obtained from the online Jenkins Plugin repository. The Jenkins community claims that there are currently over 1500 plugins available for various purposes.

Plugins facilitate the integration of additional development tools into the Jenkins environment, expand the functionality of the Jenkins Web UI, aid in managing Jenkins, and improve build and source code management. The provision of integration points for CI/CD sources and destinations is one of the more popular uses of plugins. These consist of virtual machine hypervisors like VMware vSphere, container runtime systems like Git and Atlassian BitBucket, private cloud systems like OpenStack, and software version control systems (SVCs) like Google Cloud Platform and Amazon AWS. Additionally, some plugins help with FTP, CIFS, and SSH communication with operating systems.

Java is used to create plugins. In order to describe the plugin’s instantiation, extension points, purpose, and UI representation in the Jenkins Web UI, each plugin has its own set of Java annotations and design patterns. Jenkins Maven deployment is also used for plugin development.

Security

Jenkins security is focused on protecting the user and the server. The same methods are used to safeguard other servers to achieve server security. The server, whether a bare metal server or a virtual machine, is configured to allow the fewest possible processes to connect with it. Common server operating systems and networking security characteristics enable this.

In addition, employing industry standards like multifactor authentication, access to the server via the Jenkins UI is restricted to the fewest possible people. The user security features of the HTTP server being used for the UI can be used to do this.

Security is supported by Jenkins for its internal user database as well. The Jenkins Web UI can be used to access these capabilities. The Security Realm and the Authorization Realm are the two security realms that Jenkins supports. An operator can choose who has access to Jenkins through the Security Realm, and the Authorization Realm controls what they can do.

Both benefits and drawbacks

Jenkins has advantages and disadvantages, much like most other pieces of software. Jenkins has the benefit of being extensible through plugins. Jenkins can adapt to changes in IT settings because of this. Jenkins is more adaptable because of plugins and its robust scripting and declarative languages, which enable highly customized pipelines. Jenkins works effectively in most contexts since it is quite impartial, including complicated hybrid and multi-cloud systems.

Jenkins has existed for much longer than other alternatives in this field. This and its adaptability have caused it to be widely used. Because of its large knowledge base, thorough documentation, and a plethora of community resources, Jenkins is well known. These tools make installing, managing, and troubleshooting Jenkins installations simpler.

Finally, Java is used to build both Jenkins and its plugins. Java has a large ecosystem and is a tried-and-true corporate development language. Jenkins is now built on a strong foundation that can be expanded using widely used design patterns and frameworks.

Jenkins is not flawless. Jenkins for production can be challenging to implement while being straightforward to set up (with clear instructions). Jenkinsfiles requires coding in its declarative or scripting language to create production pipelines. Particularly complex pipelines can be challenging to code, debug, and maintain.

Single-server architecture is also a feature of the open-source system. Because of this, installation is simple, but resource usage is limited to one computer, virtual machine, or container. Jenkins has performance problems because it does not support federation across servers. Lack of federation may also increase the number of standalone Jenkins servers, which can be challenging to manage across a sizable business.

Jenkins Prerequisites:

  • An Ubuntu Server 20.04
  • A user with access to sudo
  • At least 1 GB of RAM with Oracle JDK 11 or higher installed.

Step 1: Install Jenkins on Ubuntu

You must first add the repository key to the system in order to install the most recent version of Jenkins.

wget -q -O - https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo apt-key add -

download jenkins repo key

The repository address should then be added to the sources list.

sudo sh -c 'echo deb http://pkg.jenkins.io/debian-stable binary/ > /etc/apt/sources.list.d/jenkins.list'

You can now install Jenkins and update the packages to use the newly added new repository.

sudo apt update
sudo apt install jenkins

install jenkins

The following command can launch Jenkins once the installation is complete.

sudo service jenkins start

You can use the following command to check the status.

sudo service jenkins status

Install Nginx

Using the following command, install Nginx.

sudo apt install nginx

install nginx

Nginx will be installed on your VM instance once you run this command.

Setup Firewall

You can set the firewall after Nginx has been installed because Nginx registers itself with “ufw.” You are, therefore, able to enable “ufw” and permit the required ports.

sudo ufw allow OpenSSH
sudo ufw allow 'Nginx Full'

If you have not implemented rules for SSH port 22, you will not be able to access the SSH server. Make sure you do this. After you have confirmed your identity, you can then enable UFW.

sudo ufw enable

Configure Nginx for Jenkins

Next, Nginx is set up as a reverse proxy for Jenkins on a subdomain.
Start by establishing a brand-new configuration for Jenkins.

sudo nano /etc/nginx/sites-available/jenkins.yourdomainname.com

Configuration for Jenkins on Subdomain

server {
listen [::]:80;
listen 80;
server_name jenkins.yourdomainname.com;
location / {
proxy_set_header        Host $host:$server_port;
proxy_set_header        X-Real-IP $remote_addr;
proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header        X-Forwarded-Proto $scheme;
proxy_pass          http://127.0.0.1:8080;
proxy_read_timeout  90;
proxy_redirect      http://127.0.0.1:8080 https://jenkins.yourdomainname.com;
proxy_http_version 1.1;
proxy_request_buffering off;
add_header 'X-SSH-Endpoint' 'jenkins.yourdomainname.com:50022' always;
}
}

Paste this new configuration value, then save the file by pressing Ctrl+X, followed by Y.

Configuration for Jenkins on Sub-directory

Copy this new configuration value and save the file by pressing Ctrl+X followed by Y.

server {
listen [::]:80;
listen 80;
server_name yourdomainname.com;
location ^~ /jenkins/ {
proxy_pass http://127.0.0.1:8080/jenkins/;
sendfile off;
proxy_set_header   Host             $host:$server_port;
proxy_set_header   X-Real-IP        $remote_addr;
proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
proxy_max_temp_file_size 0;
client_max_body_size       10m;
client_body_buffer_size    128k;
proxy_connect_timeout      90;
proxy_send_timeout         90;
proxy_read_timeout         90;
proxy_temp_file_write_size 64k;
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_buffering off;
}
}

To save and close the file, use Ctrl+X, Y, and Enter.
Make the configuration active.

sudo ln -s /etc/nginx/sites-available/jenkins.yourdomainname.conf /etc/nginx/sites-enabled/jenkins.yourdomainname.conf

Configure Jenkins for Nginx

You must configure Jenkins to listen on Nginx in order for it to function.

sudo nano /etc/default/jenkins

Add “—httpListenAddress=127.0.0.1” to the list of arguments on the “JENKINS ARGS” line.

As a result, the line will resemble the one below.

JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --httpListenAddress=127.0.0.1"

To configure subdirectories, you must include an additional argument with the directory name and the “—prefix” flag.

JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --httpListenAddress=127.0.0.1 --prefix=/jenkins"

File exit and saving. restart Jenkins at last.

sudo systemctl restart jenkins
sudo systemctl restart jenkins

After checking the settings, restart Nginx.

sudo nginx -t
sudo service nginx restart

Jenkins is now configured to use Nginx as a reverse proxy.

Install Free Let’s Encrypt SSL Certificate

HTTPS

The Hypertext Transfer Protocol Secure (HTTPS) protocol encrypts data sent between a user’s web browser and a website during transmission. The secure variant of HTTP is HTTPS.
The protocol shields users from man-in-the-middle (MitM) attacks and eavesdroppers. Additionally, it defends trustworthy domains against DNS spoofing assaults.

Websites that handle or transfer sensitive data, including that handled by online banking services, email providers, online retailers, healthcare providers, and others, are significantly more secure when using HTTPS. Defined, HTTPS should be used on any website that requests login information or conducts financial transactions to protect users, transactions, and data.

A malicious party can easily spoof, alter, or monitor an HTTP connection. By encrypting all communications between a web browser and a web server, HTTPS offers a defense against these vulnerabilities. Because no one can interfere with these transactions, HTTPS protects user privacy and prevents important information from getting into the wrong hands.

There is no additional HTTPS protocol over HTTP. Instead, it is a variation that encrypts connections using Secure Sockets Layer (SSL) and Transport Layer Security (TLS) over HTTP. An exchange of TLS/SSL certificates, known as a handshake, occurs when a web server and web browser communicate over HTTPS to authenticate the provider’s identity and safeguard the user and their data.

Instead of http://, an HTTPS URL starts with https://. Most web browsers display a closed padlock icon to the left of the URL in the address bar to indicate that a website is secure. Users of certain browsers can utilize the padlock icon to see if the digital certificate for an HTTPS-enabled website contains the name or business name of the website owner.

simple URL structure, https

HTTPS is a variation of HTTP that encrypts conversations over HTTP using TLS/SSL.

How does HTTPS differ from HTTP?

In HTTP, any malicious party snooping on the network may intercept or sniff the data shared via a website. This is particularly dangerous if a user visits the website using an unprotected network, such as free Wi-Fi. The plaintext is used for all HTTP communications, making them highly susceptible to on-path MitM attacks.
Thanks to HTTPS, all connections between a user’s web browser and a website are encrypted. Even if thieves manage to intercept the communication, they only see jumbled data. Only the matching decryption tool, or private key, may be used to decrypt this data and turn it into a readable format.

Security in HTTPS

The TLS encryption technology, which secures communications between two parties, is the foundation of HTTPS. TLS uses asymmetric public key infrastructure to encrypt data. This indicates that it uses two unique keys:
The secret key. This is stored on the web server and is managed by the website owner. It unlocks data that has been encrypted using the public key.

The open key. Users who want to securely communicate with the server through their web browser can use this. Only the private key can decrypt data that has been encrypted using the public key.

How to use HTTPS

To distribute a shared symmetric key for data encryption and authentication, HTTPS uses SSL/TLS and public key encryption, as was mentioned in the previous section. While HTTP uses port 80 by default, it uses port 443. Port 443 is required for all secure transfers but can also be used for HTTP connections.

The SSL/TLS handshake between the browser and the server determines the connection parameters before an HTTPS data transfer begins. To establish a secure connection, a handshake is also crucial.

Install free SSL

sudo apt-get install python3-certbot-nginx
Run this command after installing Certbot by Let’s Encrypt for Ubuntu 20.04 to obtain your certificates.

sudo certbot --nginx certonly

After entering your “email” and checking the box next to the terms and restrictions, you will receive the list of domains you need to generate an SSL certificate for.

Enter to make all domains selected.

The new certificate for your domain will be created automatically by the Certbot client. We must now update the Nginx configuration.

Configure SSL

You may set up the SSL in your Nginx file after it has been installed.

sudo nano /etc/nginx/sites-available/yourdomainname.com
server {
listen [::]:80;
listen 80;
server_name jenkins.yourdomainname.com;
return 301 https://jenkins.yourdomainname.com$request_uri;
}
server {
listen [::]:443 ssl;
listen 443 ssl;
server_name jenkins.yourdomainname.com;
ssl_certificate /etc/letsencrypt/live/jenkins.yourdomainname.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jenkins.yourdomainname.com/privkey.pem;
location / {
proxy_set_header        Host $host:$server_port;
proxy_set_header        X-Real-IP $remote_addr;
proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header        X-Forwarded-Proto $scheme;
proxy_pass          http://127.0.0.1:8080;
proxy_read_timeout  90;
proxy_redirect      http://127.0.0.1:8080 https://jenkins.yourdomainname.com;
proxy_http_version 1.1;
proxy_request_buffering off;
add_header 'X-SSH-Endpoint' 'jenkins.yourdomainname.com:50022' always;
}
}

To save the changes, press CTRL+X then Y.
If necessary, check your configuration and restart Nginx to apply the changes.

sudo nginx -t
sudo service nginx restart

Renewing SSL Certificate

It would help if you frequently renewed Let’s Encrypt certificates because they are only good for 90 days. Now you’ve set up a cronjob to automatically renew any certificates that expire in the next 30 days.

sudo crontab -e

At the file’s conclusion, include this line.

certbot renew >/dev/null 2>&1 0 0,12 * * *

To save the changes, press CTRL+X then Y.

This cronjob will make two daily checks to see if the certificate needs to be renewed.
After completing this step, you can visit your domain name in a web browser. Your Jenkins setup page is accessible through HTTPS.

Set Up Jenkins

You can now access the domain name where Jenkins was installed.

The Open screen will appear, where you must enter the password to unlock Jenkins.

To obtain the password, run the next command.

sudo cat /var/lib/jenkins/secrets/initialAdminPassword

To unlock and begin the setup, copy the password and paste it into the Administrator password area.

To begin the installation immediately, select the option to Install suggested plugins.

Create an admin user to access the dashboard once the installation is complete.

The Instance Configuration will appear at the end; you can enter your IP address or domain name here.

After saving, click Finish.

Click Start using Jenkins to access the main Jenkins dashboard after everything is finished.

Conclusion

You have completed this lesson knowing how to set up Jenkins, set up Nginx as a reverse proxy, and secure it with the free Let’s Encrypt SSL.

 

Leave a Reply

Your email address will not be published. Required fields are marked *