How to use Jenkins with SSL / https

https ssl jenkins

I have a Fedora server running Jenkins which I install via yum. Everything is okay, I can access it with http://ci.mydomain.com.

But now, I want to access it with https://ci.mydomain.com so the login with username and password is encrypted.

How can I do this?

The following is my /etc/sysconfig/jenkins file. Starting Jenkins works, but I can not access Jenkins with the webbrowser with https://ci.mydomain.com or http://ci.mydomain.com:443, ...

## Path:        Development/Jenkins
## Description: Configuration for the Jenkins continuous build server
## Type:        string
## Default:     "/var/lib/jenkins"
## ServiceRestart: jenkins
#
# Directory where Jenkins store its configuration and working
# files (checkouts, build reports, artifacts, ...).
#
JENKINS_HOME="/var/lib/jenkins"

## Type:        string
## Default:     ""
## ServiceRestart: jenkins
#
# Java executable to run Jenkins
# When left empty, we'll try to find the suitable Java.
#
JENKINS_JAVA_CMD=""

## Type:        string
## Default:     "jenkins"
## ServiceRestart: jenkins
#
# Unix user account that runs the Jenkins daemon
# Be careful when you change this, as you need to update
# permissions of $JENKINS_HOME and /var/log/jenkins.
#
JENKINS_USER="jenkins"

## Type:        string
## Default:     "-Djava.awt.headless=true"
## ServiceRestart: jenkins
#
# Options to pass to java when running Jenkins.
#
JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true"

## Type:        integer(0:65535)
## Default:     8080
## ServiceRestart: jenkins
#
# Port Jenkins is listening on.
#
JENKINS_PORT="8080"

## Type:        integer(1:9)
## Default:     5
## ServiceRestart: jenkins
#
# Debug level for logs -- the higher the value, the more verbose.
# 5 is INFO.
#
JENKINS_DEBUG_LEVEL="5"

## Type:        yesno
## Default:     no
## ServiceRestart: jenkins
#
# Whether to enable access logging or not.
#
JENKINS_ENABLE_ACCESS_LOG="no"

## Type:        integer
## Default:     100
## ServiceRestart: jenkins
#
# Maximum number of HTTP worker threads.
#
JENKINS_HANDLER_MAX="100"

## Type:        integer
## Default:     20
## ServiceRestart: jenkins
#
# Maximum number of idle HTTP worker threads.
#
JENKINS_HANDLER_IDLE="20"

## Type:        string
## Default:     ""
## ServiceRestart: jenkins
#
# Pass arbitrary arguments to Jenkins.
# Full option list: java -jar jenkins.war --help
#
JENKINS_ARGS="--httpsPort=443 --httpsKeyStore=/root/.keystore --httpsKeyStorePassword=MYPASSWORD"

Solution 1:

This page should help you set it up behind Apache (which would handle HTTPS): https://wiki.eclipse.org/Hudson-ci/Running_Hudson_behind_Apache

Apart from being a "normal" reverse-proxy, you'll need this (as shown on that page):

Header edit Location ^http://www.example.com/hudson/ https://www.example.com/hudson/

Solution 2:

Just in case you're using Nginx and not Apache, you might want to use proxy_redirect http:// https://; to rewrite the Location header as the response comes back from Jenkins.

A complete nginx setup where SSL is terminated with Nginx and proxied internally to Jenkins using 8080 might look like this:

upstream jenkins {
  server 127.0.0.1:8080 fail_timeout=0;
}

server {
  listen 80 default;
  server_name 127.0.0.1 *.mydomain.com;
  rewrite ^ https://$server_name$request_uri? permanent;
}

server {
  listen 443 default ssl;
  server_name 127.0.0.1 *.mydomain.com;

  ssl_certificate           /etc/ssl/certs/my.crt;
  ssl_certificate_key       /etc/ssl/private/my.key;

  ssl_session_timeout  5m;
  ssl_protocols  SSLv3 TLSv1;
  ssl_ciphers HIGH:!ADH:!MD5;
  ssl_prefer_server_ciphers on;

  # auth_basic            "Restricted";
  # auth_basic_user_file  /home/jenkins/htpasswd;

  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect http:// https://;

    add_header Pragma "no-cache";

    proxy_pass http://jenkins;
  }
}

Solution 3:

Note that (as of sometime?) Jenkins can generate the key for you, all you need to do is set the --httpsPort=(portnum) parameter in JENKINS_ARGS.

In my case I set JENKINS_PORT="-1" (disable http) and set --httpsPort=8080 which worked well for my own purposes.

Just note that any port below 1000 generally requires root access, so pick a port higher than that...

(Link for more info)

Related

What does "<service_name> dead but subsys locked" mean?
Can you lookup a domains past nameserver & mx record history?
postgres server fails to start, produces no log, how to to troubleshoot?
Failed tls handshake. Does not contain any IP SANs
Postgres error message: FATAL: Ident authentication failed for user "..."
SQL Server (2005/2008): Does full backup truncate the log in full recovery mode
AWS ELB Apache2 503 Service Unavailable: Back-end server is at capacity
Could "jibe with" imply something racist? [closed]
What's the correct use of a comma when thanking someone?
Is there a symbol for the word "as"?
Origin of "I see, said the blind man, as he waved his wooden leg"
Is the last word an adjective or the past participle of a verb in "The student looked at him, perplexed."?