Question: How can I put Jenkins behind Nginx reverse proxy and Let’s Encrypt SSL certificate?. Jenkins is a powerful open source automation server built for automating repetitive tasks and to fasten continuous integration and delivery of Applications.
This short tutorial will discuss how you can configure Nginx to work as reverse Proxy for Jenkins server. The assumption is that you have a working Jenkins server, but our guides can be of help setting up Jenkins Server.
How to install Jenkins on CentOS 7, CentOS 8, Ubuntu, Arch Linux.
Step 1: Install Nginx web server
You need to start by installing Nginx Web server on your Linux Distribution. Here are the commands for installing Nginx on common Linux distributions.
# CentOS / RHEL
sudo yum -y install nginx vim
# Fedora
sudo dnf -y install nginx vim
# Ubuntu / Debian
sudo apt update
sudo apt install nginx vim
Step 2: Install Cerbot Certificate generation tool
Next is the installation of Certbot tool that is used to obtain Let’s Encrypt SSL certificate. Download and install certbot-auto command line tool.
# Ubuntu / Debian
sudo apt update
sudo apt install certbot
sudo apt install python3-certbot-nginx
# Python 2
sudo apt install python2-certbot-nginx
# Fedora
sudo dnf install certbot python2-certbot-nginx
# CentOS 8 / Rocky Linux 8
sudo dnf -y install epel-release
sudo yum -y install certbot python3-certbot-nginx
# CentOS 7
sudo yum -y install epel-release
sudo yum -y install certbot python2-certbot-nginx
Check if working:
$ certbot --version
certbot 1.21.0Step 3: Configure Nginx for Jenkins Server
After installing Nginx web server we can start creating VirtualHost configuration file:
sudo vim /etc/nginx/conf.d/jenkins.confPaste and modify below configurations in the file created:
################################################
# Jenkins Nginx Proxy configuration
#################################################
upstream jenkins {
server 127.0.0.1:8080 fail_timeout=0;
}
server {
listen 80;
server_name jenkins.example.com;
location / {
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://jenkins;
# Required for new HTTP-based CLI
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_buffering off; # Required for HTTP-based CLI to work over SSL
}
}
Replace:
- jenkins.example.com with your Jenkins server domain name as configured in DNS server
Validate your Nginx configuration:
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successfulStart nginx service if no syntax errors:
sudo systemctl enable --now nginx
sudo systemctl restart nginxStep 4: Secure Jenkins With Let’s Encrypt SSL
You need a working DNS for the domain or subdomain used by the Jenkins server. In my demonstration, I’m using jenkins.geeksforgeeks.org.
You also need to open port 80 to be able to get the certificate, but only if you have an active firewall.
# CentOS / Rocky Linux / RHEL / Fedora
sudo firewall-cmd --add-service={http,https} --permanent
sudo firewall-cmd --reload
# Ubuntu / Debian
sudo ufw allow proto tcp from any to any port 80,443
sudo ufw statusOnce that is done, get Let’s Encrypt Certificate. But first save required details:
- Domain name
- Email address that receive certificate expiry message
export DOMAIN="jenkins.example.com"
export ALERTS_EMAIL="[email protected]"
Then proceed to request Let’s Encrypt SSL certificate for your Jenkins Server:
sudo certbot --nginx --redirect -d $DOMAIN --preferred-challenges http --agree-tos -n -m $ALERTS_EMAIL --keep-until-expiringSample output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jenkins.example.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/jenkins.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/jenkins.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://jenkins.example.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=jenkins.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/jenkins.example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/jenkins.example.com/privkey.pem
Your cert will expire on 2021-10-05. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-leThis will automatically modify nginx configuration to include SSL settings and redirection of http traffic to https.
Automatically Renew Let’s Encrypt Certificates
Let’s Encrypt certificates expire after 90 days. Let’s add a cron job for automatic renewals.
sudo crontab -eAdd certbot command to run daily:
0 12 * * * /usr/bin/certbot renew --quietAll installed certificates will be automatically renewed and reloaded.
Step 5: Access Jenkins Web Interface
Access Jenkins web interface on http://jenkins.example.com.
The Jenkins Dashboard should show after login.
You have successfully configured Nginx as Reverse proxy to Jenkins server with Let’s Encrypt SSL certificate.
Other Jenkins related Articles:
