Configuring nginx as a reverse proxy for Jenkins with SSL enabled
This post describes how to obtain an SSL certificate from Let's Encrypt and configure nginx as a reverse proxy in front of Jenkins. Before you start, you need a running Jenkins instance.
1: Install nginx
Refer to the nginx installation guide here.
2. Install the Certbot tool
Install the Certbot tool to request a Let's Encrypt SSL certificate. Download and install the certbot-auto
command-line tool:
    curl -sL https://dl.eff.org/certbot-auto | sudo tee /usr/local/bin/certbot-auto
Make it executable:
    sudo chmod +x /usr/local/bin/certbot-auto
Check that it works:
    certbot-auto --version
A version number in the output means the certbot command-line tool was installed successfully:
    [root@www ~]# certbot-auto --version
    certbot 1.4.0
On a minimal Linux install it will prompt to install yum dependency packages; enter "y" to install the required dependencies.
    Creating virtual environment...
    Installing Python packages...
    Installation succeeded.
    certbot 1.4.0
The output above indicates a successful installation; you can run certbot-auto --version once more.
3 Request a Let's Encrypt SSL certificate
You need a domain name for Jenkins, for example jenkins.example.com.
Open ports 80 and 443
    # CentOS 7
    $ sudo firewall-cmd --add-service={http,https} --permanent
    $ sudo firewall-cmd --reload

    # Ubuntu / Debian
    $ sudo ufw allow proto tcp from any to any port 80,443
    $ sudo ufw status
Request the Let's Encrypt certificate:
Set the environment variables, stop nginx (the standalone authenticator needs to bind port 80 itself for the http-01 challenge), and run certbot:
    export DOMAIN="jenkins.example.com"
    export ALERTS_EMAIL="webmaster@example.com"
    sudo systemctl stop nginx
    sudo /usr/local/bin/certbot-auto certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $ALERTS_EMAIL --keep-until-expiring
Example output:
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for jenkins.example.com
    Waiting for verification...
    Cleaning up challenges

    IMPORTANT NOTES:
    Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/jenkins.example.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/jenkins.example.com/privkey.pem
    Your cert will expire on 2019-07-08. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    "certbot-auto renew"
    Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
    If you like Certbot, please consider supporting our work by:
    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le
4: Configure Nginx
Add a Jenkins configuration at /usr/local/nginx/conf/vhost/jenkins.conf with the following content:
    ################################################
    # Jenkins Proxy configuration with SSL
    #################################################
    upstream jenkins {
      server 127.0.0.1:8080 fail_timeout=0;
    }

    server {
      listen 80;
      server_name jenkins.example.com;
      return 301 https://$host$request_uri;
    }

    server {
      listen 443 ssl;
      server_name jenkins.example.com;

      ssl_certificate /etc/letsencrypt/live/jenkins.example.com/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/jenkins.example.com/privkey.pem;

      location / {
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect http:// https://;
        proxy_pass http://jenkins;
        # Required for new HTTP-based CLI
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_buffering off;
        # Required for HTTP-based CLI to work over SSL
        # workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651
        add_header 'X-SSH-Endpoint' 'jenkins.example.com:50022' always;
      }
    }
Check the syntax
    $ sudo nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload the configuration (nginx has no --reload flag; the signal form is the correct one)
    $ sudo nginx -s reload
5 Access the Jenkins Web Interface
The Jenkins Web Interface is now reachable at https://jenkins.example.com.
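Once the proxy is up, the two things worth verifying are that plain HTTP really is redirected to HTTPS and that the certificate nginx serves matches the domain and is not close to its 90-day Let's Encrypt expiry. The following checker is an added example, not part of the original post or of certbot/nginx; it assumes the domain jenkins.example.com from above, and its audit logic works on the dict that Python's ssl module returns from getpeercert() so it can be run against a saved certificate as well as a live server.

```python
import http.client
import socket
import ssl
import time

# certbot's default renewal window; Let's Encrypt leaf certs are valid for 90 days
RENEW_WITHIN_DAYS = 30


def _san_matches(pattern: str, host: str) -> bool:
    """Match one DNS SAN entry; '*.example.com' covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return False


def audit_certificate(cert: dict, host: str, now=None) -> dict:
    """Inspect a cert in the dict shape returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    # ssl.cert_time_to_seconds parses the 'Jul  8 12:00:00 2019 GMT' notAfter format
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    return {
        "hostname_ok": any(_san_matches(san, host) for san in sans),
        "days_left": int(days_left),
        "renew_now": days_left < RENEW_WITHIN_DAYS,
    }


def redirect_ok(status: int, location: str, host: str) -> bool:
    """The port-80 server block must answer 301 to the HTTPS origin of the same host."""
    return status == 301 and location.lower().startswith(f"https://{host.lower()}/")


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """TLS handshake with chain and hostname verification; returns the leaf cert dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def fetch_redirect(host: str):
    """Plain-HTTP GET of '/' on port 80; returns (status, Location header)."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location", "")
```

On a live host, run audit_certificate(fetch_peer_cert("jenkins.example.com"), "jenkins.example.com") and redirect_ok(*fetch_redirect("jenkins.example.com"), "jenkins.example.com"); a renew_now of True means "certbot-auto renew" is due.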