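Reposted

Configuring nginx as a reverse proxy for Jenkins with SSL

This article explains how to obtain an SSL certificate from Let’s Encrypt and configure nginx as a reverse proxy for Jenkins. Before starting, you need a running Jenkins service.

1: Install nginx

See the nginx installation guide.

2: Install the Certbot tool

Install the Certbot tool to request a Let’s Encrypt SSL certificate. Download and install the certbot-auto command-line tool: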

curl -sL https://dl.eff.org/certbot-auto | sudo tee /usr/local/bin/certbot-auto

Make it executable:

sudo chmod +x /usr/local/bin/certbot-auto

Check that it works:

certbot-auto --version

A version number in the output means the certbot command-line tool was installed successfully:

[root@www ~]# certbot-auto --version
certbot 1.4.0

On a minimal Linux installation, certbot-auto prompts you to install yum dependency packages; enter "y" to install them.

Creating virtual environment...
Installing Python packages...
Installation succeeded.
certbot 1.4.0

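The output above means the installation succeeded; you can run certbot-auto --version again to confirm.

3: Request a Let’s Encrypt SSL certificate

You need a domain name for Jenkins, for example jenkins.example.com.

Open ports 80 and 443: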

# CentOS 7
$ sudo firewall-cmd --add-service={http,https} --permanent
$ sudo firewall-cmd --reload
 
# Ubuntu / Debian
$ sudo ufw allow proto tcp from any to any port 80,443
$ sudo ufw status

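Request the Let’s Encrypt certificate:

Set the environment variables, stop nginx so that the standalone authenticator can bind port 80, then run certbot-auto: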

export DOMAIN="jenkins.example.com"
export ALERTS_EMAIL="webmaster@example.com"
sudo systemctl stop nginx
sudo /usr/local/bin/certbot-auto certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $ALERTS_EMAIL --keep-until-expiring

Example output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator standalone, Installer None
 Obtaining a new certificate
 Performing the following challenges:
 http-01 challenge for jenkins.example.com
 Waiting for verification…
 Cleaning up challenges
 IMPORTANT NOTES:
 Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/jenkins.example.com/fullchain.pem
 Your key file has been saved at:
 /etc/letsencrypt/live/jenkins.example.com/privkey.pem
 Your cert will expire on 2019-07-08. To obtain a new or tweaked
 version of this certificate in the future, simply run certbot-auto
 again. To non-interactively renew all of your certificates, run
 "certbot-auto renew"
 Your account credentials have been saved in your Certbot
 configuration directory at /etc/letsencrypt. You should make a
 secure backup of this folder now. This configuration directory will
 also contain certificates and private keys obtained by Certbot so
 making regular backups of this folder is ideal.
 If you like Certbot, please consider supporting our work by:
 Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 Donating to EFF:                    https://eff.org/donate-le

4: Configure Nginx

Add the Jenkins configuration file /usr/local/nginx/conf/vhost/jenkins.conf with the following content:

################################################
# Jenkins Proxy configuration with SSL
#################################################
upstream jenkins {
  server 127.0.0.1:8080 fail_timeout=0;
}
 
server {
  listen 80;
  server_name jenkins.example.com;
  return 301 https://$host$request_uri;
}
 
server {
  listen 443 ssl;
  server_name jenkins.example.com;
 
  ssl_certificate /etc/letsencrypt/live/jenkins.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/jenkins.example.com/privkey.pem;
 
  location / {
    proxy_set_header        Host $host:$server_port;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_redirect http:// https://;
    proxy_pass              http://jenkins;
    # Required for new HTTP-based CLI
    proxy_http_version 1.1;
    proxy_request_buffering off;
    proxy_buffering off; # Required for HTTP-based CLI to work over SSL
    # workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651
    add_header 'X-SSH-Endpoint' 'jenkins.example.com:50022' always;
  }
}
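
The HTTPS server block above leaves the TLS protocol versions at nginx's defaults and sends no HSTS header. As an added example (not part of the original article), the following is a hardened variant of that 443 block only; the upstream and port 80 blocks stay as they are. The protocol list, session settings and max-age value are assumptions to adapt to your clients.

```nginx
# Added example: hardened variant of the article's HTTPS server block.
# Lines marked "assumption" are not from the original article.
server {
  listen 443 ssl;
  server_name jenkins.example.com;

  ssl_certificate     /etc/letsencrypt/live/jenkins.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/jenkins.example.com/privkey.pem;

  # Assumption: every client (browsers, build agents, CLI) speaks TLS 1.2+.
  # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
  ssl_protocols TLSv1.2 TLSv1.3;

  # Assumption: session cache sizing. Tickets are disabled because nginx
  # does not rotate ticket keys on its own while it keeps running.
  ssl_session_cache   shared:SSL:10m;
  ssl_session_timeout 1h;
  ssl_session_tickets off;

  location / {
    proxy_set_header        Host $host:$server_port;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_redirect http:// https://;
    proxy_pass              http://jenkins;
    proxy_http_version 1.1;
    proxy_request_buffering off;
    proxy_buffering off;

    # HSTS (assumption: one year, this host only, no includeSubDomains).
    # It is declared here rather than at server level on purpose: a location
    # that has any add_header of its own inherits none from the server block,
    # and this location already sets X-SSH-Endpoint, so a server-level HSTS
    # header would be silently missing from every proxied response.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header 'X-SSH-Endpoint' 'jenkins.example.com:50022' always;
  }
}
```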

Check the syntax:

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

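Reload the configuration (if nginx is still stopped from step 3, start it with sudo systemctl start nginx instead):

$ sudo nginx -s reload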

5: Access the Jenkins web interface

You can now reach the Jenkins web interface at https://jenkins.example.com.

Original article: https://www.nginx.cn/5722.html