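Configuring nginx as a Reverse Proxy for Jenkins with SSL

This article explains how to request an SSL certificate from Let's Encrypt and configure nginx as a reverse proxy for Jenkins. Before you begin, you need a running Jenkins service.

1: Install nginx

Refer to the nginx installation guide.

2: Install the Certbot tool

Install the Certbot tool to request an SSL certificate from Let's Encrypt. Download and install the certbot-auto command-line tool: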

curl -sL https://dl.eff.org/certbot-auto | sudo tee /usr/local/bin/certbot-auto

Make it executable:

sudo chmod +x /usr/local/bin/certbot-auto

Check that it works:

certbot-auto --version

If a version number is returned, the certbot command-line tool was installed successfully:

[root@www ~]# certbot-auto --version
certbot 1.4.0

On a minimal Linux installation you will be prompted to install yum dependency packages; enter "y" to install the required dependencies.

Creating virtual environment...
Installing Python packages...
Installation succeeded.
certbot 1.4.0

The output above indicates that the installation succeeded. You can then run the version check again:

certbot-auto --version


3: Request a Let's Encrypt SSL certificate

You need a domain name for Jenkins, for example jenkins.example.com.

Open ports 80 and 443:

# CentOS 7
$ sudo firewall-cmd --add-service={http,https} --permanent
$ sudo firewall-cmd --reload
 
# Ubuntu / Debian
$ sudo ufw allow proto tcp from any to any port 80,443
$ sudo ufw status

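Request the Let's Encrypt certificate:

Set the environment variables, stop nginx (the standalone authenticator needs to bind port 80 itself), and run certbot-auto: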

export DOMAIN="jenkins.example.com"
export ALERTS_EMAIL="webmaster@example.com"
sudo systemctl stop nginx
sudo /usr/local/bin/certbot-auto certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $ALERTS_EMAIL --keep-until-expiring

Example output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator standalone, Installer None
 Obtaining a new certificate
 Performing the following challenges:
 http-01 challenge for jenkins.example.com
 Waiting for verification…
 Cleaning up challenges
 IMPORTANT NOTES:
 Congratulations! Your certificate and chain have been saved at:
 /etc/letsencrypt/live/jenkins.example.com/fullchain.pem
 Your key file has been saved at:
 /etc/letsencrypt/live/jenkins.example.com/privkey.pem
 Your cert will expire on 2019-07-08. To obtain a new or tweaked
 version of this certificate in the future, simply run certbot-auto
 again. To non-interactively renew all of your certificates, run
 "certbot-auto renew"
 Your account credentials have been saved in your Certbot
 configuration directory at /etc/letsencrypt. You should make a
 secure backup of this folder now. This configuration directory will
 also contain certificates and private keys obtained by Certbot so
 making regular backups of this folder is ideal.
 If you like Certbot, please consider supporting our work by:
 Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 Donating to EFF:                    https://eff.org/donate-le

4: Configure Nginx

Add the Jenkins configuration file /usr/local/nginx/conf/vhost/jenkins.conf with the following content:

################################################
# Jenkins Proxy configuration with SSL
#################################################
upstream jenkins {
  server 127.0.0.1:8080 fail_timeout=0;
}
 
server {
  listen 80;
  server_name jenkins.example.com;
  return 301 https://$host$request_uri;
}
 
server {
  listen 443 ssl;
  server_name jenkins.example.com;
 
  ssl_certificate /etc/letsencrypt/live/jenkins.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/jenkins.example.com/privkey.pem;
 
  location / {
    proxy_set_header        Host $host:$server_port;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_redirect http:// https://;
    proxy_pass              http://jenkins;
    # Required for new HTTP-based CLI
    proxy_http_version 1.1;
    proxy_request_buffering off;
    proxy_buffering off; # Required for HTTP-based CLI to work over SSL
    # workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651
    add_header 'X-SSH-Endpoint' 'jenkins.example.com:50022' always;
  }
}

Check the syntax:

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
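
nginx -t only confirms that the file parses. The following added example (not part of the original article) checks that the vhost still carries the HTTPS redirect, TLS listener, certificate paths, forwarded-protocol header and loopback upstream shown above; the function names and the embedded sample are constructed for illustration.

```shell
# Added example (not from the original article): static check of the Jenkins
# vhost before reloading nginx. All function names are hypothetical.

# check DESCRIPTION ERE: pass if an active line of $conf matches ERE.
check() {
  if printf '%s\n' "$conf" | grep -Eq "$2"; then
    echo "ok   $1"
  else
    echo "FAIL $1"; failures=$((failures + 1))
  fi
}

# Reads the vhost from $1 (or stdin); exit status = number of failed checks.
check_jenkins_vhost() {
  conf=$(cat -- "$@" | sed 's/#.*$//')  # strip comments: disabled lines do not count
  failures=0; s='[[:space:]]'
  check "port 80 redirects to HTTPS" "^$s*return$s+301$s+https://"
  check "TLS listener on 443" "^$s*listen$s+[^;]*443[^;]*${s}ssl"
  check "certificate chain set" "^$s*ssl_certificate$s+[^;]+;"
  check "private key set" "^$s*ssl_certificate_key$s+[^;]+;"
  check "X-Forwarded-Proto sent to Jenkins" "proxy_set_header$s+X-Forwarded-Proto$s+[$]scheme"
  check "upstream bound to loopback" "^$s*server$s+(127[.]0[.]0[.]1|localhost):[0-9]+"
  return "$failures"
}

# Constructed sample, condensed from the configuration in this article.
sample_vhost() {
  cat <<'EOF'
upstream jenkins {
  server 127.0.0.1:8080 fail_timeout=0;
}
server {
  listen 80;
  return 301 https://$host$request_uri;
}
server {
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/jenkins.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/jenkins.example.com/privkey.pem;
  location / {
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://jenkins;
  }
}
EOF
}

# Demo: check the file given as $1, or the constructed sample when none is given.
if [ "$#" -gt 0 ]; then check_jenkins_vhost "$1"; else sample_vhost | check_jenkins_vhost; fi
```

Pass the vhost path as the first argument to check the real file; a non-zero exit status means at least one of the properties is missing.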

Reload the configuration:

$ sudo nginx -s reload

5: Access the Jenkins Web Interface

The Jenkins Web Interface is now available at https://jenkins.example.com

Original article:

https://www.nginx.cn/5722.html
