How to set the "Resource root URL" in Jenkins

Tags:

jenkins

We're setting up a fresh instance of Jenkins and are finding that the "Resource root URL" is empty by default. I've read the Jenkins documentation on this and the (few) stackoverflow responses, but I'm still unclear how to fill this field. In our case, we are using a rented server instance with a dedicated external IP address (a dotted-quad) but without a domain name. BTW, the "Jenkins URL" seems to be properly set to our external dotted-quad address.

  1. What does a properly formatted "Resource root URL" look like?
  2. How does one set a "Resource root URL" without a domain name?
  3. The documentation mentions that a CSP (Content-Security-Policy) is supposed to be part of this. What is it and how does one set it up?
  4. In summary, what are the steps to building a "Resource root URL" for Jenkins?

Thanks!

Hephaestus asked Mar 01 '23 22:03


1 Answer

As far as I know you need two distinct domains pointing to the same Jenkins instance. This seems to be a restriction of the frame-ancestors directive of Content-Security-Policy, see the 6th comment to JENKINS-41891.

In short, the CSP (Content-Security-Policy) is a security feature that restricts the browser from including foreign resources (like e.g. images and CSS) or from executing external scripts.

In the context of Jenkins the CSP is used to restrict user provided content (like e.g. a published Maven site) from messing/interacting with Jenkins. Without it a developer without administrative rights in Jenkins but being able to include scripts in a Maven site (i.e. with commit rights to the source repository) could possibly trigger administrative Jenkins tasks as soon as an administrator browses the published Maven site containing this malicious script.

The problem is, often you want to have scripts on user generated content published by Jenkins. But because of the security risk the CSP blocks them nevertheless.

So you have these options:

  • Live with non-working scripts in your published artefacts. If you have no use for published artefacts hosted on your Jenkins instance you probably have no need for the resource URL and don't need to worry.
  • Relax the CSP restrictions: This is described in the Jenkins User Handbook: Configuring Content Security Policy, but cumbersome and a security risk (=easy to get wrong).
  • Use a second domain: This is the Resource root URL. From the browser's point of view the two URLs have nothing to do with each other and so the scripts at the resource URL are not trusted to mess with Jenkins at the "main" URL.

So, if you want to use the Resource root URL, you need two domains (or one domain and one IP) for it to work. You should then be able to set up your Jenkins like this:

  • Jenkins URL: https://jenkins.example.org/
  • Resource root URL: https://jenkins-static.example.org/

In this example both jenkins.example.org and jenkins-static.example.org point to the same IP.


Please note that all of the above is written by a non-security and non-Jenkins expert, so it might not be 100% accurate. But it should get the idea across.

siegi answered Mar 04 '23 10:03
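The separation the answer relies on is that the browser treats the two URLs as different origins (scheme, host and port). The following checker, an added example and not code from the answer's author or from the Jenkins project, compares a candidate "Resource root URL" against the "Jenkins URL" using that origin rule; the hostnames and the 203.0.113.10 address are constructed sample values.

```python
# Added example: is a candidate Resource root URL a distinct browser origin from the
# Jenkins URL? Not Jenkins' own validation; it only applies the browser origin rule.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the browser origin (scheme, host, port) of an absolute http(s) URL.

    Raises ValueError for anything a browser would not treat as an absolute origin.
    """
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    if p.query or p.fragment:
        raise ValueError(f"URL must not carry a query or fragment: {url!r}")
    port = p.port if p.port is not None else DEFAULT_PORTS[p.scheme]
    return (p.scheme, p.hostname.lower(), port)


def check_resource_root(jenkins_url, resource_root_url):
    """Return a list of problems; an empty list means the pair gives the origin
    separation the answer describes (two hostnames, or one hostname and one IP)."""
    try:
        j, r = origin(jenkins_url), origin(resource_root_url)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if j == r:
        problems.append("same origin: the browser would trust scripts from the "
                        "resource root exactly like Jenkins itself")
    elif j[1] == r[1]:
        # Another port on the same host is a distinct origin for scripts, but cookie
        # scope ignores the port (RFC 6265), so the Jenkins session cookie would
        # still be sent to the resource root. Prefer a second hostname or an IP.
        problems.append("same host on another port: distinct origin, but cookies "
                        "are shared with Jenkins")
    if r[0] != "https":
        problems.append("resource root is not served over https")
    return problems


if __name__ == "__main__":
    # The pair from the answer above (constructed sample hostnames).
    print(check_resource_root("https://jenkins.example.org/",
                              "https://jenkins-static.example.org/"))
```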