Protect Jenkins with nginx http auth except callback url

I installed Jenkins on my server and I want to protect it with nginx http auth so that requests to:

http://my_domain.com:8080
http://ci.my_domain.com

will be protected except one location:

http://ci.my_domain.com/job/my_job/build

needed to trigger a build. I am kinda new to nginx, so I am stuck with the nginx config for that.

upstream jenkins {
  server  127.0.0.1:8080;
}

server {
  listen x.x.x.x:8080;
  server_name *.*;

  location '/' {
    proxy_pass http://jenkins;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_redirect off;

    auth_basic "Restricted";
    auth_basic_user_file /path/.htpasswd;    
  }
}

I tried something like the above config, but when I visit http://my_domain.com:8080 there is no http auth.

asked Jul 25 '12 07:07

makaroni4


1 Answer

Finally I figured out how to solve this problem. At first we need to uncheck the "Enable security" option on the Manage Jenkins page. With security disabled we can trigger our jobs with requests like http://ci.your_domain.com/job/job_name/build.

If you want to add a token to the trigger URL, we need to Enable Security, choose "Project-based Matrix Authorization Strategy" and give Admin rights to the Anonymous user. After that, the Configure page of your project will have a "Trigger builds remotely" option where you can specify a token, so your request will look like JENKINS_URL/job/onru/build?token=TOKEN_NAME

So with security disabled we need to protect http://ci.your_domain.com with nginx http_auth, except URLs like /job/job_name/build.

And of course we need to hide port 8080 from external requests. Since my server is on Ubuntu, I can use the iptables firewall:

iptables -A INPUT -p tcp --dport 8080 -s localhost -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

But! On Ubuntu (I am not sure about other Linux OSes) iptables rules will disappear after reboot. So we need to save them with:

iptables-save

And that is not the end. With this command we just get a file with the iptables rules. On startup we need to load them, and the easiest way is to use the 'iptables-persistent' package:

sudo apt-get install iptables-persistent
iptables-save > /etc/iptables/rules

Take a closer look at iptables if needed: https://help.ubuntu.com/community/IptablesHowTo#Saving_iptables and good luck with Jenkins!

And there is a good example of running Jenkins on a subdomain of your server: https://wiki.jenkins-ci.org/display/JENKINS/Running+Hudson+behind+Nginx

answered Nov 15 '22 17:11

makaroni4
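
The layout the answer describes (HTTP basic auth on the whole Jenkins vhost, with the build-trigger URL exempted), as an added nginx example that is not part of the original answer. The hostname and htpasswd path reuse the page's placeholders; `listen 80` and the location regex are assumptions.

```nginx
# Added example, not the answer author's config.
upstream jenkins {
  server 127.0.0.1:8080;   # Jenkins itself; port 8080 is firewalled as in the answer
}

server {
  listen 80;                      # assumption: plain HTTP vhost for the subdomain
  server_name ci.my_domain.com;   # placeholder hostname from the question

  # Set once at server level; both locations inherit these because
  # neither defines its own proxy_set_header.
  proxy_set_header Host $http_host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  # Default: every Jenkins page requires HTTP basic auth.
  location / {
    auth_basic "Restricted";
    auth_basic_user_file /path/.htpasswd;   # placeholder path from the question
    proxy_pass http://jenkins;
    proxy_redirect off;
  }

  # Exception: only the exact build-trigger path of a job, e.g. /job/my_job/build.
  # The regex is anchored at both ends, so /job/my_job/configure and anything
  # below /build still fall through to the protected location above.
  # The query string (?token=...) is not part of location matching.
  location ~ ^/job/[^/]+/build$ {
    auth_basic off;
    proxy_pass http://jenkins;
    proxy_redirect off;
  }
}
```

Run `nginx -t` before reloading, then confirm that a request to `/` returns 401 without credentials while the build URL is passed through.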