Jenkins fix security issues #178

wants to merge 2 commits into
base: master
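--- a/jenkins-22-04/files/etc/nginx/sites-available/default
+++ b/jenkins-22-04/files/etc/nginx/sites-available/default
@@ -0,0 +1,71 @@
+upstream jenkins {
+keepalive 32; # keepalive connections
+server 127.0.0.1:8080; # jenkins ip and port
+}
+
+# Required for Jenkins websocket agents
+map $http_upgrade $connection_upgrade {
+default upgrade;
+'' close;
+}
+
+server {
+listen 80; # Listen on port 80 for IPv4 requests
+
+#server_name jenkins.example.com; # replace 'jenkins.example.com' with your server domain name
+
+# this is the jenkins web root directory
+# (mentioned in the output of "systemctl cat jenkins")
+root /var/run/jenkins/war/;
+
+access_log /var/log/nginx/jenkins.access.log;
+error_log /var/log/nginx/jenkins.error.log;
+
+# pass through headers from Jenkins that Nginx considers invalid
+ignore_invalid_headers off;
+
+location ~ "^/static/[0-9a-fA-F]{8}\/(.*)$" {
+# rewrite all static files into requests to the root
+# E.g /static/12345678/css/something.css will become /css/something.css
+rewrite "^/static/[0-9a-fA-F]{8}\/(.*)" /$1 last;
+}
+
+location /userContent {
+# have nginx handle all the static requests to userContent folder
+# note : This is the $JENKINS_HOME dir
+root /var/lib/jenkins/;
+if (!-f $request_filename){
+# this file does not exist, might be a directory or a /**view** url
+rewrite (.*) /$1 last;
+break;
+}
+sendfile on;
+}
+
+location / {
+sendfile off;
+proxy_pass http://jenkins;
+proxy_redirect default;
+proxy_http_version 1.1;
+
+# Required for Jenkins websocket agents
+proxy_set_header Connection $connection_upgrade;
+proxy_set_header Upgrade $http_upgrade;
+
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_max_temp_file_size 0;
+
+#this is the maximum upload size
+client_max_body_size 10m;
+client_body_buffer_size 128k;
+
+proxy_connect_timeout 90;
+proxy_send_timeout 90;
+proxy_read_timeout 90;
+proxy_request_buffering off; # Required for HTTP CLI commands
+}
+
+}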
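Review bot: The server block's only listener is `listen 80;`, so credentials, session cookies and CSRF crumbs cross the network in clear text and `proxy_set_header X-Forwarded-Proto $scheme;` will always report http to Jenkins, while the new 012-jenkins.sh in this PR opens https in ufw for a port this file never serves. Either add a `listen 443 ssl;` server with certificate paths and redirect port 80 to it, or state in a comment at the top of the file that TLS is expected to be terminated in front of this host. A smaller point: `keepalive 32;` in the upstream appears to be defeated by the `map`, which makes nginx send `Connection: close` upstream on every non-WebSocket request, so pooled connections are never reused. The `location /userContent` block also deserves a comment saying that files under `/var/lib/jenkins/userContent` are served by nginx straight from disk without Jenkins' own permission checks, so anything placed there is readable by anyone who can reach port 80.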
10 changes: 0 additions & 10 deletions jenkins-22-04/files/var/lib/cloud/scripts/per-instance/001_onboot
@@ -1,15 +1,5 @@
#!/bin/sh

sudo wget -O /usr/share/keyrings/jenkins-keyring.asc \
https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \
https://pkg.jenkins.io/debian-stable binary/ | sudo tee \
/etc/apt/sources.list.d/jenkins.list > /dev/null

apt -qqy update

DEBIAN_FRONTEND=noninteractive apt -qqy -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' install jenkins

# Remove the ssh force logout command
sed -e '/Match User root/d' \
-e '/.*ForceCommand.*droplet.*/d' \
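--- a/jenkins-22-04/scripts/012-jenkins.sh
+++ b/jenkins-22-04/scripts/012-jenkins.sh
@@ -0,0 +1,14 @@
+sudo wget -O /usr/share/keyrings/jenkins-keyring.asc \
+https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
+echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \
+https://pkg.jenkins.io/debian-stable binary/ | sudo tee \
+/etc/apt/sources.list.d/jenkins.list > /dev/null
+
+apt -qqy update
+
+DEBIAN_FRONTEND=noninteractive apt -qqy -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' install jenkins
+
+ufw allow http
+ufw allow https
+ufw limit ssh
+ufw --force enable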
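Review bot: The script has no shebang and no `set -e`, so if the keyring download or `apt ... install jenkins` fails the remaining lines still run and the provisioner reports success from `ufw --force enable`, leaving an image with the firewall enabled but Jenkins missing or installed from an unverified source list. Add `#!/bin/bash` and `set -euo pipefail` as the first two lines so the build stops at the first failing step. `sudo` is used on the wget and tee calls but not on apt or ufw, which only works if Packer already runs the script as root (its execute_command is not in this PR); use it consistently or drop it. `ufw allow https` opens 443 although the nginx config added in this PR only listens on 80, so either add a TLS listener or leave the rule out until one exists.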
8 changes: 7 additions & 1 deletion jenkins-22-04/template.json
Expand Up @@ -3,7 +3,7 @@
"variables": {
"do_api_token": "{{env `DIGITALOCEAN_API_TOKEN`}}",
"image_name": "jenkins-22-04-snapshot-{{timestamp}}",
"apt_packages": "openjdk-11-jdk net-tools",
"apt_packages": "openjdk-11-jdk net-tools nginx",
"application_name": "Jenkins",
"application_version": "2.445"
},
Expand Down Expand Up @@ -36,6 +36,11 @@
"source": "jenkins-22-04/files/var/",
"destination": "/var/"
},
{
"type": "file",
"source": "jenkins-22-04/files/etc/",
"destination": "/etc/"
},
{
"type": "shell",
"environment_vars": [
Expand Down Expand Up @@ -64,6 +69,7 @@
],
"scripts": [
"common/scripts/018-force-ssh-logout.sh",
"jenkins-22-04/scripts/012-jenkins.sh",
"common/scripts/020-application-tag.sh",
"common/scripts/900-cleanup.sh"
]
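Review bot: `"jenkins-22-04/scripts/012-jenkins.sh"` is inserted after `"common/scripts/018-force-ssh-logout.sh"`, and since Packer runs the `scripts` list in order the `012` prefix now misstates when it runs; either move it before the 018 entry or rename it to match its position. The `apt_packages` variable now includes nginx, while the file provisioner earlier in the same build copies `jenkins-22-04/files/etc/` onto `/etc/`; if the package is installed after that copy, dpkg's conffile handling for the pre-existing `sites-available/default` decides which configuration wins, which is worth a one-line comment or a check in 012-jenkins.sh. The shell provisioner's execute_command is outside this hunk, so whether the new script runs as root is not visible here.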