介绍 (Introduction)

By default, Jenkins comes with its own built-in Winstone web server listening on port 8080, which is convenient for getting started. It’s also a good idea, however, to secure Jenkins with SSL to protect passwords and sensitive data transmitted through the web interface.

默认情况下， Jenkins带有自己的内置Winstone Web服务器，该服务器在端口8080上侦听，这对于入门非常方便。 但是，用SSL保护Jenkins来保护通过Web界面传输的密码和敏感数据也是一个好主意。

In this tutorial, you will configure Nginx as a reverse proxy to direct client requests to Jenkins.

在本教程中，您将Nginx配置为反向代理，以将客户端请求定向到Jenkins。

先决条件 (Prerequisites)

To begin, you’ll need the following:

首先，您需要满足以下条件：

• One Ubuntu 20.04 server configured with a non-root sudo-enabled user and firewall, following the Ubuntu 20.04 initial server setup guide.

  遵循Ubuntu 20.04初始服务器设置指南 ，配置了一个配置了非root用户且启用了sudo的Ubuntu 20.04服务器和防火墙。

• Jenkins installed, following the steps in How to Install Jenkins on Ubuntu 20.04

  按照如何在Ubuntu 20.04上安装Jenkins中的步骤安装Jenkins

• Nginx installed, following the steps in How to Install Nginx on Ubuntu 20.04

  按照如何在Ubuntu 20.04上安装Nginx中的步骤安装Nginx

• An SSL certificate for a domain provided by Let’s Encrypt. Follow How to Secure Nginx with Let’s Encrypt on Ubuntu 20.04 to obtain this certificate. Note that you will need a registered domain name that you own or control. This tutorial will use the domain name example.com throughout.

  Let's Encrypt提供的域的SSL证书。 在Ubuntu 20.04上通过如何使用Let's Encrypt来保护Nginx的安全性来获取此证书。 请注意，您将需要拥有或控制的注册域名 。 本教程将始终使用域名example.com 。

第1步-配置Nginx (Step 1 — Configuring Nginx)

In the prerequisite tutorial How to Secure Nginx with Let’s Encrypt on Ubuntu 20.04, you configured Nginx to use SSL in the /etc/nginx/sites-available/example.com file. Open this file to add your reverse proxy settings:

在必备教程“ 如何在Ubuntu 20.04上使用Let's Encrypt保护Nginx”中 ，您将Nginx配置为在/etc/nginx/sites-available/ example.com文件中使用SSL。 打开此文件以添加反向代理设置：

In the server block with the SSL configuration settings, add Jenkins-specific access and error logs:

在具有SSL配置设置的server块中，添加特定于Jenkins的访问和错误日​​志：

. . . 
server {
        . . .
        # SSL Configuration
        #
        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        access_log            /var/log/nginx/jenkins.access.log;
        error_log             /var/log/nginx/jenkins.error.log;
        . . .
        }

Next let’s configure the proxy settings. Since we’re sending all requests to Jenkins, we’ll comment out the default try_files line, which would otherwise return a 404 error before the request reaches Jenkins:

接下来，我们配置代理设置。 由于我们将所有请求发送到Jenkins，因此我们将注释掉默认的try_files行，否则它将在请求到达Jenkins之前返回404错误：

. . .
           location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                # try_files $uri $uri/ =404;        }
. . .

Let’s now add the proxy settings, which include:

现在添加代理设置，其中包括：

• proxy_params: The /etc/nginx/proxy_params file is supplied by Nginx and ensures that important information, including the hostname, the protocol of the client request, and the client IP address, is retained and available in the log files.

  proxy_params ： /etc/nginx/proxy_params文件由Nginx提供，并确保重要信息(包括主机名，客户端请求的协议和客户端IP地址)得以保留并在日志文件中可用。

• proxy_pass: This sets the protocol and address of the proxied server, which in this case will be the Jenkins server accessed via localhost on port 8080.

  proxy_pass ：设置代理服务器的协议和地址，在本例中为将通过端口8080上的localhost访问的Jenkins服务器。

• proxy_read_timeout: This enables an increase from Nginx’s 60 second default to the Jenkins-recommended 90 second value.

  proxy_read_timeout ：这可以将Nginx的默认60秒值增加到Jenkins建议的90秒值。

• proxy_redirect: This ensures that responses are correctly rewritten to include the proper host name.

  proxy_redirect ：这可以确保正确重写响应以包括正确的主机名。

Be sure to substitute your SSL-secured domain name for example.com in the proxy_redirect line below:

确保在下面的proxy_redirect行proxy_redirect SSL保护的域名替换为example.com ：

Location /  
. . .
           location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                # try_files $uri $uri/ =404;
                include /etc/nginx/proxy_params;
                proxy_pass          http://localhost:8080;
                proxy_read_timeout  90s;
                # Fix potential "It appears that your reverse proxy setup is broken" error.
                proxy_redirect      http://localhost:8080 https://example.com;

Once you’ve made these changes, save the file and exit the editor. We’ll hold off on restarting Nginx until after we’ve configured Jenkins, but we can test our configuration now:

进行这些更改后，保存文件并退出编辑器。 在配置完Jenkins之后，我们将推迟重新启动Nginx，但是现在我们可以测试配置了：

If all is well, the command will return:

如果一切正常，命令将返回：

   

    Output
   
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If not, fix any reported errors until the test passes.

如果不是，请修复所有报告的错误，直到测试通过。

Note: If you misconfigure the proxy_pass (by adding a trailing slash, for example), you will get something similar to the following in your Jenkins Configuration page.

注意：如果您错误地配置了proxy_pass (例如，通过添加斜杠)，您将在Jenkins Configuration页面中获得类似于以下内容的内容。

If you see this error, double-check your proxy_pass and proxy_redirect settings in the Nginx configuration.

如果看到此错误，请仔细检查Nginx配置中的proxy_pass和proxy_redirect设置。

第2步-配置詹金斯 (Step 2 — Configuring Jenkins)

For Jenkins to work with Nginx, you will need to update the Jenkins configuration so that the Jenkins server listens only on the localhost interface rather than on all interfaces (0.0.0.0). If Jenkins listens on all interfaces, it’s potentially accessible on its original, unencrypted port (8080).

为了让Jenkins与Nginx一起使用，您需要更新Jenkins配置，以便Jenkins服务器仅在localhost接口上侦听，而不在所有接口( 0.0.0.0 )上侦听。 如果Jenkins侦听所有接口，则可能可以通过其原始的未加密端口( 8080 )访问它。

Let’s modify the /etc/default/jenkins configuration file to make these adjustments:

让我们修改/etc/default/jenkins配置文件以进行以下调整：

Locate the JENKINS_ARGS line and add --httpListenAddress=127.0.0.1 to the existing arguments:

找到JENKINS_ARGS行，并将--httpListenAddress=127.0.0.1添加到现有参数：

. . .
JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --httpListenAddress=127.0.0.1"

Save and exit the file.

保存并退出文件。

To use the new configuration settings, restart Jenkins:

要使用新的配置设置，请重新启动Jenkins：

Since systemctl doesn’t display output, check the status:

由于systemctl不显示输出，因此请检查状态：

You should see the active (exited) status in the Active line:

您应该在Active行中看到active (exited)状态：

   

    Output
   
● jenkins.service - LSB: Start Jenkins at boot time
   Loaded: loaded (/etc/init.d/jenkins; generated)
   Active: active (exited) since Mon 2018-07-09 20:26:25 UTC; 11s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 29766 ExecStop=/etc/init.d/jenkins stop (code=exited, status=0/SUCCESS)
  Process: 29812 ExecStart=/etc/init.d/jenkins start (code=exited, status=0/SUCCESS)

Restart Nginx:

重新启动Nginx：

Check the status:

检查状态：

   

    Output
   
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-07-09 20:27:23 UTC; 31s ago
     Docs: man:nginx(8)
  Process: 29951 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
  Process: 29963 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 29952 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 29967 (nginx)

With both servers restarted, you should be able to visit the domain using either HTTP or HTTPS. HTTP requests will be redirected automatically to HTTPS, and the Jenkins site will be served securely.

重启两台服务器后，您应该能够使用HTTP或HTTPS访问域。 HTTP请求将自动重定向到HTTPS，并且Jenkins站点将得到安全服务。

步骤3 —测试配置 (Step 3 — Testing the Configuration)

Now that you have enabled encryption, you can test the configuration by resetting the administrative password. Let’s start by visiting the site via HTTP to verify that you can reach Jenkins and are redirected to HTTPS.

现在您已启用加密，您可以通过重置管理密码来测试配置。 让我们首先通过HTTP访问该站点，以验证您可以访问Jenkins并重定向到HTTPS。

In your web browser, enter http://example.com, substituting your domain for example.com. After you press ENTER, the URL should start with https and the location bar should indicate that the connection is secure.

在您的Web浏览器中，输入http:// example.com ，将您的域替换为example.com 。 在按ENTER ，URL应该以https开头，并且位置栏应指示该连接是安全的。

You can enter the administrative username you created in How To Install Jenkins on Ubuntu 20.04 in the User field, and the password that you selected in the Password field.

您可以在“ 用户”字段中输入在“ 如何在Ubuntu 20.04上安装Jenkins”中创建的管理用户名，以及在“ 密码”字段中选择的密码 。

Once logged in, you can change the password to be sure it’s secure.

登录后，您可以更改密码以确保密码安全。

Click on your username in the upper-right-hand corner of the screen. On the main profile page, select Configure from the list on the left side of the page:

点击屏幕右上角的用户名。 在主配置文件页面上，从页面左侧的列表中选择配置 ：

This will take you to a new page, where you can enter and confirm a new password:

这将带您进入新页面，您可以在其中输入并确认新密码：

Confirm the new password by clicking Save. You can now use the Jenkins web interface securely.

单击保存确认新密码。 现在，您可以安全地使用Jenkins Web界面。

结论 (Conclusion)

In this tutorial, you configured Nginx as a reverse proxy to Jenkins’ built-in web server to secure your credentials and other information transmitted via the web interface. Now that Jenkins is secure, you can learn how to set up a continuous integration pipeline to automatically test code changes. Other resources to consider if you are new to Jenkins are the Jenkins project’s “Creating your first Pipeline” tutorial or the library of community-contributed plugins.

在本教程中，您将Nginx配置为Jenkins内置Web服务器的反向代理，以保护您的凭据和通过Web界面传输的其他信息。 既然Jenkins已经安全了，您就可以学习如何建立持续集成管道以自动测试代码更改。 如果您不熟悉Jenkins，还可以考虑其他资源， 例如Jenkins项目的“创建您的第一个管道”教程或社区贡献的插件库 。

翻译自: https://www.digitalocean.com/community/tutorials/how-to-configure-jenkins-with-ssl-using-an-nginx-reverse-proxy-on-ubuntu-20-04