Jenkins and SSL

Updated on 23 Sep 2020

There might be a situation where you want to access Jenkins through SSL, or where the browser keeps pushing you to SSL.

Install and load the necessary Apache modules

Several Apache modules need to be enabled.

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod headers

Once they have been enabled, we need to restart Apache.

sudo systemctl restart apache2

Modify /etc/apache2/sites-available/default-ssl.conf

Towards the end of the <VirtualHost _default_:443> block, add the following lines.

ProxyRequests     Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode

# if I have :8080/jenkins/ (forward slash after jenkins) then I get a 403 error
# about not valid breadcrumb.
ProxyPass         /jenkins http://localhost:8080/jenkins nocanon
ProxyPassReverse /jenkins http://localhost:8080/jenkins

# tighten TLS config via https://mozilla.github.io/server-side-tls/ssl-config-generator/
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"

Be careful not to add trailing spaces, otherwise you’ll get the errors described above.

This means that when you navigate to https://servername/jenkins, Apache forwards the request to http://localhost:8080/jenkins, where it is picked up by the Jenkins service.

Important: for this to work, the prefix must be the same on Apache and Jenkins, i.e.:

  • ProxyPass /jenkins http://localhost:8080/jenkins (works)
  • ProxyPass /jenkins http://localhost:8080 (will not work)
  • ProxyPass / http://localhost:8080/jenkins (will not work)
  • ProxyPass / http://localhost:8080 (works)

Modify /etc/default/jenkins

Since we are using the jenkins prefix, we must add it to the Jenkins configuration file.

The default Jenkins setup already has this predefined in the file:

NAME=jenkins

...

PREFIX=/$NAME

All we need to do is add the prefix to JENKINS_ARGS as shown below.

JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --prefix=$PREFIX"

Restart the services

Changes to Jenkins and Apache2 require both services to be restarted.

sudo systemctl restart jenkins
sudo systemctl restart apache2

Testing

Now we can navigate to the following URL:

https://servername/jenkins

And we will see that we can access Jenkins via SSL.

Creating SSL certificates

You can check my Apache notes on how to set up SSL certificates.