How to Secure Jenkins with SSL & Nginx in Docker

Introduction

Jenkins, a popular automation server, is an essential tool for streamlining development workflows. By default, Jenkins operates on port 8080 with its built-in web server, offering simplicity for initial setups. However, relying on this default configuration leaves sensitive data, such as passwords and user interactions, vulnerable to interception. Securing your Jenkins server with SSL is a critical step to ensure data integrity and protect against potential threats.

In this comprehensive guide, you’ll learn how to secure your Jenkins server running on Docker by implementing SSL using Let’s Encrypt and configuring Nginx as a reverse proxy. Additionally, we’ll explore advanced Nginx configurations, such as using subdomains for better organization and restricting Jenkins to listen only locally, which ensures enhanced security.

Prerequisites

To get started, first ensure you have the following prerequisites in place:

  1. Ubuntu 22.04 Server
    • A server running Ubuntu 22.04 with a non-root, sudo-enabled user.
  2. Jenkins Installed
    • Jenkins already running on that server in Docker (this guide manages it with docker-compose).
  3. Registered Domain Name
    • A registered domain name that you own or manage. In this tutorial, we’ll use lcdop.tech as an example.

Step 1: Prepare the Environment

1. Update the System: Update your package index and install Nginx together with Certbot and its Nginx plugin.
sudo apt update
sudo apt install -y nginx certbot python3-certbot-nginx

To use the subdomain jenkins.lcdop.tech for your Jenkins server running on Docker, follow these steps:

2. Configure DNS for jenkins.lcdop.tech
  1. Log in to your domain registrar’s control panel (where lcdop.tech is registered). Here, I am managing the domain with DigitalOcean.
  2. Add a DNS A Record:
    • Host: jenkins
    • Points to: Public IP of your Ubuntu server
    • TTL: Default (e.g., 300 seconds)

This ensures that jenkins.lcdop.tech points to your Ubuntu server’s IP.

Step 2: Configure Nginx as a Reverse Proxy

1. Create an Nginx Server Block:

sudo nano /etc/nginx/sites-available/jenkins

Add the following configuration:

server {
    listen 80;
    server_name your-domain.com;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Replace the server_name value with your subdomain (here it is jenkins.lcdop.tech). The proxy_pass target 127.0.0.1:8080 is the loopback address that Jenkins will be bound to in Step 5, so Nginx becomes the only way in.

2. Enable the Configuration:

sudo ln -s /etc/nginx/sites-available/jenkins /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Step 3: Obtain SSL Certificates with Let’s Encrypt

  1. Run Certbot: Certbot requests a certificate for your subdomain and configures SSL in Nginx automatically.
sudo certbot --nginx -d your-subdomain.com

  2. Verify Auto-Renewal: Test the renewal process to ensure certificates renew automatically:

sudo certbot renew --dry-run

Step 4: Update Nginx Configuration for HTTPS

After running Certbot, the Nginx server block has been rewritten automatically. It should now look like this:

server {
    listen 80;
    server_name your-subdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name your-subdomain.com;

    ssl_certificate /etc/letsencrypt/live/your-subdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-subdomain.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Reload Nginx to apply the changes:

sudo systemctl reload nginx
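As an added check that is not part of the original guide, the following POSIX shell script verifies that a vhost file has the layout described in Steps 2 to 4: a port-80 block that only redirects, a port-443 block with the certificate paths, a proxy_pass to Jenkins on 127.0.0.1:8080, and all four forwarded headers. It also flags the mistake of leaving a proxy_pass inside the port-80 block, which would hand Jenkins logins over plain HTTP. It assumes the file follows this guide's layout; the host name jenkins.example.test and the script name check_vhost.sh are placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): static sanity check for the
# Jenkins vhost built in Steps 2-4. It assumes the layout shown above: one
# port-80 server block that only redirects, one port-443 block that proxies
# to Jenkins on 127.0.0.1:8080 with the four proxy_set_header lines.

# require_directive FILE REGEX LABEL -> 0 if REGEX matches a line in FILE
require_directive() {
  grep -Eq "$2" "$1" && return 0
  echo "MISSING: $3"
  return 1
}

# no_plaintext_proxy FILE -> 0 unless some server block has both "listen 80;"
# and a proxy_pass (that would bypass the HTTPS redirect). Braces are counted
# per line; the check assumes no braces inside strings or comments.
no_plaintext_proxy() {
  awk '
    /listen[ \t]+80;/ { in80 = 1 }
    /proxy_pass/      { pp = 1 }
    {
      opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}")
      depth += opens - closes
      if (closes > 0 && depth == 0) {     # end of a top-level server block
        if (in80 && pp) bad = 1
        in80 = 0; pp = 0
      }
    }
    END { exit bad + 0 }
  ' "$1"
}

# check_jenkins_vhost FILE -> 0 when every expected directive is present
check_jenkins_vhost() {
  f="$1"; rc=0
  require_directive "$f" '^[[:space:]]*listen[[:space:]]+80;' 'listen 80 (HTTP listener for the redirect)' || rc=1
  require_directive "$f" '^[[:space:]]*return[[:space:]]+301[[:space:]]+https://' 'return 301 https://... (HTTP to HTTPS redirect)' || rc=1
  require_directive "$f" '^[[:space:]]*listen[[:space:]]+443[[:space:]]+ssl' 'listen 443 ssl' || rc=1
  require_directive "$f" '^[[:space:]]*ssl_certificate[[:space:]]+' 'ssl_certificate (fullchain.pem)' || rc=1
  require_directive "$f" '^[[:space:]]*ssl_certificate_key[[:space:]]+' 'ssl_certificate_key (privkey.pem)' || rc=1
  require_directive "$f" '^[[:space:]]*proxy_pass[[:space:]]+http://127\.0\.0\.1:8080;' 'proxy_pass http://127.0.0.1:8080 (Jenkins on loopback)' || rc=1
  for h in Host X-Real-IP X-Forwarded-For X-Forwarded-Proto; do
    require_directive "$f" "^[[:space:]]*proxy_set_header[[:space:]]+$h[[:space:]]" "proxy_set_header $h" || rc=1
  done
  if ! no_plaintext_proxy "$f"; then
    echo "BAD: a 'listen 80' server block also contains proxy_pass"
    rc=1
  fi
  return $rc
}

# write_sample_vhost FILE: constructed copy of the post-Certbot config from the
# guide, with jenkins.example.test as a placeholder host name.
write_sample_vhost() {
  cat > "$1" <<'EOF'
server {
    listen 80;
    server_name jenkins.example.test;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name jenkins.example.test;

    ssl_certificate /etc/letsencrypt/live/jenkins.example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jenkins.example.test/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
}

# Usage: sh check_vhost.sh /etc/nginx/sites-available/jenkins
# Run "sudo nginx -t" as well: this script checks layout, not syntax.
if [ -n "${1:-}" ]; then
  check_jenkins_vhost "$1" && echo "OK: $1 has the expected Jenkins vhost layout"
fi
```

The script only reads the file, so it can run before you reload Nginx; a MISSING or BAD line tells you which directive to restore before the reload.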

Step 5: Secure the Jenkins Setup

1. Restrict Access to Jenkins Master: Ensure Jenkins is exposed only locally (via 127.0.0.1) so that all traffic is routed through Nginx. In your docker-compose.yml, bind the published port to the loopback address under the Jenkins service:

ports:
  - "127.0.0.1:8080:8080"   # host side bound to loopback: only Nginx on this server can reach Jenkins

Apply changes:

docker-compose up -d

2. Block Unnecessary Ports: Use UFW to block external access to port 8080:

sudo ufw deny 8080
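To make the loopback binding from this step checkable, here is an added POSIX shell script (not from the original guide) that reads a docker-compose file and reports any published port whose host side is not 127.0.0.1. It assumes the short ports: syntax shown above; the sample compose file it writes, the jenkins/jenkins:lts image in it and the script name check_compose.sh are placeholders, not the guide's own files.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a docker-compose file so
# that every published port is bound to the loopback address, as Step 5
# requires. Assumes the short "ports:" syntax, i.e. list items such as
#   - "127.0.0.1:8080:8080"  (loopback only)   - "8080:8080"  (all interfaces)
# IPv6 loopback ([::1]) is not handled.

# port_binding_is_local MAPPING -> 0 if the host side is a 127.x.x.x address
port_binding_is_local() {
  case "$1" in
    127.*:*:*) return 0 ;;   # e.g. 127.0.0.1:8080:8080
    *)         return 1 ;;   # "8080:8080", "0.0.0.0:8080:8080", bare "8080"
  esac
}

# compose_port_mappings FILE -> prints each short-syntax port mapping, one per
# line. Only list items made of digits, dots, colons, dashes and an optional
# /tcp or /udp qualify; volume mounts and env vars contain other characters.
compose_port_mappings() {
  sed -n 's/^[[:space:]]*-[[:space:]]*//p' "$1" \
    | sed 's/[[:space:]]*#.*$//' \
    | tr -d "\"'" \
    | sed 's/[[:space:]]*$//' \
    | grep -E '^[0-9.:-]+(/(tcp|udp))?$' || true
}

# compose_ports_loopback_only FILE -> 0 when every mapping binds to loopback,
# 1 when at least one would be published on all interfaces
compose_ports_loopback_only() {
  rc=0
  for m in $(compose_port_mappings "$1"); do
    if port_binding_is_local "$m"; then
      echo "ok       $m"
    else
      echo "EXPOSED  $m  (published on every interface; Docker's iptables rules bypass UFW)"
      rc=1
    fi
  done
  return $rc
}

# write_sample_compose FILE MAPPING: constructed compose file for the demo;
# the image name is a placeholder, not the guide's own compose file.
write_sample_compose() {
  cat > "$1" <<EOF
services:
  jenkins:
    image: jenkins/jenkins:lts      # placeholder image
    restart: unless-stopped
    ports:
      - "$2"
    volumes:
      - jenkins_home:/var/jenkins_home
volumes:
  jenkins_home:
EOF
}

# Usage: sh check_compose.sh docker-compose.yml
if [ -n "${1:-}" ]; then
  compose_ports_loopback_only "$1" && echo "OK: all published ports are bound to 127.0.0.1"
fi
```

The loopback binding is the control that actually closes port 8080. Docker publishes ports through iptables rules it inserts ahead of the ones UFW manages, so a mapping written as "8080:8080" stays reachable from outside even after sudo ufw deny 8080; keep the UFW rule as defence in depth, but rely on the 127.0.0.1 binding.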

Step 6: Validate the Setup

  • Test access to Jenkins via HTTPS (https://your-subdomain.com).
  • Confirm that a plain http:// request to the same name is redirected to HTTPS by the port-80 block from Step 4.
  • Confirm that port 8080 is no longer reachable from outside the server, only through the Nginx proxy.

After configuring the subdomain and setting up Nginx as a reverse proxy with SSL, you also need to configure the Jenkins URL in the Jenkins dashboard. This ensures Jenkins generates correct links for builds, webhook triggers, and notifications.

Step 7: Configure Jenkins URL

  1. Log in to Jenkins Dashboard
    • Navigate to https://jenkins.lcdop.tech in your browser.
    • Log in using your admin credentials.
  2. Go to Jenkins Configuration
    • Click on “Manage Jenkins” in the left-hand menu.
    • Select “Configure System” from the list.
  3. Update Jenkins URL
    • Scroll down to the “Jenkins Location” section.
    • In the Jenkins URL field, enter:

https://jenkins.lcdop.tech

  4. Save Configuration
    • Scroll to the bottom of the page and click “Save”.
  5. Verify the URL
    • Ensure the Jenkins URL is now displayed correctly in links (e.g., build notifications, webhook URLs, etc.).

Why This Step is Important:

  • Correct URLs in Notifications: Jenkins uses the configured URL for sending links in email notifications and webhook triggers for SCM systems like GitHub/GitLab.
  • Webhooks and API Integrations: Tools like GitHub Webhooks, Slack, or Jira rely on the proper Jenkins URL to communicate with Jenkins.
  • Avoid Redirect Issues: If the Jenkins URL isn’t set correctly, users accessing the server might encounter inconsistent links or redirects.

Suggestion for Nginx Optimization

Simplify the HTTP Redirect Block: Instead of using an if directive to detect plain-HTTP requests, you can return the redirect directly inside the port-80 server block:

server {
    listen 80;
    server_name jenkins.lcdop.tech;
    return 301 https://jenkins.lcdop.tech$request_uri;
}

Conclusion

Securing your Jenkins server with SSL, Nginx, and Let’s Encrypt is a crucial step for protecting sensitive data and improving your CI/CD pipeline’s security.

By following this guide, you’ve successfully set up a secure and efficient environment. Consequently, you can now focus on streamlining development workflows. If this guide was helpful, please feel free to share it with others.
