{"id":1266,"date":"2012-10-10T22:03:47","date_gmt":"2012-10-11T02:03:47","guid":{"rendered":"https:\/\/lowtek.ca\/roo\/?p=1266"},"modified":"2012-10-10T22:03:47","modified_gmt":"2012-10-11T02:03:47","slug":"how-to-jenkins-with-apache-controlled-authentication","status":"publish","type":"post","link":"https:\/\/lowtek.ca\/roo\/2012\/how-to-jenkins-with-apache-controlled-authentication\/","title":{"rendered":"How To: Jenkins with Apache controlled authentication"},"content":{"rendered":"<p><a href=\"https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2012\/10\/500px-Jenkins_logo_with_title.svg_.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1267\" title=\"500px-Jenkins_logo_with_title.svg\" src=\"https:\/\/lowtek.ca\/roo\/wp-content\/uploads\/2012\/10\/500px-Jenkins_logo_with_title.svg_.png\" alt=\"\" width=\"500\" height=\"161\" \/><\/a><\/p>\n<p>For a change of pace, I was working with <a href=\"http:\/\/www.redhat.com\/promo\/Red_Hat_Enterprise_Linux6\/\">RHEL6<\/a> instead of <a href=\"http:\/\/www.ubuntu.com\/\">Ubuntu<\/a> and setting up a <a href=\"http:\/\/jenkins-ci.org\/\">Jenkins CI<\/a> server. I&#8217;ve used <a href=\"http:\/\/en.wikipedia.org\/wiki\/Hudson_(software)\">Jenkins aka Hudson<\/a> previously, but this was my first time setting it up.<\/p>\n<p>A lot of this is straight from the <a href=\"https:\/\/wiki.jenkins-ci.org\/display\/JENKINS\/Running+Jenkins+behind+Apache\">Jenkins wiki<\/a>, which is detailed and helpful but at times cryptic. The default access mode of Jenkins is pretty much wide open. This is very handy for getting things done &#8211; but probably not what you want if there is a mix of people on the network, many of whom you really don&#8217;t want to let do stuff like launch\/configure your builds. 
As I had <a href=\"http:\/\/httpd.apache.org\/\">Apache<\/a> already running and setting up authentication with Apache is relatively straightforward, I figured the easy solution would be to hide Jenkins behind Apache.<\/p>\n<p>Since Jenkins is a big wad of Java code that is offering up a web interface, we&#8217;ve effectively got two web servers running: Apache, and Jenkins (different ports). The solution we&#8217;ll use is a proxy on the Apache side and some firewall rules to prevent direct access to Jenkins, forcing people through the proxy and thus the authentication controlled by Apache.<\/p>\n<p>Let&#8217;s start by checking to see if mod_proxy is enabled. This is simply a matter of verifying that <code>\/etc\/httpd\/conf\/httpd.conf<\/code> has these two lines:<\/p>\n<p><code>LoadModule proxy_module modules\/mod_proxy.so<br \/>\nLoadModule proxy_http_module modules\/mod_proxy_http.so<\/code><\/p>\n<p>In my case it was enabled, so no work was needed. Now we modify <code>\/etc\/sysconfig\/jenkins<\/code>: at the end of the file we need to add some args to set the path we want our Jenkins instance to be hosted at:<\/p>\n<p><code>JENKINS_ARGS=\"--prefix=\/jenkins\" <\/code><\/p>\n<p>Restart Jenkins (<code>service jenkins restart<\/code>) to have the changes picked up. You can test to see if it&#8217;s working at <code>localhost:8080\/jenkins<\/code>. 
I tried, and failed, to have this work for a nested path (i.e. \/path\/to\/jenkins); I suspect this is a Jenkins limitation but didn&#8217;t chase down the actual reason.<\/p>\n<p>Next, let&#8217;s create an Apache configuration file at <code>\/etc\/httpd\/conf.d\/jenkins_proxy.conf<\/code> with the following contents:<\/p>\n<p><code>ProxyPass \/jenkins http:\/\/localhost:8080\/jenkins<br \/>\nProxyPassReverse \/jenkins http:\/\/localhost:8080\/jenkins<br \/>\nProxyRequests Off <\/code><\/p>\n<p><code># Local reverse proxy authorization override<br \/>\n# Most Unix distributions deny proxy by default (e.g. \/etc\/apache2\/mods-enabled\/proxy.conf in Ubuntu)<br \/>\n&lt;Proxy http:\/\/localhost:8080\/jenkins*&gt;<br \/>\nOrder deny,allow<br \/>\nAllow from all<br \/>\n&lt;\/Proxy&gt;<\/code><\/p>\n<p>We need to restart the web server (<code>service httpd restart<\/code>) to have these changes picked up. As this is RHEL6 and it is running with <a href=\"http:\/\/en.wikipedia.org\/wiki\/Security-Enhanced_Linux\">SELinux<\/a> enabled, we also need to allow httpd (Apache) to make proxy connections:<\/p>\n<p><code># setsebool -P httpd_can_network_connect true<\/code><\/p>\n<p>At this point you should be able to visit http:\/\/yoursite.com\/jenkins and see that our proxy configuration is working. This is cool, but people can still talk to Jenkins directly via http:\/\/yoursite.com:8080\/jenkins, which bypasses Apache.<\/p>\n<p>We&#8217;ll be using <a href=\"http:\/\/en.wikipedia.org\/wiki\/Iptables\">iptables<\/a> to close off that direct route. 
As you can see, my system was running iptables, but everything was permitted.<\/p>\n<p><code># iptables -L<br \/>\nChain INPUT (policy ACCEPT)<br \/>\ntarget prot opt source destination<br \/>\nACCEPT all -- anywhere anywhere<br \/>\n<\/code><br \/>\n<code>Chain FORWARD (policy ACCEPT)<br \/>\ntarget prot opt source destination<\/code><\/p>\n<p><code>Chain OUTPUT (policy ACCEPT)<br \/>\ntarget prot opt source destination<\/code><\/p>\n<p>Use <code>ifconfig<\/code> to figure out which network interface external packets will arrive on; in my case it was <code>eth6<\/code>. So we can simply instruct iptables to drop packets destined for port 8080 that arrive on that interface, allowing only internal traffic (i.e. the proxy) to pass.<\/p>\n<p><code># iptables -A INPUT -p tcp -i eth6 --dport 8080 -j DROP<\/code><\/p>\n<p>That&#8217;s it; now users are forced to come in the correct front door (Apache). To make the iptables change permanent:<\/p>\n<p><code># service iptables save<\/code><\/p>\n<p>So now the Apache web server is seeing traffic to Jenkins and can perform authentication. This is <a href=\"http:\/\/stackoverflow.com\/questions\/724599\/setting-up-an-apache-proxy-with-authentication\">simple enough to add<\/a> to the Apache configuration file we created that defined the proxy (<code>\/etc\/httpd\/conf.d\/jenkins_proxy.conf<\/code>) &#8211; I&#8217;ll leave that one up to the reader to sort out.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For a change of pace, I was working with RHEL6 instead of Ubuntu and setting up a Jenkins CI server. I&#8217;ve used Jenkins aka Hudson previously, but this was my first time setting it up. A lot of this is straight from the Jenkins wiki, which is detailed and helpful but at times cryptic. 
The &hellip; <a href=\"https:\/\/lowtek.ca\/roo\/2012\/how-to-jenkins-with-apache-controlled-authentication\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;How To: Jenkins with Apache controlled authentication&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,12],"tags":[],"class_list":["post-1266","post","type-post","status-publish","format-standard","hentry","category-computing","category-how-to"],"_links":{"self":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1266","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/comments?post=1266"}],"version-history":[{"count":4,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1266\/revisions"}],"predecessor-version":[{"id":1271,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/posts\/1266\/revisions\/1271"}],"wp:attachment":[{"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/media?parent=1266"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/categories?post=1266"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lowtek.ca\/roo\/wp-json\/wp\/v2\/tags?post=1266"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}