Surya.dev
Configure Nginx Reverse Proxy Jenkins

Hello everyone, in this blog I will configure Nginx as a reverse proxy for Jenkins, continuing from the previous blog, Running Jenkins in Docker and VM.

Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. — Wikipedia 1

In this tutorial, you will configure Nginx as a reverse proxy to direct client requests to Jenkins.

Update Package Repository and Upgrade Packages

$ sudo apt update
$ sudo apt upgrade

Installing Nginx

$ sudo apt install nginx

We can use systemctl to confirm that the service is running:

$ systemctl status nginx

# Output should look similar to the below
root@iZt4nir2b2o938u2m5xms1Z:~# systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2024-01-15 02:58:40 CST; 7s ago
       Docs: man:nginx(8)
   Main PID: 22255 (nginx)
      Tasks: 3 (limit: 4631)
     Memory: 6.3M
     CGroup: /system.slice/nginx.service
             ├─22255 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
             ├─22257 nginx: worker process
             └─22258 nginx: worker process

Jan 15 02:58:40 iZt4nir2b2o938u2m5xms1Z systemd[1]: Starting A high performance web server and a reverse proxy server...
Jan 15 02:58:40 iZt4nir2b2o938u2m5xms1Z systemd[1]: Started A high performance web server and a reverse proxy server.

You can check that the web server is running by opening the following address in a browser:

http://your_ip_address

Confirming Nginx’s Configuration

Certbot needs to be able to find the correct server block in your Nginx configuration for it to be able to automatically configure SSL. Specifically, it does this by looking for a server_name directive that matches the domain you request a certificate for.

sudo vi /etc/nginx/sites-available/dev.srya.me
#OR
sudo nano /etc/nginx/sites-available/dev.srya.me

Paste in the following configuration block, which proxies requests for our domain name to Jenkins:

# Jenkins backend, reached over the loopback interface.
upstream jenkins {
    server 127.0.0.1:8080;
}

server {
    listen      80;
    server_name dev.srya.me;

    access_log  /var/log/nginx/jenkins.access.log;
    error_log   /var/log/nginx/jenkins.error.log;

    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location / {
        proxy_pass  http://jenkins;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;

        # Pass the original host, client address and scheme on to Jenkins.
        proxy_set_header    Host            $host;
        proxy_set_header    X-Real-IP       $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme reports the protocol the client really used (http on this
        # port-80 listener, https once TLS is enabled) instead of always https.
        proxy_set_header    X-Forwarded-Proto $scheme;
    }
}
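
The upstream above points at 127.0.0.1:8080, so the proxy (and later TLS) only protects Jenkins if port 8080 is not also reachable from other hosts. The following check is an added example, not part of the original post; the function names are hypothetical and the ss lines are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): flag listeners on a port that
# are bound to anything other than loopback.
# Usage on a live host: ss -ltnH | exposed_listeners 8080

exposed_listeners() {
    awk -v port="$1" '{
        addr = $4                          # Local Address:Port column of ss
        n = split(addr, parts, ":")
        if (parts[n] != port) next         # different port
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        if (host ~ /^127\./ || host == "[::1]" || host ~ /^\[::ffff:127\./) next
        print addr                         # reachable from other hosts
    }'
}

# Constructed ss -ltnH lines: Jenkins published on all interfaces (as a
# container port mapping such as "docker -p 8080:8080" does by default)
# next to unrelated listeners.
demo_exposed() {
    exposed_listeners 8080 <<'EOF'
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      4096         0.0.0.0:8080       0.0.0.0:*
LISTEN 0      4096            [::]:8080          [::]:*
LISTEN 0      50         127.0.0.1:18080      0.0.0.0:*
EOF
}

# Constructed ss -ltnH lines: Jenkins bound to loopback only.
demo_loopback_only() {
    exposed_listeners 8080 <<'EOF'
LISTEN 0      50         127.0.0.1:8080       0.0.0.0:*
LISTEN 0      50             [::1]:8080          [::]:*
EOF
}

demo_exposed         # prints 0.0.0.0:8080 and [::]:8080
demo_loopback_only   # prints nothing
```

Any line it prints is a listener that lets clients reach Jenkins without going through Nginx.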

Enable the Jenkins Server Block:

Next, let’s enable the file by creating a link from it to the sites-enabled directory, which Nginx reads from during startup:

$ sudo ln -s /etc/nginx/sites-available/dev.srya.me /etc/nginx/sites-enabled/

Test Nginx Configuration:

  1. Before restarting Nginx, it's a good idea to test the configuration to make sure there are no syntax errors:
$ sudo nginx -t

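# If the test is successful, you should see output like the following.
# The [warn] line means another enabled server block also declares
# dev.srya.me, and Nginx ignores one of the two: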
root@iZt4nir2b2o938u2m5xms1Z:/etc/nginx/sites-available# sudo nginx -t
nginx: [warn] conflicting server name "dev.srya.me" on 0.0.0.0:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
  2. Restart Nginx to apply the changes:
$ sudo systemctl restart nginx
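
The [warn] conflicting server name line in the test output above means two enabled server blocks declare dev.srya.me, so Nginx ignores one of them and Certbot may pick a different block than the one you edited. The following is an added example, not part of the original post, that lists names declared in more than one file of a sites-enabled style directory; the function names are hypothetical, the sample files are constructed, and it ignores listen ports and include directives.

```shell
#!/bin/sh
# Added example (not from the original post): report server_name values that
# appear in more than one file of an nginx sites-enabled style directory.
# Usage on a live host: dup_server_names /etc/nginx/sites-enabled

dup_server_names() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Drop comments, split the file into ';'-terminated directives, and
        # print "<name> <file>" for every argument of a server_name directive.
        sed 's/#.*//' "$f" | tr '\n' ' ' | tr ';' '\n' |
        awk -v file="$(basename "$f")" '{
            for (i = 1; i <= NF; i++)
                if ($i == "server_name")
                    for (j = i + 1; j <= NF; j++) print $j, file
        }'
    done | sort -u | awk '
        { files[$1] = files[$1] " " $2; count[$1]++ }
        END { for (n in count) if (count[n] > 1) print n ":" files[n] }
    ' | sort
}

# Constructed sample: a default site that also claims the domain used by the
# Jenkins server block, plus an unrelated site with its own names.
demo() {
    d=$(mktemp -d)
    printf 'server {\n listen 80 default_server;\n server_name dev.srya.me; # edited\n}\n' > "$d/default"
    printf 'server {\n listen 80;\n server_name dev.srya.me;\n location / { proxy_pass http://jenkins; }\n}\n' > "$d/dev.srya.me"
    printf 'server { listen 80; server_name example.test www.example.test; }\n' > "$d/other"
    dup_server_names "$d"
    rm -rf "$d"
}

demo   # prints: dev.srya.me: default dev.srya.me
```

An empty result means each name is declared in only one file; otherwise remove the name from all but the block that should serve it, then rerun nginx -t.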

Configure Jenkins with TLS

The first step to using Let’s Encrypt to obtain an SSL certificate is to install the Certbot software on your server.

sudo apt install certbot python3-certbot-nginx

Obtaining an SSL Certificate

Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, type the following:

$ sudo certbot --nginx -d dev.srya.me

#OUTPUT
root@iZt4nir2b2o938u2m5xms1Z:~# sudo certbot --nginx -d dev.srya.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): suryaharahap18@gmail.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dev.srya.me
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://dev.srya.me

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=dev.srya.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/dev.srya.me/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/dev.srya.me/privkey.pem
   Your cert will expire on 2024-04-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

If that’s successful, certbot will ask how you’d like to configure your HTTPS settings, as shown in the output above.

Select your choice then hit ENTER. The configuration will be updated, and Nginx will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored.

Verifying Certbot Auto-Renewal

Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a systemd timer that will run twice a day and automatically renew any certificate that’s within thirty days of expiration.

You can query the status of the timer with systemctl:

$ sudo systemctl status certbot.timer

# OUTPUT
root@iZt4nir2b2o938u2m5xms1Z:~# sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: >
     Active: active (waiting) since Mon 2024-01-15 10:14:39 CST; 3h 52min ago
    Trigger: Mon 2024-01-15 14:46:36 CST; 39min left
   Triggers: ● certbot.service

Jan 15 10:14:39 iZt4nir2b2o938u2m5xms1Z systemd[1]: Started Run certbot twice da>

To test the renewal process, you can do a dry run with certbot:

$ sudo certbot renew --dry-run

Footnotes

  1. The above quote is excerpted from Wikipedia, Jan 15, 2024.