How to use Jenkins with SSL / https

Solution 1:

Just in case you're using Nginx and not Apache, you might want to use proxy_redirect http:// https://; to rewrite the Location header as the response comes back from Jenkins.

A complete nginx setup where SSL is terminated with Nginx and proxied internally to Jenkins using 8080 might look like this:

upstream jenkins {
  server 127.0.0.1:8080 fail_timeout=0;
}

server {
  listen 80 default;
  server_name 127.0.0.1 *.mydomain.com;
  rewrite ^ https://$server_name$request_uri? permanent;
}

server {
  listen 443 default ssl;
  server_name 127.0.0.1 *.mydomain.com;

  ssl_certificate           /etc/ssl/certs/my.crt;
  ssl_certificate_key       /etc/ssl/private/my.key;

  ssl_session_timeout  5m;
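  # SSLv3 and TLSv1 are deprecated (SSLv3 is broken by POODLE); allow only TLS 1.2 and 1.3
  ssl_protocols  TLSv1.2 TLSv1.3;
  # !aNULL excludes every anonymous suite (ADH and AECDH), not just ADH
  ssl_ciphers HIGH:!aNULL:!MD5;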
  ssl_prefer_server_ciphers on;

  # auth_basic            "Restricted";
  # auth_basic_user_file  /home/jenkins/htpasswd;

  location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect http:// https://;

    add_header Pragma "no-cache";

    proxy_pass http://jenkins;
  }
}

Solution 2:

This page should help you set it up behind Apache (which would handle HTTPS): https://wiki.eclipse.org/Hudson-ci/Running_Hudson_behind_Apache

Apart from being a "normal" reverse-proxy, you'll need this (as shown on that page):

Header edit Location ^http://www.example.com/hudson/ https://www.example.com/hudson/
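
A check for the symptom that proxy_redirect (Solution 1) and Header edit Location (Solution 2) address, as an added example that is not part of either answer: it reads raw response headers, such as those printed by curl -sI, and flags any Location that points back at http://. The hostname ci.example.test and both sample responses are constructed.

```shell
#!/bin/sh
# Added example: flag redirects that send an HTTPS client back to plain HTTP.
# Input: raw response headers on stdin, e.g. the output of curl -sI against
# the proxied Jenkins URL.

# Prints one verdict line per Location header; returns 1 if any is http://.
check_location_headers() {
  awk '
    { sub(/\r$/, "") }                     # HTTP headers end in CRLF
    tolower($0) ~ /^location:/ {           # header names are case-insensitive
      value = $0
      sub(/^[^:]*:[ \t]*/, "", value)      # drop the header name
      if (tolower(value) ~ /^http:\/\//) {
        print "DOWNGRADE " value
        bad = 1
      } else if (tolower(value) ~ /^https:\/\//) {
        print "OK " value
      } else {
        print "RELATIVE " value            # inherits the scheme of the request
      }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample: TLS terminated at the proxy, Location not rewritten.
sample_unrewritten() {
  printf 'HTTP/1.1 302 Found\r\nServer: nginx\r\nLocation: http://ci.example.test/login?from=%%2F\r\n\r\n'
}

# Constructed sample: the same redirect once the Location rewrite is in place.
sample_rewritten() {
  printf 'HTTP/1.1 302 Found\r\nServer: nginx\r\nlocation: https://ci.example.test/login?from=%%2F\r\n\r\n'
}

if sample_unrewritten | check_location_headers; then
  echo "unrewritten sample: no downgrade found"
else
  echo "unrewritten sample: proxy passes http:// redirects through"
fi
sample_rewritten | check_location_headers && echo "rewritten sample: clean"
```

A DOWNGRADE line means the browser is being redirected off TLS, which is what the Location rewrite in either proxy is there to prevent.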

Solution 3:

Note that (as of sometime?) Jenkins can generate the key for you; all you need to do is set the --httpsPort=(portnum) parameter in JENKINS_ARGS.

In my case I set JENKINS_PORT="-1" (disable http) and set --httpsPort=8080 which worked well for my own purposes.

Just note that any port below 1000 generally requires root access, so pick a port higher than that...


Solution 4:

For an Ubuntu server (assuming you installed with apt-get install jenkins):

You'll want to edit /etc/default/jenkins; at the bottom of the file, edit JENKINS_ARGS. In my args, I've disabled http access (using -1) and put SSL on the default Jenkins port (8080). The most important part here is that you set an httpsPort and certificate/key (if you have one; otherwise you can leave those off for the self-generated one). I place the crts in apache and then use them for both, but you could put them anywhere.

JENKINS_ARGS="--webroot=/var/cache/jenkins/war --httpsPort=$HTTP_PORT --httpPort=-1 --httpsCertificate=/etc/apache2/ssl.crt/CERT.crt --httpsPrivateKey=/etc/apache2/ssl.key/KEY.key --ajp13Port=$AJP_PORT"

In some cases, you'll have to use a Java Key Store. First, convert your keys:

openssl pkcs12 -inkey /var/lib/jenkins/jenkins.key.pem -in /var/lib/jenkins/jenkins.crt.pem  -export -out keys.pkcs12

keytool -importkeystore -srckeystore keys.pkcs12 -srcstoretype pkcs12 -destkeystore jenkins.jks

Now use Jenkins args like

JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpsPort=$HTTP_PORT --httpPort=-1 --httpsKeyStore=/etc/apache2/ssl.crt/jenkins.jks --httpsKeyStorePassword=thePassword --ajp13Port=$AJP_PORT"

Also, see https://serverfault.com/a/569898/300544
