How to Configure Jenkins with SSL Behind Nginx on Ubuntu 20.04

Jenkins is an open-source tool automation tool to set up the entire software delivery pipeline -continuous delivery. This enables developers to manage and control software delivery processes throughout the entire lifecycle such as to reliably build, test, and deploy their software.

Jenkins has an extensible and vibrant, active community. It is written in Java. Generally, Jenkins runs as a standalone built-in Java servlet application. It is also possible to run in Java servlet containers such as Apache Tomcat or GlassFish.

In this tutorial, we learn how to configure Jenkins with SSL behind Nginx on Ubuntu 20.04.

Prerequisites

  • A Ubuntu 20.04 Server
  • A user with sudo proviledges
  • Miminum of 1 GB of RAM
  • Oracle JDK 11 or above installed.

Step 1: Install Jenkins on Ubuntu

The Jenkins package available in the default Ubuntu repository is most likely behind the latest version. It is recommended to install Jenkin from the projected maintenance package which is available in the official repository.

We will first add the repository key to the system.

$ wget -q -O - https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo apt-key add -

When writing this guide, the procedure will install the version 2.303.3 of Jenkins

Next, let’s add the package repository to the sources.list file:

$ sudo sh -c 'echo deb http://pkg.jenkins.io/debian-stable binary/ > /etc/apt/sources.list.d/jenkins.list'

We should update the cache of the repository

$ sudo apt update

Now you can install Jenkins:

$ sudo apt install jenkins

Then start the service

$ sudo systemctl start jenkins

Let's configure the service to automatically start with the server

$ sudo systemctl enable jenkins

You can check the status of the service

$ sudo systemctl status jenkins

You can check the version by looking at the file /var/lib/jenkins/config.xml

$ cat /var/lib/jenkins/config.xml
<?xml version='1.1' encoding='UTF-8'?> 
<hudson>   
      <disabledAdministrativeMonitors/>   
      <version>2.303.3</version>
...
...
</hudson>

Step 2: Configuring Nginx with SSL certificate

Now as we will use Nginx to proxy the communication, we will first need to install it

$ sudo apt install nginx

Now you need to copy the certificate in the folder to use. We will consider that you already have your SSL certificate.

We will copy the certificate

$ sudo cp jenkins.domain.com.crt /etc/nginx/certs/jenkins.domain.com.crt

Then copy the keys

$ sudo cp jenkins.domain.com.key /etc/nginx/certs/jenkins.domain.com.key

To avoid any conflict with the default configuration of Nginx, we will remove the default configuration from the sites-enabled directory

sudo rm /etc/nginx/sites-enabled/default

Now let's create the configuration file of Jenkins. Jenkins normally uses port 8080 to run but as we are using Nginx, it will listen on ports 80 and 443, then with the domain name information, it will proxy the communication internally on port 8080 for Jenkins.

The configuration that we will set will automatically force all HTTP requests to HTTPS

$ sudo vim /etc/nginx/sites-available/jenkins.conf
upstream jenkins.domain.com {
       server SERVER_IP:8080;
}
server {
        server_name jenkins.domain.com;
        listen 80 ;
        access_log /var/log/nginx/jenkins.log;
        return 301 https://$host$request_uri;
}
server {
        server_name jenkins.domain.com;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/jenkins.log;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/jenkins.domain.com.crt;
        ssl_certificate_key /etc/nginx/certs/jenkins.domain.com.key;
        add_header Strict-Transport-Security "max-age=31536000";
        location / {
                proxy_pass http://jenkins.domain.com;
        }
}

In addition to the Jenkins Nginx configuration, we have added some of the required nginx derivatives. You can use and optimize according to your web server requirements.

Now create a symbolic of the configuration file to enable it

$ sudo ln -s /etc/nginx/sites-available/jenkins.conf /etc/nginx/sites-enabled/jenkins.conf

Now start the Nginx service

$ sudo systemctl start nginx

Then enable it on startup

$ sudo systemctl enable nginx

Now you can test your Nginx configuration

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now restart the Nginx service to take the configuration into consideration

$ sudo systemctl restart nginx

Now open the ports 80 and 443 on the firewall:

$ sudo ufw allow 80,443/tcp

Also, make sure to open the ssh port before enabling UFW otherwise, you could lose your ssh connection if something goes wrong

$ sudo ufw allow 'OpenSSH'

Now enable UFW if not yet

$ sudo ufw enable

Step 3: Access and configure Jenkins

Now open your browser with the URL http://jenkins.domain.com and then you will see the page of Jenkins asking you for a password

Jenkin dashboard administrator password

To have the password, you should display the content of the file that is indicated

$ sudo cat /var/lib/jenkins/secrets/initialAdminPassword
88ba484d8cff4150a90683a07c89ea7c

Then paste the password and continue to the next page. You will now have the page asking to install the default plugins or to select the ones to install. In our case, we will leave the default ones

select plugins to install

Then you will see the installation process

installation process

Now you need to create the admin user.

Create Jenkins admin user

Now validate the URL of Jenkins.

Now you can start using your Jenkins

Jenkins welcome page

Conclusion

In this tutorial, we learned how to configure Jenkins with SSL behind Nginx on Ubuntu 20.04. You can start configuring the jobs and pipelines of your CI/CD process.

Leave a Comment