<p>By default, Jenkins comes with its own built-in web server, which listens on port 8080. This is convenient if you run a private Jenkins instance, or if you just need to get something up quickly and don’t care about security. Once you have real production data going to your host, though, it’s a good idea to put a more secure web server such as Nginx in front of it to handle the traffic.</p>
<p>This post will detail how to wrap your site with SSL using the Nginx web server as a reverse proxy for your Jenkins instance. <strong>This tutorial assumes some familiarity with Linux commands, a working Jenkins installation, and an Ubuntu 14.04 installation.</strong></p>
<p>You can install Jenkins later in this tutorial, if you don’t have it installed yet.</p>
<p>This guide assumes that you are using Ubuntu 22.04. Before you begin, you should have a non-<strong>root</strong> user account with <code>sudo</code> privileges set up on your system. You can learn how to do this by following the <a href="https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-22-04">Ubuntu 22.04 initial server setup tutorial</a>. You will also need the Nginx server installed and hosting your domain. You can learn how to do this with the <a href="https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-22-04">How To Install Nginx on Ubuntu 22.04 tutorial</a>.</p>
<p>Additionally, having your Jenkins instance secured by SSL is very important. If it is visible on the internet, you can secure it with Let’s Encrypt. You can learn how to do this with the <a href="https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-22-04">How to Secure Nginx with Let’s Encrypt on Ubuntu 22.04 tutorial</a>.
As stated previously, this tutorial assumes that Jenkins is already installed. <a href="https://www.digitalocean.com/community/tutorials/how-to-install-and-use-jenkins-on-ubuntu-12-04">This tutorial</a> will show you how to install Jenkins if necessary. You will probably need to switch to the root user for that article.</p>
<p>Here is what the final configuration might look like; the sections are broken down and briefly explained below. You can update or replace the existing config file, although you may want to make a backup copy first.</p>
<p>You will need to update the <code>server_name</code> and <code>proxy_redirect</code> lines with your own domain name. There is some additional Nginx magic going on as well: requests are read by Nginx and rewritten on the response side to ensure the reverse proxy is working.</p>
<p>Save and close the file. If you used <code>nano</code>, you can do so by pressing <code>Ctrl + X</code>, <code>Y</code>, and then <code>Enter</code>.</p>
<p>After that, the proxying happens. It basically takes any incoming requests and proxies them to the Jenkins instance that is bound/listening to port 8080 on the local network interface. </p>
<p><strong>Note:</strong> If you’d like to learn more about proxying in Nginx, <a href="https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-as-a-front-end-proxy-for-apache">this tutorial</a> has some good information about the Nginx proxy settings.</p>
<p>A few quick things to point out here. If you don’t have a domain name that resolves to your Jenkins server, then the <code>proxy_redirect</code> statement above won’t function correctly without modification, so keep that in mind. Also, if you misconfigure the <code>proxy_pass</code> (by adding a trailing slash for example), you will get something similar to the following in your Jenkins Configuration page.</p>
<p><img alt="Jenkins error: Reverse proxy set up is broken" src="https://assets.digitalocean.com/articles/nginx_jenkins/1.jpg"/></p>
<p>So, if you see this error, double-check your <code>proxy_pass</code> and <code>proxy_redirect</code> settings in the Nginx configuration!</p>
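<p>The configuration described above could look like the following. This is an added example, not the original tutorial's file; it assumes the hostname <code>jenkins.domain.com</code> used in the text, certificate paths as Let’s Encrypt's certbot lays them out, and Jenkins listening on <code>127.0.0.1:8080</code>.</p>

```nginx
# Added example. Assumed values: jenkins.domain.com, the certbot
# certificate paths, and the backend address 127.0.0.1:8080.

# Plain HTTP: send every request to the HTTPS site.
server {
    listen 80;
    server_name jenkins.domain.com;
    return 301 https://$host$request_uri;
}

# HTTPS: terminate TLS here and proxy to the local Jenkins instance.
server {
    listen 443 ssl;
    server_name jenkins.domain.com;

    ssl_certificate     /etc/letsencrypt/live/jenkins.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jenkins.domain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    access_log /var/log/nginx/jenkins.access.log;
    error_log  /var/log/nginx/jenkins.error.log;

    location / {
        # Tell Jenkins the original host, client address and scheme so
        # the links it generates use https:// and the public name.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # No trailing slash: with a URI part on proxy_pass, Nginx forwards
        # a normalized path instead of the original request URI. The text
        # names this as a cause of the "reverse proxy set up is broken" error.
        proxy_pass         http://127.0.0.1:8080;
        proxy_read_timeout 90;

        # Rewrite Location headers that still point at the backend
        # address so redirects go to the public HTTPS name.
        proxy_redirect     http://127.0.0.1:8080 https://jenkins.domain.com;
    }
}
```

<p>Run <code>sudo nginx -t</code> before reloading Nginx so that a syntax error does not take the proxy down.</p>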
<p>For Jenkins to work with Nginx, we need to update the Jenkins config to listen only on the localhost address instead of all (0.0.0.0), to ensure traffic gets handled properly. This is an important security step because if Jenkins is still listening on all addresses, then it will still potentially be accessible via its original port (8080). We will modify the <code>/etc/default/jenkins</code> configuration file to make these adjustments.</p>
<p>If you are using the GitHub or another OAuth plugin for authentication, it will probably be broken at this point. For example, when attempting to visit the URL, you will get a “Failed to open page” with a URL similar to <code>http://jenkins.domain.com:8080/securityRealm/finishLogin?code=random-string</code>.</p>
<p>To fix this you will need to update a few settings within Jenkins, including your OAuth plugin settings. First update the Jenkins URL in the Jenkins GUI; it can be found in the <strong>Jenkins -> Manage Jenkins -> Configure System -> Jenkins Location</strong> menu.</p>
<p>Next, update your OAuth settings with the external provider. This example is for GitHub. On GitHub, this can be found under <strong>Settings -> Applications -> Developer applications</strong>, on the GitHub site.</p>
<p>There should be an entry for Jenkins. Update the <strong>Homepage URL</strong> and <strong>Authorization callback URL</strong> to reflect the HTTPS settings. It might look similar to the following:</p>
<p><img alt="Jenkins settings on GitHub; https:// has been used with both URLs" src="https://assets.digitalocean.com/articles/nginx_jenkins/3.jpg"/></p>
<h3 id="conclusion">Conclusion</h3>
<p>The only thing left to do is verify that everything worked correctly. As mentioned above, you should now be able to browse to your newly configured URL - <code>jenkins.domain.com</code> - over either HTTP or HTTPS. You should be redirected to the secure site, and should see some site information, including your newly updated SSL settings. As noted previously, if you are not using hostnames via DNS, then your redirection may not work as desired. In that case, you will need to modify the <code>proxy_pass</code> section in the Nginx config file.</p>