
      How To Configure Jenkins with SSL Using an Nginx Reverse Proxy on Ubuntu 20.04



      Introduction

      By default, Jenkins comes with its own built-in Winstone web server listening on port 8080, which is convenient for getting started. It’s also a good idea, however, to secure Jenkins with SSL to protect passwords and sensitive data transmitted through the web interface.

      In this tutorial, you will configure Nginx as a reverse proxy to direct client requests to Jenkins.

      Prerequisites

      To begin, you’ll need the following:

      Step 1 — Configuring Nginx

      In the prerequisite tutorial How to Secure Nginx with Let’s Encrypt on Ubuntu 20.04, you configured Nginx to use SSL in the /etc/nginx/sites-available/example.com file. Open this file to add your reverse proxy settings:

      • sudo nano /etc/nginx/sites-available/example.com

      In the server block with the SSL configuration settings, add Jenkins-specific access and error logs:

      /etc/nginx/sites-available/example.com

      . . . 
      server {
              . . .
              # SSL Configuration
              #
              listen [::]:443 ssl ipv6only=on; # managed by Certbot
              listen 443 ssl; # managed by Certbot
              access_log            /var/log/nginx/jenkins.access.log;
              error_log             /var/log/nginx/jenkins.error.log;
              . . .
              }
      

      Next let’s configure the proxy settings. Since we’re sending all requests to Jenkins, we’ll comment out the default try_files line, which would otherwise return a 404 error before the request reaches Jenkins:

      /etc/nginx/sites-available/example.com

      . . .
                 location / {
                      # First attempt to serve request as file, then
                      # as directory, then fall back to displaying a 404.
                      # try_files $uri $uri/ =404;
                 }
      . . . 
      

      Let’s now add the proxy settings, which include:

      • proxy_params: The /etc/nginx/proxy_params file is supplied by Nginx and ensures that important information, including the hostname, the protocol of the client request, and the client IP address, is retained and available in the log files.
      • proxy_pass: This sets the protocol and address of the proxied server, which in this case will be the Jenkins server accessed via localhost on port 8080.
      • proxy_read_timeout: This enables an increase from Nginx’s 60 second default to the Jenkins-recommended 90 second value.
      • proxy_redirect: This ensures that responses are correctly rewritten to include the proper host name.

      Be sure to substitute your SSL-secured domain name for example.com in the proxy_redirect line below:

      /etc/nginx/sites-available/example.com

      . . .
                 location / {
                      # First attempt to serve request as file, then
                      # as directory, then fall back to displaying a 404.
                      # try_files $uri $uri/ =404;
                      include /etc/nginx/proxy_params;
                      proxy_pass          http://localhost:8080;
                      proxy_read_timeout  90s;
                      # Fix potential "It appears that your reverse proxy setup is broken" error.
                      proxy_redirect      http://localhost:8080 https://example.com;
                 }
      . . .
      

      Once you’ve made these changes, save the file and exit the editor. We’ll hold off on restarting Nginx until after we’ve configured Jenkins, but we can test our configuration now:

      If all is well, the command will return:

      Output

      nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
      nginx: configuration file /etc/nginx/nginx.conf test is successful

      If not, fix any reported errors until the test passes.

      Note:
      If you misconfigure the proxy_pass (by adding a trailing slash, for example), you will get something similar to the following in your Jenkins Configuration page.

      Jenkins error: Reverse proxy set up is broken

      If you see this error, double-check your proxy_pass and proxy_redirect settings in the Nginx configuration.

      Step 2 — Configuring Jenkins

      For Jenkins to work with Nginx, you will need to update the Jenkins configuration so that the Jenkins server listens only on the localhost interface rather than on all interfaces (0.0.0.0). If Jenkins listens on all interfaces, it’s potentially accessible on its original, unencrypted port (8080).

      Let’s modify the /etc/default/jenkins configuration file to make these adjustments:

      • sudo nano /etc/default/jenkins

      Locate the JENKINS_ARGS line and add --httpListenAddress=127.0.0.1 to the existing arguments:

      /etc/default/jenkins

      . . .
      JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --httpListenAddress=127.0.0.1"
      

      Save and exit the file.

      To use the new configuration settings, restart Jenkins:

      • sudo systemctl restart jenkins

      Since systemctl doesn’t display output, check the status:

      • sudo systemctl status jenkins

      You should see the active (exited) status in the Active line:

      Output

      ● jenkins.service - LSB: Start Jenkins at boot time
         Loaded: loaded (/etc/init.d/jenkins; generated)
         Active: active (exited) since Mon 2018-07-09 20:26:25 UTC; 11s ago
           Docs: man:systemd-sysv-generator(8)
        Process: 29766 ExecStop=/etc/init.d/jenkins stop (code=exited, status=0/SUCCESS)
        Process: 29812 ExecStart=/etc/init.d/jenkins start (code=exited, status=0/SUCCESS)

      Restart Nginx:

      • sudo systemctl restart nginx

      Check the status:

      • sudo systemctl status nginx

      Output

      ● nginx.service - A high performance web server and a reverse proxy server
         Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
         Active: active (running) since Mon 2018-07-09 20:27:23 UTC; 31s ago
           Docs: man:nginx(8)
        Process: 29951 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
        Process: 29963 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
        Process: 29952 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
       Main PID: 29967 (nginx)

      With both servers restarted, you should be able to visit the domain using either HTTP or HTTPS. HTTP requests will be redirected automatically to HTTPS, and the Jenkins site will be served securely.
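
An added check for the point made at the start of this step (example code, not part of the original tutorial): it reads `ss -ltn` output and reports any listener on port 8080 that is not bound to a loopback address. The two listings are constructed samples, and the function names are this example's own.

```python
import ipaddress

# Constructed `ss -ltn` output (not captured from a real host):
# Jenkins before the change, bound to every interface ...
SS_BEFORE = """\
State   Recv-Q  Send-Q  Local Address:Port         Peer Address:Port
LISTEN  0       511     0.0.0.0:443                0.0.0.0:*
LISTEN  0       511     [::]:443                   [::]:*
LISTEN  0       50      *:8080                     *:*
"""

# ... and after adding --httpListenAddress=127.0.0.1 and restarting.
SS_AFTER = """\
State   Recv-Q  Send-Q  Local Address:Port         Peer Address:Port
LISTEN  0       511     0.0.0.0:443                0.0.0.0:*
LISTEN  0       511     [::]:443                   [::]:*
LISTEN  0       50      [::ffff:127.0.0.1]:8080    *:*
"""


def split_host_port(local):
    """Split '[::]:443' or '0.0.0.0:443' into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), port


def is_loopback(host):
    """True only if the bind address is a loopback address."""
    host = host.split("%", 1)[0]      # drop a scope suffix such as %lo
    if host in ("", "*"):             # wildcard: every interface
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                  # unparsable: report it, do not trust it
    # A Java server bound to 127.0.0.1 may appear as an IPv4-mapped address.
    mapped = getattr(ip, "ipv4_mapped", None)
    return (mapped or ip).is_loopback


def exposed_listeners(ss_output, port=8080):
    """Return the listening sockets on `port` reachable from other hosts."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                  # header or non-listening socket
        host, found_port = split_host_port(fields[3])
        if found_port == str(port) and not is_loopback(host):
            exposed.append(fields[3])
    return exposed


if __name__ == "__main__":
    for label, text in (("before", SS_BEFORE), ("after", SS_AFTER)):
        found = exposed_listeners(text)
        print(label, "->", found if found else "8080 is loopback-only")
```

On the server, pass it the real output of `ss -ltn` instead of the samples.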

      Step 3 — Testing the Configuration

      Now that you have enabled encryption, you can test the configuration by resetting the administrative password. Let’s start by visiting the site via HTTP to verify that you can reach Jenkins and are redirected to HTTPS.

      In your web browser, enter http://example.com, substituting your domain for example.com. After you press ENTER, the URL should start with https and the location bar should indicate that the connection is secure.

      You can enter the administrative username you created in How To Install Jenkins on Ubuntu 20.04 in the User field, and the password that you selected in the Password field.

      Once logged in, you can change the password to be sure it’s secure.

      Click on your username in the upper-right-hand corner of the screen. On the main profile page, select Configure from the list on the left side of the page:

      Navigate to Jenkins password page

      This will take you to a new page, where you can enter and confirm a new password:

      Jenkins create password page

      Confirm the new password by clicking Save. You can now use the Jenkins web interface securely.

      Conclusion

      In this tutorial, you configured Nginx as a reverse proxy to Jenkins’ built-in web server to secure your credentials and other information transmitted via the web interface. Now that Jenkins is secure, you can learn how to set up a continuous integration pipeline to automatically test code changes. Other resources to consider if you are new to Jenkins are the Jenkins project’s “Creating your first Pipeline” tutorial or the library of community-contributed plugins.




      How to Create an HTTP Proxy Using Squid on Ubuntu 18.04


      Updated by Rajakavitha Kodhandapani

      Written by Linode

      This guide will show you how to create your own HTTP proxy using Squid, a highly customizable proxy/cache application, on Ubuntu 18.04. An HTTP proxy acts as an intermediary between you and the internet. While connected to your Squid HTTP proxy, you will be able to:

      • Anonymously access internet services.
      • Bypass certain regional and local network restrictions.


      Install Squid

      1. Secure your Linode by completing the instructions in our guide on Securing Your Server, including adding a limited user account and configuring a firewall.

        Note

        This guide is written for a limited, non-root user. Commands that require elevated privileges are prefixed with sudo. If you are not familiar with the sudo command, you can check our Users and Groups guide.
      2. Ensure that your system is up-to-date:

        sudo apt-get update && sudo apt-get upgrade
        
      3. Install Squid using the apt software package manager:

        sudo apt-get install squid
        
      4. Copy the original configuration file to keep as a backup:

        sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.default
        

        Note

        The Squid configuration file includes comprehensive documentation in its commented lines, along with several uncommented rules that will remain active. These default rules should not be modified while you are following this guide. To gain a deeper understanding of Squid’s options and default settings, you can review the full configuration file.

      Configure Client Access

      Now that you have Squid installed on your Linode, you can configure ways for it to accept connections and serve as an HTTP proxy. The following sections provide different ways for your Squid HTTP proxy to authenticate client connections. You can configure Squid to use either or both authentication methods.

      IP Address Authentication

      A simple way to use Squid as an HTTP proxy is to use a client’s IP address for authentication.

      1. Edit the Squid configuration file and add the following lines at the beginning of the file:

        /etc/squid/squid.conf
        
        acl client src 192.0.2.0 # Home IP
        http_access allow client

        Replace client with a name that identifies the client computer that will connect to your Squid HTTP proxy, then replace 192.0.2.0 with the client computer’s IP address. You can also update the optional comment # Home IP to further describe the client.

      2. Alternatively, you can configure multiple clients by adding new acl lines to /etc/squid/squid.conf and including them in the http_access allow line as follows:

        /etc/squid/squid.conf
        
        acl client1 src 192.0.2.0 # Home IP
        acl client2 src 192.0.2.1 # Work IP
        http_access allow client1 client2

        Replace client1 and client2 with names that identify the client computers, then replace 192.0.2.0 and 192.0.2.1 with their corresponding IP addresses. Update the optional comments # Home IP and # Work IP with accurate descriptions to help keep track of multiple clients. Access to the proxy is granted by adding the names defined by each acl to the http_access allow line.

      User/Password Authentication

      You can also configure your Squid HTTP proxy to accept authentication with usernames and passwords.

      1. Install htpasswd by installing the Apache utility programs. If you have installed Apache on your Linode, you will already have it and can skip this step.

        sudo apt-get install apache2-utils
        
      2. Create a file to store Squid users and passwords:

        sudo touch /etc/squid/squid_passwd
        
      3. Change ownership of the password file:

        sudo chown proxy /etc/squid/squid_passwd
        
      4. Create a username password pair, replacing user1 with the name of the user you’d like to add:

        sudo htpasswd /etc/squid/squid_passwd user1
        

        You will be prompted to create a password for this user:

          
        New password:
        Re-type new password:
        Adding password for user user1
        
        

        You can repeat this step at any time to create new users.

      5. Check the location of the ncsa_auth file:

        sudo dpkg -L squid | grep ncsa_auth
        
      6. Edit the Squid configuration file and add the following lines at the beginning of the file:

        Note

        Ensure that you update /usr/lib/squid/basic_ncsa_auth below with the location of the ncsa_auth file that you checked in the previous step.

        /etc/squid/squid.conf
        
        auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
        acl ncsa_users proxy_auth REQUIRED
        http_access allow ncsa_users
      7. To remove a user’s access to the proxy, you must delete the corresponding entry in the squid_passwd file. Each user is represented in the file on a single line in the format of user:passwordhash:

        /etc/squid/squid_passwd
        user1:$p948w3nvq3489v6npq396g
        user2:$q3cn478554387cq34n57vn

        If you are using Nano, the command Control+k will remove the entire line where the cursor rests.

        Once you’ve saved and exited the file, complete user removal by restarting Squid:

        sudo systemctl restart squid
        

      Combined Authentication

      You can combine authentication methods using the same acl definitions that you have added in the previous two sections by using a single http_access rule.

      1. Remove any previous http_access lines you have added.

      2. Edit the Squid configuration file so that the lines you have added at the beginning of the file follow this form:

        /etc/squid/squid.conf
        
        acl client1 src 192.0.2.0 # Home IP
        acl client2 src 192.0.2.1 # Work IP
        auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
        acl ncsa_users proxy_auth REQUIRED
        http_access allow client1 client2 ncsa_users

        Note

        Take care to avoid using multiple http_access rules when combining authentication methods, as Squid will follow the rules in the order that they appear. By using a single http_access rule for your acl definitions, you will ensure that several authentication methods will apply to each client that attempts to connect to your Squid HTTP proxy.

      Anonymize Traffic

      Here, you will add rules to mask client IP addresses from the servers that receive traffic from your Squid HTTP proxy. Without these rules, the originating client IP addresses may be passed on through the X-Forwarded-For HTTP header.

      Add the following lines at the beginning of the Squid configuration file:

      /etc/squid/squid.conf
      
      forwarded_for off
      request_header_access Allow allow all
      request_header_access Authorization allow all
      request_header_access WWW-Authenticate allow all
      request_header_access Proxy-Authorization allow all
      request_header_access Proxy-Authenticate allow all
      request_header_access Cache-Control allow all
      request_header_access Content-Encoding allow all
      request_header_access Content-Length allow all
      request_header_access Content-Type allow all
      request_header_access Date allow all
      request_header_access Expires allow all
      request_header_access Host allow all
      request_header_access If-Modified-Since allow all
      request_header_access Last-Modified allow all
      request_header_access Location allow all
      request_header_access Pragma allow all
      request_header_access Accept allow all
      request_header_access Accept-Charset allow all
      request_header_access Accept-Encoding allow all
      request_header_access Accept-Language allow all
      request_header_access Content-Language allow all
      request_header_access Mime-Version allow all
      request_header_access Retry-After allow all
      request_header_access Title allow all
      request_header_access Connection allow all
      request_header_access Proxy-Connection allow all
      request_header_access User-Agent allow all
      request_header_access Cookie allow all
      request_header_access All deny all

      Enable Connections

      Next, you will enable clients to connect to your Squid HTTP proxy.

      1. Save and exit the Squid configuration file.

      2. Restart Squid to enable the rules you have added:

        sudo systemctl restart squid
        
      3. Implement firewall rules to enable port 3128, which is the default service port used by Squid:

        sudo ufw allow 3128/tcp
        

        You can find more information on configuring firewall rules for Ubuntu in our guide on How to Configure a Firewall with UFW.

      Connect to your Squid HTTP Proxy

      Your Squid HTTP proxy is now ready to accept client connections and anonymously handle internet traffic.

      At this point, you can configure your local browser or operating system’s network settings to use your Linode as an HTTP proxy. The settings to do this will vary depending on your OS and browser. Instructions for certain OS and browser settings are located in the More Information section below.

      Generally, connecting to your Squid HTTP proxy requires the following information:

      • The IP address or domain name associated with your Linode.
      • The port that is being used by Squid. The default port is 3128.
      • A username and password if you have configured them for authentication.

      Once you have established your OS or browser settings, test the connection by pointing your browser at a website that tells you your IP address, such as:

      The result should display your Linode’s IP address instead of the IP address of your client computer.

      More Information

      You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

      This guide is published under a CC BY-ND 4.0 license.




      How to Create an HTTP Proxy Using Squid on Debian 10


      Updated by Rajakavitha Kodhandapani

      Written by Linode

      This guide will show you how to create your own HTTP proxy using Squid, a highly customizable proxy/cache application, on Debian 10. An HTTP proxy acts as an intermediary between you and the internet. While connected to your Squid HTTP proxy, you will be able to:

      • Anonymously access internet services.
      • Bypass certain regional and local network restrictions.


      Install Squid

      1. Secure your Linode by completing the instructions in our guide on Securing Your Server, including adding a limited user account and configuring a firewall.

        Note

        This guide is written for a limited, non-root user. Commands that require elevated privileges are prefixed with sudo. If you are not familiar with the sudo command, you can check our Users and Groups guide.
      2. Ensure that your system is up-to-date:

        sudo apt-get update && sudo apt-get upgrade
        
      3. Install Squid using the apt software package manager:

        sudo apt-get install squid
        
      4. Copy the original configuration file to keep as a backup:

        sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.default
        

        Note

        The Squid configuration file includes comprehensive documentation in its commented lines, along with several uncommented rules that will remain active. These default rules should not be modified while you are following this guide. To gain a deeper understanding of Squid’s options and default settings, you can review the full configuration file.

      Configure Client Access

      Now that you have Squid installed on your Linode, you can configure ways for it to accept connections and serve as an HTTP proxy. The following sections provide different ways for your Squid HTTP proxy to authenticate client connections. You can configure Squid to use either or both authentication methods.

      IP Address Authentication

      A simple way to use Squid as an HTTP proxy is to use a client’s IP address for authentication.

      1. Edit the Squid configuration file and add the following lines at the beginning of the file:

        /etc/squid/squid.conf
        
        acl client src 192.0.2.0 # Home IP
        http_access allow client

        Replace client with a name that identifies the client computer that will connect to your Squid HTTP proxy, then replace 192.0.2.0 with the client computer’s IP address. You can also update the optional comment # Home IP to further describe the client.

      2. Alternatively, you can configure multiple clients by adding new acl lines to /etc/squid/squid.conf and including them in the http_access allow line as follows:

        /etc/squid/squid.conf
        
        acl client1 src 192.0.2.0 # Home IP
        acl client2 src 192.0.2.1 # Work IP
        http_access allow client1 client2

        Replace client1 and client2 with names that identify the client computers, then replace 192.0.2.0 and 192.0.2.1 with their corresponding IP addresses. Update the optional comments # Home IP and # Work IP with accurate descriptions to help keep track of multiple clients. Access to the proxy is granted by adding the names defined by each acl to the http_access allow line.

      User/Password Authentication

      You can also configure your Squid HTTP proxy to accept authentication with usernames and passwords.

      1. Install htpasswd by installing the Apache utility programs. If you have installed Apache on your Linode, you will already have it and can skip this step.

        sudo apt-get install apache2-utils
        
      2. Create a file to store Squid users and passwords:

        sudo touch /etc/squid/squid_passwd
        
      3. Change ownership of the password file:

        sudo chown proxy /etc/squid/squid_passwd
        
      4. Create a username password pair, replacing user1 with the name of the user you’d like to add:

        sudo htpasswd /etc/squid/squid_passwd user1
        

        You will be prompted to create a password for this user:

          
        New password:
        Re-type new password:
        Adding password for user user1
        
        

        You can repeat this step at any time to create new users.

      5. Check the location of the ncsa_auth file:

        sudo dpkg -L squid | grep ncsa_auth
        
      6. Edit the Squid configuration file and add the following lines at the beginning of the file:

        Note

        Ensure that you update /usr/lib/squid/basic_ncsa_auth below with the location of the ncsa_auth file that you checked in the previous step.

        /etc/squid/squid.conf
        
        auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
        acl ncsa_users proxy_auth REQUIRED
        http_access allow ncsa_users
      7. To remove a user’s access to the proxy, you must delete the corresponding entry in the squid_passwd file. Each user is represented in the file on a single line in the format of user:passwordhash:

        /etc/squid/squid_passwd
        user1:$p948w3nvq3489v6npq396g
        user2:$q3cn478554387cq34n57vn

        If you are using Nano, the command Control+k will remove the entire line where the cursor rests.

        Once you’ve saved and exited the file, complete user removal by restarting Squid:

        sudo systemctl restart squid
        

      Combined Authentication

      You can combine authentication methods using the same acl definitions that you have added in the previous two sections by using a single http_access rule.

      1. Remove any previous http_access lines you have added.

      2. Edit the Squid configuration file so that the lines you have added at the beginning of the file follow this form:

        /etc/squid/squid.conf
        
        acl client1 src 192.0.2.0 # Home IP
        acl client2 src 192.0.2.1 # Work IP
        auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
        acl ncsa_users proxy_auth REQUIRED
        http_access allow client1 client2 ncsa_users

        Note

        Take care to avoid using multiple http_access rules when combining authentication methods, as Squid will follow the rules in the order that they appear. By using a single http_access rule for your acl definitions, you will ensure that several authentication methods will apply to each client that attempts to connect to your Squid HTTP proxy.
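
Squid requires every ACL named on one http_access line to match the same request, treats the values inside one acl as alternatives, and stops at the first line that matches. The added example below (not Squid's code and not part of this guide or of the identical Ubuntu 18.04 section above) models those rules for the src and proxy_auth ACLs used here, so a rule set can be checked against sample clients before Squid is restarted. Assumptions: the `clients` ACL and the grouped rule set are illustrative, the closing `http_access deny all` stands in for the default rules left further down the file, and the test addresses are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional


class Request(NamedTuple):
    src: str                      # client IP address
    user: Optional[str] = None    # user whose password was verified, else None


# The combined rule set from this section, plus a closing deny (assumption).
PAGE_RULES = """
acl client1 src 192.0.2.0 # Home IP
acl client2 src 192.0.2.1 # Work IP
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
acl ncsa_users proxy_auth REQUIRED
http_access allow client1 client2 ncsa_users
http_access deny all
"""

# Illustrative variant: both addresses are values of one src ACL.
GROUPED_RULES = """
acl clients src 192.0.2.0 192.0.2.1
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
acl ncsa_users proxy_auth REQUIRED
http_access allow clients ncsa_users
http_access deny all
"""


def parse(conf):
    """Collect acl definitions and http_access rules in file order."""
    acls = {"all": ("all", [])}   # Squid predefines an ACL named "all"
    rules = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()      # drop trailing comments
        if len(words) >= 4 and words[0] == "acl":
            _kind, values = acls.setdefault(words[1], (words[2], []))
            values.extend(words[3:])              # repeated names accumulate
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acl, req):
    """Values of one ACL are alternatives: any one of them may match."""
    kind, values = acl
    if kind == "all":
        return True
    if kind == "src":             # single addresses and CIDR only in this model
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "proxy_auth":
        # Simplification: a request without valid credentials is a non-match;
        # Squid would normally answer it with an authentication challenge.
        return req.user is not None and ("REQUIRED" in values or req.user in values)
    raise ValueError("ACL type not modelled: " + kind)


def evaluate(conf, req):
    """Return 'allow' or 'deny' for req: first matching line wins."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls[name], req) for name in names):
            return action
    # No line matched: Squid applies the opposite of the last rule.
    return "allow" if rules and rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    samples = [Request("192.0.2.0", "user1"), Request("192.0.2.1", "user1"),
               Request("192.0.2.0"), Request("198.51.100.7", "user1")]
    for req in samples:
        print(req, "page:", evaluate(PAGE_RULES, req),
              "grouped:", evaluate(GROUPED_RULES, req))
```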

      Anonymize Traffic

      Here, you will add rules to mask client IP addresses from the servers that receive traffic from your Squid HTTP proxy. Without these rules, the originating client IP addresses may be passed on through the X-Forwarded-For HTTP header.

      Add the following lines at the beginning of the Squid configuration file:

      /etc/squid/squid.conf
      
      forwarded_for off
      request_header_access Allow allow all
      request_header_access Authorization allow all
      request_header_access WWW-Authenticate allow all
      request_header_access Proxy-Authorization allow all
      request_header_access Proxy-Authenticate allow all
      request_header_access Cache-Control allow all
      request_header_access Content-Encoding allow all
      request_header_access Content-Length allow all
      request_header_access Content-Type allow all
      request_header_access Date allow all
      request_header_access Expires allow all
      request_header_access Host allow all
      request_header_access If-Modified-Since allow all
      request_header_access Last-Modified allow all
      request_header_access Location allow all
      request_header_access Pragma allow all
      request_header_access Accept allow all
      request_header_access Accept-Charset allow all
      request_header_access Accept-Encoding allow all
      request_header_access Accept-Language allow all
      request_header_access Content-Language allow all
      request_header_access Mime-Version allow all
      request_header_access Retry-After allow all
      request_header_access Title allow all
      request_header_access Connection allow all
      request_header_access Proxy-Connection allow all
      request_header_access User-Agent allow all
      request_header_access Cookie allow all
      request_header_access All deny all

      Enable Connections

      Next, you will enable clients to connect to your Squid HTTP proxy.

      1. Save and exit the Squid configuration file.

      2. Restart Squid to enable the rules you have added:

        sudo systemctl restart squid
        
      3. Implement firewall rules to enable port 3128, which is the default service port used by Squid:

        sudo ufw allow 3128/tcp
        

        You can find more information on configuring firewall rules for Debian in our guide on How to Configure a Firewall with UFW.

      Connect to your Squid HTTP Proxy

      Your Squid HTTP proxy is now ready to accept client connections and anonymously handle internet traffic.

      At this point, you can configure your local browser or operating system’s network settings to use your Linode as an HTTP proxy. The settings to do this will vary depending on your OS and browser. Instructions for certain OS and browser settings are located in the More Information section below.

      Generally, connecting to your Squid HTTP proxy requires the following information:

      • The IP address or domain name associated with your Linode.
      • The port that is being used by Squid. The default port is 3128.
      • A username and password if you have configured them for authentication.

      Once you have established your OS or browser settings, test the connection by pointing your browser at a website that tells you your IP address, such as:

      The result should display your Linode’s IP address instead of the IP address of your client computer.

      More Information

      You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

      This guide is published under a CC BY-ND 4.0 license.


