1

I have installed nginx and made the following host:

server {
  listen          80;       # Listen on port 80 for IPv4 requests

  server_name     jenkins.mydomain.ru;
  root            /var/lib/jenkins;

  access_log      /var/log/nginx/jenkins_access.log;
  error_log       /var/log/nginx/jenkins_error.log;

  location / {
      auth_basic            "Restricted";
      auth_basic_user_file  /etc/nginx/passwd/htpasswd;

      proxy_pass         http://127.0.0.1:8080/;
      proxy_redirect     off;

      proxy_set_header   Host             $host;
      proxy_set_header   X-Real-IP        $remote_addr;
      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
      proxy_max_temp_file_size 0;

      client_max_body_size       10m;
      client_body_buffer_size    128k;

      proxy_connect_timeout      90;
      proxy_send_timeout         90;
      proxy_read_timeout         90;

      proxy_buffer_size          4k;
      proxy_buffers              4 32k;
      proxy_busy_buffers_size    64k;
      proxy_temp_file_write_size 64k;

      # Optional configuration to detect and redirect iPhones
      if ($http_user_agent ~* '(iPhone|iPod)') {
          rewrite ^/$ /view/iphone/ redirect;
      }
  }
}

After that I can access Jenkins at jenkins.mydomain.ru and it requires a password. But I can still access Jenkins at http://mydomain.ru:8080/ without any password. How can I disallow access to Jenkins at http://mydomain.ru:8080/?

kenorb
Dmitro

3 Answers

3

Jenkins seems to be listening on port 8080, so nginx has no control over it -- you need to go to Jenkins' config file and tell it to listen on 127.0.0.1 (local connections only), where I would guess that it's currently set to 0.0.0.0 (open to all).

Shish
0

You can restrict which address Jenkins binds to by using --httpListenAddress (such as localhost). See: Starting and Accessing Jenkins and How can I get Jenkins to stop listening for remote connections?

On Linux this can be configured in JAVA_ARGS in the /etc/default/jenkins file, but it may vary depending on your Linux distribution or operating system.

You can also consider using the Reverse Proxy Auth plugin in order to delegate the authentication to the reverse proxy that you run in front of Jenkins.

Here are a few extra notes:

  • Make sure that clients cannot bypass the reverse proxy. If they can send requests directly to Jenkins, then a malicious client can send in an arbitrary header name with an arbitrary value, thus compromising the security of Jenkins.
  • Make sure you configure the reverse proxy to erase the header that you use to pass the authenticated user name. This prevents a malicious client from setting the header name with an arbitrary value, which would ruin the security.
  • If your authorisation need is simple (for example, every valid user gets full access and everyone else gets no access), then you need not use this plugin, as you can do both authentication and authorisation in the reverse proxy.
  • Hit http://yourserver/whoAmI to see the actual HTTP headers your Apache is sending to Jenkins. This is useful for trouble-shooting.
kenorb
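A check for the bind-address fix described in the answers above, added here as an example (not code from the answerers or from the Jenkins project): it reads `ss -ltn` output and reports whether a port is still bound to a non-loopback address, which is the condition that lets clients bypass nginx. The function names and both sample socket listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Typical use on the Jenkins host:
#   ss -ltn | loopback_only 8080 && echo "8080 is only reachable through the proxy"

# Reads `ss -ltn` text on stdin and prints "loopback <addr>" or "exposed <addr>"
# for every TCP listener on port $1.
classify_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4                                  # Local Address:Port column
            if (!match(la, /:[0-9]+$/)) next         # locate the last ":port"
            addr = substr(la, 1, RSTART - 1)
            if (substr(la, RSTART + 1) != port) next
            # 127.0.0.0/8, ::1 and IPv4-mapped 127.x are loopback; a wildcard
            # such as 0.0.0.0, [::] or * (a dual-stack Java socket) is not.
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./)
                print "loopback", addr
            else
                print "exposed", addr
        }'
}

# Status 0: every listener on port $1 is loopback-only.
# Status 1: at least one listener is reachable from other hosts.
# Status 2: nothing is listening on that port.
loopback_only() {
    out=$(classify_listeners "$1")
    [ -n "$out" ] || return 2
    case "$out" in
        *exposed*) return 1 ;;
    esac
    return 0
}

# Constructed sample: Jenkins on all interfaces, as in the question.
SAMPLE_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      50                 *:8080             *:*'

# Constructed sample: Jenkins restarted with --httpListenAddress=127.0.0.1.
SAMPLE_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*
LISTEN 0      50   [::ffff:127.0.0.1]:8080          *:*'

printf '%s\n' "$SAMPLE_BEFORE" | classify_listeners 8080   # prints: exposed *
```

A loopback-only result covers the bind address only; a host firewall rule or a published container port can still change what is reachable, so confirm from a second machine as well.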
0

You could also run Jenkins in a Docker container and have full control over the ports available. I connected 2 Jenkins Docker containers, one being an nginx to reverse proxy over. The host machine had no access to the Jenkins container, but through a URL passed into the nginx that routed it over to the isolated container on the same Docker network.

lastlink