
My colleague has installed Jenkins on one of our test servers. When I access the server IP and port 8080, Jenkins is running, i.e. 99.999.999.999:8080

I want to lock down the Jenkins application to the outside world and only have it available from internal IP addresses.

So I've set up a VirtualHost in Apache as follows:

<VirtualHost *:80>
   ServerName jenkins.mytestserver.com
   ErrorLog logs/jenkins.mytestserver.com-error_log
   CustomLog logs/jenkins.mytestserver.com-access_log common

   #ProxyPass  /usr/share/tomcat6/webapps/ ajp://127.0.0.1:8080/usr/share/tomcat6/webapps/
   #ProxyPassReverse /usr/share/tomcat6/webapps/ ajp://127.0.0.1:8080/usr/share/tomcat6/webapps/
   #ProxyRequests Off

   # Reverse-proxy everything to the Jenkins listener on localhost
   # (nocanon passes the request path through without canonicalisation)
   ProxyPass / http://localhost:8080/ nocanon
   ProxyPassReverse / http://localhost:8080/
   ProxyRequests Off
   ProxyPreserveHost On

   # Apache 2.2-style access control: deny everyone except the internal address
   <Location />
     order deny,allow
     deny from all
     Allow from 11.111.111.111
   </Location>
</VirtualHost>

The VirtualHost works: I can access Jenkins via jenkins.mytestserver.com and it's blocked from the outside world.

How do I block the outside world from accessing it via 99.999.999.999:8080?

I have a feeling the way I have done the reverse proxy above is not right, as it's just passing the request to http://localhost:8080/, which is the same as http://99.999.999.999:8080.

I've been referencing the following docs:

https://wiki.jenkins-ci.org/display/JENKINS/Apache+frontend+for+security

https://www.mulesoft.com/tcat/tomcat-connectors (I think the answer to my question is in this doc, but I can't figure it out).

Any help appreciated.

Regards, Stephen

  • Why not use iptables to block all connections to port 8080 that are not from your internal network? – grag42 May 13 '15 at 15:47
  • @grag42 ok, that sounds like a good idea. I'm not that familiar with iptables, but I'll do a bit of digging and see if I can figure it out. – Stephen May 13 '15 at 15:54

2 Answers


An easy way to block traffic with iptables

The IPTables HOWTO is a pretty good how-to.

The basic idea for how to block would be:

sudo iptables -A INPUT -s 192.168.x.x -p tcp --dport 8080 -j ACCEPT

to allow all your network, and

sudo iptables -A INPUT -p tcp --dport 8080 -j REJECT

to reject all other networks.

grag42
  • Thanks for this @grag42, sorry for the late response, while I didn't quite get the rules working correctly, this gave me the idea to use the Amazon Web Console to lock things down. – Stephen May 21 '15 at 13:35
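As an added example (not part of grag42's answer or the rest of the thread), the following Python model walks an iptables INPUT chain with first-match semantics so the two rules above can be reasoned about before they are applied to a live host. The internal range 192.168.0.0/16 stands in for the answer's 192.168.x.x, the interface names and sample source addresses are constructed, and the leading loopback rule is an addition the answer does not include: because Apache in the question proxies to localhost:8080, a bare REJECT on dport 8080 would also catch the proxy's own connections arriving on lo. The model also shows why `-A` (append) makes listing order matter, and renders the chain back as the commands that would create it.

```python
# Added example: simulate iptables first-match evaluation of the INPUT chain.
# Constructed data: the 192.168.0.0/16 internal range, interface names, and
# the sample packets. Nothing here touches the real firewall.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT" or "REJECT"
    dport: Optional[int] = None      # match only this TCP destination port
    src: Optional[str] = None        # match only this source network (CIDR)
    in_iface: Optional[str] = None   # match only packets arriving on this interface

    def matches(self, src_ip: str, dport: int, iface: str) -> bool:
        if self.dport is not None and self.dport != dport:
            return False
        if self.src is not None and ipaddress.ip_address(src_ip) not in \
                ipaddress.ip_network(self.src, strict=False):
            return False
        if self.in_iface is not None and self.in_iface != iface:
            return False
        return True


def evaluate(chain: List[Rule], src_ip: str, dport: int,
             iface: str = "eth0", policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule decides (iptables semantics).
    If nothing matches, the chain policy applies."""
    for rule in chain:
        if rule.matches(src_ip, dport, iface):
            return rule.target
    return policy


# The answer's two rules in the order given (-A appends, so listing order is
# evaluation order), preceded by an added loopback allowance so the Apache
# proxy on the same host can still reach Jenkins on 127.0.0.1:8080.
JENKINS_CHAIN = [
    Rule("ACCEPT", in_iface="lo"),
    Rule("ACCEPT", dport=8080, src="192.168.0.0/16"),
    Rule("REJECT", dport=8080),
]

# The same two rules appended in the wrong order: the catch-all REJECT is
# reached first, so even internal clients are refused.
WRONG_ORDER_CHAIN = [JENKINS_CHAIN[2], JENKINS_CHAIN[1]]


def as_iptables(chain: List[Rule]) -> List[str]:
    """Render the chain as the iptables commands that would create it."""
    cmds = []
    for r in chain:
        parts = ["iptables", "-A", "INPUT"]
        if r.in_iface:
            parts += ["-i", r.in_iface]
        if r.src:
            parts += ["-s", r.src]
        if r.dport is not None:
            parts += ["-p", "tcp", "--dport", str(r.dport)]
        parts += ["-j", r.target]
        cmds.append(" ".join(parts))
    return cmds


if __name__ == "__main__":
    samples = [("127.0.0.1", "lo"), ("192.168.1.5", "eth0"), ("203.0.113.7", "eth0")]
    for ip, iface in samples:
        print(f"{ip:>12} via {iface}: {evaluate(JENKINS_CHAIN, ip, 8080, iface)}")
    print("\n".join(as_iptables(JENKINS_CHAIN)))
```

The model ignores connection tracking and the chain's own default policy beyond the `policy` argument, which is enough to check the two points that matter here: a host outside the internal range is rejected on 8080 but untouched on other ports, and reversing the append order silently locks out the internal network.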

Since you proxy the traffic from the Apache web server to http://localhost:8080/, you can configure the Tomcat connector to bind to address=127.0.0.1 instead of the default behaviour, which is to bind to all interfaces.

That way, the only way in to your Jenkins service is through your proxy (unless, of course, you connect from the same machine running Jenkins).

If you want to include SSL in the configuration too, then you can also use ProxyPass, but for a port listening on 443, and put your SSL configuration in Apache httpd too (and have a redirect from port 80 to 443).

Petter H
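As an added example (not from Petter H's answer or the Jenkins or Tomcat projects), the Python below applies the loopback-binding advice to a Tomcat server.xml fragment by setting address="127.0.0.1" on the HTTP Connector for port 8080, and then verifies the outcome the way an administrator would after restarting: by scanning `ss -ltn` style listener output for anything on port 8080 that is not a loopback address. The server.xml fragment and the listener lines are constructed samples; the function names are this example's own.

```python
# Added example: bind the Tomcat HTTP connector to loopback and verify that
# port 8080 is no longer reachable on a non-loopback address.
# Constructed data: the server.xml fragment and the `ss -ltn` style output.
import ipaddress
import xml.etree.ElementTree as ET
from typing import List, Optional

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" />
  </Service>
</Server>"""


def bind_connector_to_loopback(server_xml: str, port: int = 8080,
                               address: str = "127.0.0.1") -> str:
    """Return server.xml with the Connector on `port` bound to `address` only.
    Tomcat's default when `address` is absent is to listen on all interfaces.
    Note: ElementTree drops XML comments on re-serialisation, so apply this to
    a copy and review the diff rather than overwriting the live file blindly."""
    root = ET.fromstring(server_xml)
    changed = 0
    for conn in root.iter("Connector"):
        if conn.get("port") == str(port):
            conn.set("address", address)
            changed += 1
    if changed == 0:
        raise ValueError(f"no Connector with port={port} found")
    return ET.tostring(root, encoding="unicode")


def connector_address(server_xml: str, port: int = 8080) -> Optional[str]:
    """Address attribute of the Connector on `port`; None means all interfaces."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("port") == str(port):
            return conn.get("address")
    return None


# Constructed sample in the layout `ss -ltn` prints: state, queues, local, peer.
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      100    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    [::]:80             [::]:*"""


def _split_local(local: str):
    """Split '127.0.0.1:8080' or '[::]:80' into (host, port)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def non_loopback_listeners(ss_output: str, port: int) -> List[str]:
    """Local addresses listening on `port` that other hosts could reach.
    Wildcards ('*', 0.0.0.0, ::) count as exposed; 127.0.0.1 and ::1 do not."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, lport = _split_local(fields[3])
        if lport != port:
            continue
        if host in ("*", "") or not ipaddress.ip_address(host).is_loopback:
            exposed.append(host)
    return exposed


if __name__ == "__main__":
    print(bind_connector_to_loopback(SAMPLE_SERVER_XML))
    exposed = non_loopback_listeners(SAMPLE_SS_OUTPUT, 8080)
    print("port 8080 exposed on:", exposed or "nothing (loopback only)")
```

On a real host the second half is run against the actual `ss -ltn` (or `netstat -ltn`) output after Tomcat restarts; an empty result for 8080 confirms the bind took effect, while a 0.0.0.0 or :: entry means the Connector edit did not land on the port Jenkins is actually served from (or a second listener, such as Jenkins' own built-in server, is still up).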