Protect Jenkins with nginx http auth except callback url
Problem description
I installed Jenkins on my server and I want to protect it with nginx http auth so that requests to:
http://my_domain.com:8080
http://ci.my_domain.com
will be protected except one location:
http://ci.my_domain.com/job/my_job/build
needed to trigger a build. I am kinda new to nginx so I am stuck with the nginx config for that.
upstream jenkins {
    server 127.0.0.1:8080;
}
server {
    listen x.x.x.x:8080;
    server_name *.*;
    location '/' {
        proxy_pass http://jenkins;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        auth_basic "Restricted";
        auth_basic_user_file /path/.htpasswd;
    }
}
I tried something like the above config, but when I visit http://my_domain.com:8080 there is no http auth.
Recommended answer
Finally I figured out how to solve this problem. First we need to uncheck the "Enable security" option on the Manage Jenkins page. With security disabled we can trigger our jobs with requests like http://ci.your_domain.com/job/job_name/build.
If you want to add a token to the trigger URL, we need to Enable Security, choose "Project-based Matrix Authorization Strategy" and give Admin rights to the Anonymous user. After that, the Configure page of your project will have a "Trigger builds remotely" option where you can specify a token, so your request will look like JENKINS_URL/job/onru/build?token=TOKEN_NAME
So with security disabled we need to protect http://ci.your_domain.com with nginx http_auth, except URLs like '/job/job_name/build'.
And of course we need to hide port 8080 from external requests. Since my server is on Ubuntu I can use the iptables firewall:
iptables -A INPUT -p tcp --dport 8080 -s localhost -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
But! On Ubuntu (I am not sure about other Linux OSes) the iptables rules will disappear after reboot. So we need to save them with:
iptables-save
And it is not the end. With this command we just get a file with iptables. On startup we need to load iptables, and the easiest way is to use the 'iptables-persistent' package:
sudo apt-get install iptables-persistent
iptables-save > /etc/iptables/rules
Take a closer look at iptables if needed https://help.ubuntu.com/community/IptablesHowTo#Saving_iptables and good luck with Jenkins!
And there is a good example for running Jenkins on a subdomain of your server: https://wiki.jenkins-ci.org/display/JENKINS/Running+Hudson+behind+Nginx
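One way to write the nginx side of the setup described in the answer (an added example, not code from the original answer): basic auth is the default for the whole virtual host and is switched off only for the exact build-trigger path. The port-80 listener, the ci.your_domain.com server name and the 192.0.2.0/24 allow range are assumptions; replace them with your own values.

```nginx
# Added example, not from the original answer. Assumptions: Jenkins listens on
# 127.0.0.1:8080, the htpasswd file is at /path/.htpasswd (path from the
# question), and 192.0.2.0/24 is a placeholder for the callback sender's range.
upstream jenkins {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name ci.your_domain.com;

    # Shared proxy settings, inherited by both locations below.
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect off;

    # Default: everything requires HTTP basic auth.
    auth_basic "Restricted";
    auth_basic_user_file /path/.htpasswd;

    location / {
        proxy_pass http://jenkins;
    }

    # Exception: only the exact build-trigger path of a job skips basic auth.
    # The anchored regex keeps /job/<name>/configure, /script, etc. protected.
    location ~ ^/job/[^/]+/build$ {
        auth_basic off;

        # Optional hardening (assumption): accept triggers only from the
        # service that sends the callback.
        allow 192.0.2.0/24;
        deny all;

        proxy_pass http://jenkins;
    }
}
```

Location matching ignores the query string, so a request with ?token=TOKEN_NAME still hits the exempt location, while any other Jenkins path falls through to the authenticated default.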