Question: How can I put Jenkins behind Nginx reverse proxy and Let’s Encrypt SSL certificate?. Jenkins is a powerful open source automation server built for automating repetitive tasks and to fasten continuous integration and delivery of Applications.

This short tutorial will discuss how you can configure Nginx to work as reverse Proxy for Jenkins server. The assumption is that you have a working Jenkins server, but our guides can be of help setting up Jenkins Server.

How to install Jenkins on CentOS 7, CentOS 8, Ubuntu, Arch Linux.

Step 1: Install Nginx web server

You need to start by installing Nginx Web server on your Linux Distribution. Here are the commands for installing Nginx on common Linux distributions.

# CentOS / RHEL
sudo yum -y install nginx vim

# Fedora
sudo dnf -y install nginx vim

# Ubuntu / Debian
sudo apt update
sudo apt install nginx vim

Step 2: Install Cerbot Certificate generation tool

Next is the installation of Certbot tool that is used to obtain Let’s Encrypt SSL certificate. Download and install certbot-auto command line tool.

# Ubuntu / Debian
sudo apt update
sudo apt install certbot
sudo apt install python3-certbot-nginx
# Python 2
sudo apt install python2-certbot-nginx

# Fedora
sudo dnf install certbot python2-certbot-nginx

# CentOS 8 / Rocky Linux 8
sudo dnf -y install epel-release
sudo yum -y install certbot python3-certbot-nginx
 
# CentOS 7
sudo yum -y install epel-release
sudo yum -y install certbot python2-certbot-nginx

Check if working:

$ certbot --version
certbot 0.40.0

Step 3: Configure Nginx for Jenkins Server

After installing Nginx web server we can start creating VirtualHost configuration file:

sudo vim /etc/nginx/conf.d/jenkins.conf

Paste and modify below configurations in the file created:

################################################
# Jenkins Nginx Proxy configuration
#################################################
upstream jenkins {
  server 127.0.0.1:8080 fail_timeout=0;
}

server {
  listen 80;
  server_name jenkins.example.com;

  location / {
    proxy_set_header        Host $host:$server_port;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_pass              http://jenkins;
    # Required for new HTTP-based CLI
    proxy_http_version 1.1;
    proxy_request_buffering off;
    proxy_buffering off; # Required for HTTP-based CLI to work over SSL
  }
}

Replace:

  • jenkins.example.com with your Jenkins server domain name as configured in DNS server

Validate your Nginx configuration:

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Start nginx service if no syntax errors:

sudo systemctl enable --now nginx
sudo systemctl restart nginx

Step 4: Secure Jenkins Server With Let’s Encrypt SSL

You need a working DNS for the domain or subdomain used by the Jenkins server. In my demonstration, I’m using jenkins.computingforgeeks.com.

You also need to open port 80 to be able to get the certificate, but only if you have an active firewall.

# CentOS / Rocky Linux / RHEL / Fedora
sudo firewall-cmd --add-service={http,https} --permanent
sudo firewall-cmd --reload


# Ubuntu / Debian
sudo ufw allow proto tcp from any to any port 80,443
sudo ufw status

Once that is done, get Let’s Encrypt Certificate. But first save required details:

  • Domain name
  • Email address that receive certificate expiry message
export DOMAIN="jenkins.example.com"
export ALERTS_EMAIL="[email protected]"

Then proceed to request Let’s Encrypt SSL certificate for your Jenkins Server:

sudo certbot --nginx --redirect -d $DOMAIN --preferred-challenges http --agree-tos -n -m $ALERTS_EMAIL --keep-until-expiring

Sample output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jenkins.example.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/jenkins.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/jenkins.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://jenkins.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=jenkins.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/jenkins.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/jenkins.example.com/privkey.pem
   Your cert will expire on 2021-10-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

This will automatically modify nginx configuration to include SSL settings and redirection of http traffic to https.

Automatically Renew Let’s Encrypt Certificates

Let’s Encrypt certificates expire after 90 days. Let’s add a cron job for automatic renewals.

sudo crontab -e

Add certbot command to run daily:

0 12 * * * /usr/bin/certbot renew --quiet

All installed certificates will be automatically renewed and reloaded.

Step 5: Access Jenkins Web Interface

Access Jenkins web interface on http://jenkins.example.com.

Jenkins login https

The Jenkins Dashboard should show after login.

jenkins over https ssl

You have successfully configured Nginx as Reverse proxy to Jenkins server with Let’s Encrypt SSL certificate.

Recommended Udemy Courses To Learn Jenkins:

Other Jenkins related Articles:

How to Manage Users and Roles in Jenkins

Running Jenkins Server in Docker Container with Systemd

Your support is our everlasting motivation,
that cup of coffee is what keeps us going!


As we continue to grow, we would wish to reach and impact more people who visit and take advantage of the guides we have on our blog. This is a big task for us and we are so far extremely grateful for the kind people who have shown amazing support for our work over the time we have been online.

Thank You for your support as we work to give you the best of guides and articles. Click below to buy us a coffee.

LEAVE A REPLY

Please enter your comment!
Please enter your name here