{"id":922,"date":"2015-04-06T10:14:18","date_gmt":"2015-04-06T08:14:18","guid":{"rendered":"http:\/\/www.h-hennes.fr\/blog\/?p=922"},"modified":"2015-04-06T10:14:18","modified_gmt":"2015-04-06T08:14:18","slug":"securiser-lacces-a-jenkins","status":"publish","type":"post","link":"https:\/\/www.h-hennes.fr\/blog\/2015\/04\/06\/securiser-lacces-a-jenkins\/","title":{"rendered":"S\u00e9curiser l’acc\u00e8s \u00e0 jenkins"},"content":{"rendered":"

Cet article fait suite \u00e0 l’article suivant : Mise en place d’une plateforme d’int\u00e9gration continue ( partie 2) <\/a><\/p>\n

Une fois jenkins install\u00e9, celui-ci est disponible pour tout le monde et par d\u00e9faut via l’ip de votre serveur sur le port 8080
\nEn tapant http:\/\/ip-de-votre-serveur:8080 , n’importe qui visualisera donc les projets jenkins.<\/p>\n

Pour s\u00e9curiser cela, nous allons mettre en place un reverse-proxy apache, qui communiquera avec le serveur jenkins.
\nNous pourrons ainsi mettre en place une authentification basique htaccess \/ htpassword pour limiter les acc\u00e8s.
\n( Cela n\u00e9cessite donc l’installation d’apache au pr\u00e9alable)<\/p>\n

Dans mon exemple, je souhaite que le sous-domaine http:\/\/ci.example.com<\/em> renvoie vers jenkins.
\n(Il faut donc au pr\u00e9alable faire pointer ce sous-domaine sur votre serveur )<\/p>\n

Configuration du proxy<\/strong><\/p>\n

Pour commencer il faut activer le mode proxy et proxy_http d’apache, en saisissant les commandes suivantes<\/p>\n

sudo a2enmod proxy\r\nsudo a2enmod proxy_http\r\n<\/pre>\n
Passons ensuite \u00e0 la cr\u00e9ation du fichier de notre vhost dans \/etc\/apache2\/sites-availables\/ cr\u00e9ons un fichier jenkins.conf
\nDans lequel nous allons mettre le contenu suivant<\/p>\n
<VirtualHost *:80>\r\nServerName ci.example.com\r\nProxyPass\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\u00a0\u00a0 http:\/\/localhost:8080\/ nocanon\r\nProxyPassReverse \/\u00a0\u00a0 http:\/\/localhost:8080\/\r\nProxyPreserveHost on\r\nAllowEncodedSlashes NoDecode\r\n<Proxy *>\r\nOrder deny,allow\r\nAllow from all\r\n<\/Proxy>\r\n<\/VirtualHost>\r\n<\/pre>\n
activer le vhost<\/p>\n
sudo a2ensite jenkins\r\n<\/pre>\n
Pour finir red\u00e9marrer apache<\/p>\n
sudo service apache2 restart\r\n<\/pre>\n
Testez l’url http:\/\/ci.example.com<\/em> dans votre navigateur, et celle-ci doit bien renvoyer vers votre serveur jenkins.<\/p>\n
 <\/p>\n
S\u00e9curisation des acc\u00e8s.<\/strong><\/p>\n
Notre vhost est \u00e0 pr\u00e9sent en place, mais jenkins est toujours accessible sans restriction via les urls : http:\/\/ci.example.com<\/em> et http:\/\/ip-de-votre-serveur:8080<\/em><\/p>\n
Nous allons donc mettre en place une authentification avant l’affichage du domaine ci.example.com<\/p>\n
Notre fichier htacces sera situ\u00e9 dans \/home
\nCr\u00e9ons un utilisateur \u00ab\u00a0jenkins\u00a0\u00bb avec le mot de passe souhait\u00e9<\/p>\n
sudo htpasswd -c \/home\/.htpasswd jenkins<\/pre>\n
Puis il faut mettre \u00e0 jour le fichier de configuration apache pour prendre en compte cette restriction.<\/p>\n
ServerName ci.example.com\r\nProxyPass\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\u00a0\u00a0 http:\/\/localhost:8080\/ nocanon\r\nProxyPassReverse \/\u00a0\u00a0 http:\/\/localhost:8080\/\r\nProxyPreserveHost on\r\nAllowEncodedSlashes NoDecode\r\n<Proxy *>\r\nAuthType basic\r\nAuthName \"jenkins\"\r\nAuthBasicProvider file\r\nAuthUserFile \"\/home\/.htpasswd\"\r\nRequire valid-user\r\n<\/Proxy>\r\n<\/VirtualHost>\r\n<\/pre>\n
Recharger la configuration d’apache pour prendre en compte ces nouveaux param\u00e8tres.<\/p>\n
sudo service apache2 reload<\/pre>\n
Un mot de passe vous sera \u00e0 pr\u00e9sent demand\u00e9 pour acc\u00e9der \u00e0 l’adresse http:\/\/ci.example.com<\/em><\/p>\n
Nous allons maintenant limiter les acc\u00e8s \u00e0 jenkins uniquement depuis le localhost pour ne plus permettre d’y acc\u00e9der depuis l’adresse http:\/\/ip-de-votre-serveur:8080<\/em>
\nPour cela editer le fichier \/etc\/default\/jenkins\/<\/p>\n
sudo vim \/etc\/default\/jenkins<\/pre>\n
Dans la derni\u00e8re ligne JENKINS_ARGS rajouter l’option suivante : – -httpListenAddress=127.0.0.1
\nCe qui vous donnera par exemple la configuration suivante :<\/p>\n
JENKINS_ARGS=\"--webroot=$JENKINS_RUN\/war --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT --httpListenAddress=127.0.0.1\"\r\n<\/pre>\n
Red\u00e9marrer jenkins<\/p>\n
sudo service jenkins restart<\/pre>\n
Vous pouvez \u00e0 pr\u00e9sent constater que jenkins n’est plus accessible depuis l’adresse\u00a0 http:\/\/ip-de-votre-serveur:8080 , mais uniquement depuis le sous-domaine.<\/p>\n
L’acc\u00e8s \u00e0 jenkins est donc uniquement possible depuis le sous-domaine pr\u00e9c\u00e9demment cr\u00e9\u00e9 et prot\u00e9g\u00e9 par un mot de passe.<\/p>\n","protected":false},"excerpt":{"rendered":"
Cet article fait suite \u00e0 l’article suivant : Mise en place d’une plateforme d’int\u00e9gration continue ( partie 2) Une fois jenkins install\u00e9, celui-ci est disponible pour tout le monde et par d\u00e9faut via l’ip de votre serveur sur le port 8080 En tapant http:\/\/ip-de-votre-serveur:8080 , n’importe qui visualisera donc les projets jenkins. Pour s\u00e9curiser cela, […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[254],"tags":[339,335,340],"class_list":["post-922","post","type-post","status-publish","format-standard","hentry","category-serveurs-dedies","tag-htacess","tag-jenkins","tag-reverse-proxy"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/posts\/922","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/comments?post=922"}],"version-history":[{"count":2,"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/posts\/922\/revisions"}],"predecessor-version":[{"id":924,"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/posts\/922\/revisions\/924"}],"wp:attachment":[{"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/media?parent=922"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/categories?post=922"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.h-hennes.fr\/blog\/wp-json\/wp\/v2\/tags?post=922"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}