akaron · November 10, 2020 15:36
diff --git a/jenkins b/jenkins
 # nginx configuration for a reverse proxy for an existing jenkins, with SSL enabled
 # modified from https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-nginx/
 # Steps:
 # 0. confirm jenkins is running; confirm a domain name is properly configured (apicat.xyz in this example)
 #    - for instance, add the domain in aws route 53 or DO domain
 #    - then add the NS record (aws or DO or others) back to where you register the domain (namecheap/godaddy/...)
 #    - this may take some time (at least several minutes)
 # 1. Put these config to nginx configuration (such as a new file in /etc/nginx/nginx-sites-enabled or append to /etc/nginx/nginx.conf)
 # 2. update config if necessary: jenkins ip and port, root directories, server_name.
 #   - run `sudo nginx -t` to verify the file
 #   - run `mkdir -p /var/log/nginx/jenkins/` to create the directory for logs
 # 3. Follow the instruction in https://certbot.eff.org/lets-encrypt to generate cert
 # 4. run `sudo nginx -t`, if no problem, run `sudo nginx -s reload`
 # 

 upstream jenkins {
  keepalive 32; # keepalive connections
  server 127.0.0.1:8080; # jenkins ip and port
 }

 # Required for Jenkins websocket agents
 map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
 }

 server {
  # listen          80;       # Listen on port 80 for IPv4 requests
  listen          443 ssl;

  server_name     apicat.xyz;

  # this is the jenkins web root directory
  # (mentioned in the /etc/default/jenkins file)
  root            /var/jenkins_home/war/;

  access_log      /var/log/nginx/jenkins/access.log;
  error_log       /var/log/nginx/jenkins/error.log;
  # pass through headers from Jenkins that Nginx considers invalid
  ignore_invalid_headers off;

  # only allow secure SSL protocols and ciphers
    ssl_certificate /etc/letsencrypt/live/apicat.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/apicat.xyz/privkey.pem; # managed by Certbot
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on; 
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
  #ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  # ssl_ciphers from https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_session_timeout 1d; 
  ssl_session_cache shared:SSL:50m;
  ssl_stapling on; 
  ssl_stapling_verify on; 
  add_header Strict-Transport-Security max-age=15768000;

  location ~ "^/static/[0-9a-fA-F]{8}\/(.*)$" {
    #rewrite all static files into requests to the root
    #E.g /static/12345678/css/something.css will become /css/something.css
    rewrite "^/static/[0-9a-fA-F]{8}\/(.*)" /$1 last;
  }

  location /userContent {
    # have nginx handle all the static requests to userContent folder
    #note : This is the $JENKINS_HOME dir
    root /var/jenkins_home/;
    if (!-f $request_filename){
      #this file does not exist, might be a directory or a /**view** url
      rewrite (.*) /$1 last;
      break;
    }
    sendfile on;
  }

  location / {
      sendfile off;
      proxy_pass         http://jenkins;
      proxy_redirect     default;
      proxy_http_version 1.1;

      # Required for Jenkins websocket agents
      proxy_set_header   Connection        $connection_upgrade;
      proxy_set_header   Upgrade           $http_upgrade;

      proxy_set_header   Host              $host;
      proxy_set_header   X-Real-IP         $remote_addr;

      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Host $server_name;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header X-Forwarded-Port 443;

      proxy_max_temp_file_size 0;

      #this is the maximum upload size
      client_max_body_size       10m;
      client_body_buffer_size    128k;

      proxy_connect_timeout      90;
      proxy_send_timeout         90;
      proxy_read_timeout         90;
      proxy_buffering            off;
      proxy_request_buffering    off; # Required for HTTP CLI commands
      proxy_set_header Connection ""; # Clear for keepalive
  }


 }
	# nginx configuration for a reverse proxy for an existing jenkins, with SSL enabled
	# modified from https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-nginx/
	# Steps:
	# 0. confirm jenkins is running; confirm a domain name is properly configured (apicat.xyz in this example)
	# - for instance, add the domain in aws route 53 or DO domain
	# - then add the NS record (aws or DO or others) back to where you register the domain (namecheap/godaddy/...)
	# - this may take some time (at least several minutes)
	# 1. Put these config to nginx configuration (such as a new file in /etc/nginx/nginx-sites-enabled or append to /etc/nginx/nginx.conf)
	# 2. update config if necessary: jenkins ip and port, root directories, server_name.
	# - run `sudo nginx -t` to verify the file
	# - run `mkdir -p /var/log/nginx/jenkins/` to create the directory for logs
	# 3. Follow the instruction in https://certbot.eff.org/lets-encrypt to generate cert
	# 4. run `sudo nginx -t`, if no problem, run `sudo nginx -s reload`
	#

	upstream jenkins {
	keepalive 32; # keepalive connections
	server 127.0.0.1:8080; # jenkins ip and port
	}

	# Required for Jenkins websocket agents
	map $http_upgrade $connection_upgrade {
	default upgrade;
	'' close;
	}

	server {
	# listen 80; # Listen on port 80 for IPv4 requests
	listen 443 ssl;

	server_name apicat.xyz;

	# this is the jenkins web root directory
	# (mentioned in the /etc/default/jenkins file)
	root /var/jenkins_home/war/;

	access_log /var/log/nginx/jenkins/access.log;
	error_log /var/log/nginx/jenkins/error.log;
	# pass through headers from Jenkins that Nginx considers invalid
	ignore_invalid_headers off;

	# only allow secure SSL protocols and ciphers
	ssl_certificate /etc/letsencrypt/live/apicat.xyz/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/apicat.xyz/privkey.pem; # managed by Certbot
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_prefer_server_ciphers on;
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
	#ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	# ssl_ciphers from https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	ssl_stapling on;
	ssl_stapling_verify on;
	add_header Strict-Transport-Security max-age=15768000;

	location ~ "^/static/[0-9a-fA-F]{8}\/(.*)$" {
	#rewrite all static files into requests to the root
	#E.g /static/12345678/css/something.css will become /css/something.css
	rewrite "^/static/[0-9a-fA-F]{8}\/(.*)" /$1 last;
	}

	location /userContent {
	# have nginx handle all the static requests to userContent folder
	#note : This is the $JENKINS_HOME dir
	root /var/jenkins_home/;
	if (!-f $request_filename){
	#this file does not exist, might be a directory or a /view url
	rewrite (.*) /$1 last;
	break;
	}
	sendfile on;
	}

	location / {
	sendfile off;
	proxy_pass http://jenkins;
	proxy_redirect default;
	proxy_http_version 1.1;

	# Required for Jenkins websocket agents
	proxy_set_header Connection $connection_upgrade;
	proxy_set_header Upgrade $http_upgrade;

	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;

	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Host $server_name;
	proxy_set_header X-Forwarded-Proto https;
	proxy_set_header X-Forwarded-Port 443;

	proxy_max_temp_file_size 0;

	#this is the maximum upload size
	client_max_body_size 10m;
	client_body_buffer_size 128k;

	proxy_connect_timeout 90;
	proxy_send_timeout 90;
	proxy_read_timeout 90;
	proxy_buffering off;
	proxy_request_buffering off; # Required for HTTP CLI commands
	proxy_set_header Connection ""; # Clear for keepalive
	}


	}