3

I have a winstone server (Jenkins) listening on 8443. Jenkins has a valid cert, and Jenkins is doing the cert termination successfully:

JENKINS_ARGS="--httpPort=-1 --httpsKeyStore=/secure/jenkins.keystore --httpsKeyStorePassword=MY_PASSWORD --httpsPort=8443"

The only problem is that users now have to go: https://example.com:8443

I don't want that port number in the URL. I want:

https://example.com:8443 -> https://example.com
https://example.com      -> https://example.com
http://example.com       -> https://example.com

So I figure I'll run nginx on the same instance that is running Jenkins.

So my question is:

  1. Do I have to reconfigure jenkins to NOT do cert termination so that nginx does it only?
  2. Can nginx redirect 80 and 443 to localhost:8443 without a cert (Since Jenkins is doing cert termination)?
  3. Do BOTH nginx AND Jenkins need to do cert termination?

Sorry for those similar questions.

I'm pretty sure an AWS ELB cannot replace what nginx is doing here, but I thought I'd throw it out there, in case an ELB can solve this for me too.

grayaii
  • 2,241
  • 7
  • 31
  • 47

1 Answers1

5

1) No, you can have Nginx Stream the connection directly to the Jenkins using the Stream Module.

Do note this was added in 1.9.0 but is not part of the default build so you might have to build it yourself.

It works a lot like an http server block but you have to set it up outside of the http block.

stream {
    upstream jenkins_server {
        server jenkins:443;
    }

    server {
        listen 443;
        proxy_pass jenkins_server;
    }
}

2) You do not need a cert on nginx but you should have a http server block for port 80 that does a 301 to the 443 stream talked about in answer part 1.

server {
    listen 80;
    server_name your_server_name_here;
    return 301 https://$host$request_uri;
}

3) No, you don't as you can use the nginx stream to passthru the ssl from the client to the Jenkins server.

Shawn C.
  • 6,446
  • 3
  • 34
  • 38