Configuring HTTPS for Jenkins on the All-in-One Server

In my last blog post I registered a new domain name and installed a Let’s Encrypt certificate to configure HTTPS, but now I reconfigured it so Jenkins would be secured too and could be reached on https://imade-aserver.xyz/jenkins.

Updating the config file for HTTP

I used the Jenkins documentation to configure Jenkins to work with HTTPS. The config file I created when installing Apache needs to be updated to redirect all traffic to https:

sudo nano /etc/apache2/sites-available/imade-aserver.xyz.conf
<VirtualHost *:80>
    ServerName imade-aserver.xyz
    Redirect permanent / https://imade-aserver.xyz/
</VirtualHost>

Updating the config file for HTTPS

There is actually a separate config file for the https portion of the VirtualHost configuration:

sudo nano /etc/apache2/sites-available/imade-aserver.xyz-le-ssl.conf
<IfModule mod_ssl.c>
	<VirtualHost *:443>
	    ServerAdmin webmaster@localhost
	    ServerName imade-aserver.xyz
	    ServerAlias www.imade-aserver.xyz
	    ProxyPreserveHost On
	    ProxyRequests Off
	    AllowEncodedSlashes NoDecode
	
	    <Proxy *>
	      Order deny,allow
	      Allow from all
	    </Proxy>
	
	    ProxyPass /jenkins http://127.0.0.1:8080/jenkins nocanon
	    ProxyPassReverse /jenkins http://127.0.0.1:8080/jenkins
	    ProxyPassReverse /jenkins http://imade-aserver.xyz/jenkins
	
	    ProxyPass / http://127.0.0.1:3000/
	    ProxyPassReverse / http://127.0.0.1:3000/
	    ErrorLog ${APACHE_LOG_DIR}/error.log
	    CustomLog ${APACHE_LOG_DIR}/access.log combined
	
	    Include /etc/letsencrypt/options-ssl-apache.conf
	    SSLCertificateFile /etc/letsencrypt/live/imade-aserver.xyz/fullchain.pem
	    SSLCertificateKeyFile /etc/letsencrypt/live/imade-aserver.xyz/privkey.pem
	</VirtualHost>
</IfModule>

After making changes to the Apache configuration I had to restart Apache:

sudo systemctl restart apache2

Update the Jenkins arguments

The jenkins arguments needed to be updated to listen to requests from localhost and configure it to be located at the subdirectory /jenkins.

sudo nano /etc/default/jenkins

This is only the very last argument, I left the rest of the file as default:

JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --httpListenAddress=127.0.0.1 --prefix=/jenkins

After making changes to the Jenkins configuration I also had to restart Jenkins:

sudo systemctl restart jenkins

Configure Jenkins’ location in its own settings

I went to Jenkins > Manage Jenkins > Configure System and updated the location to be the subdirectory:

Jenkins Location

Delete the firewall rule for port 8080

Now that I’m accessing Jenkins from behind the apache firewall, I don’t want the default jenkins port to be exposed anymore so I deleted the ufw rule.

sudo ufw delete allow 8080
sudo ufw status
			Status: active
			
			To                         Action      From
			--                         ------      ----
			OpenSSH                    ALLOW       Anywhere
			Apache Full                ALLOW       Anywhere
			OpenSSH (v6)               ALLOW       Anywhere (v6)
			Apache Full (v6)           ALLOW       Anywhere (v6)

Accessing the Node-App and Jenkins

After the above configuration I can now access the Node App at: https://imade-aserver.xyz and jenkins at https://imade-aserver.xyz/jenkins and if I try accessing either of them through standard HTTP it will redirect to HTTPS. It also works at www.imade-aserver.xyz!

Avoiding the Jenkins “Reverse Proxy is Broken” error

So after setting up the above I got an error message It appears that your reverse proxy setup is broken:

Reverse Proxy is Broken

I found from this link that I needed to add the RequestHeader parameters to the /etc/apache2/sites-available/imade-aserver.xyz-le-ssl.conf file, here is the completed file:

<IfModule mod_ssl.c>
	<VirtualHost *:443>
	    ServerAdmin webmaster@localhost
	    ServerName imade-aserver.xyz
	    ServerAlias www.imade-aserver.xyz
	    ProxyPreserveHost On
	    ProxyRequests Off
	    AllowEncodedSlashes NoDecode
	
	    <Proxy *>
	      Order deny,allow
	      Allow from all
	    </Proxy>
	
	    ProxyPass /jenkins http://127.0.0.1:8080/jenkins nocanon
	    ProxyPassReverse /jenkins http://127.0.0.1:8080/jenkins
	    ProxyPassReverse /jenkins http://imade-aserver.xyz/jenkins
	
	    ProxyPass / http://127.0.0.1:3000/
	    ProxyPassReverse / http://127.0.0.1:3000/
	    ErrorLog ${APACHE_LOG_DIR}/error.log
	    CustomLog ${APACHE_LOG_DIR}/access.log combined
	
	    Include /etc/letsencrypt/options-ssl-apache.conf
	    SSLCertificateFile /etc/letsencrypt/live/imade-aserver.xyz/fullchain.pem
	    SSLCertificateKeyFile /etc/letsencrypt/live/imade-aserver.xyz/privkey.pem

	    RequestHeader set X-Forwarded-Proto "https"
	    RequestHeader set X-Forwarded-Port "443"
	</VirtualHost>
</IfModule>

Now there are no errors in Jenkins and I can access both Jenkins and the Node-App over HTTPS!