TL;DR
In this post I will share several security tips for Jenkins and Nexus, and show how to put both of them behind the same nginx reverse proxy.
Context
You have a limited budget of 60 US$/month and you need Jenkins and Nexus as part of your continuous integration (CI) environment.
Must have
Because Jenkins can do a lot of “things” with your server, a hacker can do a lot of nasty things using your CI environment. Here is a minimal security configuration that COULD help make a hacker's job not so easy.
Precondition knowledge
You know what Jenkins, Nginx and Nexus are.
You need to have:
- Simple HTTP authentication with a strong password
- nginx as a reverse proxy that will terminate HTTPS
- a real HTTPS certificate
Nexus and Jenkins behind the same nginx
Google offered nginx reverse proxy solutions for Jenkins and Nexus separately, so I needed to add value and give this blog post back to the community.
Here is the gist:
In this configuration, Jenkins will be available at the `/jenkins` route, and Nexus at `/`.
So you need to set up Jenkins to use the `/jenkins` route by default. In `/etc/default/jenkins`, add the `--prefix` option to the last line:
JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --httpListenAddress=127.0.0.1 --prefix=/jenkins"
I could not find that option for Nexus 3.0, so Nexus was delivered at `/`.
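
An nginx server block matching the layout described above (HTTPS terminated at nginx, HTTP authentication in front, Jenkins at `/jenkins`, Nexus at `/`), as an added example rather than the author's gist. The host name `ci.example.com`, the certificate and htpasswd paths, and the backend ports (8080 for Jenkins, 8081 for Nexus) are assumptions to replace with your own values.

```nginx
# Added example. Placeholders/assumptions: ci.example.com, the certificate
# paths, the htpasswd path, and the backend ports (Jenkins 8080, Nexus 8081).

# Redirect plain HTTP so credentials are never sent in clear text.
server {
    listen 80;
    server_name ci.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name ci.example.com;

    # TLS terminates here; the backends only speak HTTP on loopback.
    ssl_certificate     /etc/ssl/certs/ci.example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/ci.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Simple HTTP authentication in front of both applications.
    auth_basic           "CI";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Tell the backends the original host, client address and scheme.
    # Defined once here; both locations inherit these because they set
    # no proxy_set_header of their own.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Jenkins: started with --prefix=/jenkins and bound to 127.0.0.1, so the
    # path is passed through unchanged (no URI part after the port).
    location /jenkins {
        proxy_pass http://127.0.0.1:8080;
    }

    # Nexus: no prefix, so it takes everything else.
    location / {
        proxy_pass http://127.0.0.1:8081;
        client_max_body_size 1g;   # assumption: allow large artifact uploads
    }
}
```

Run `nginx -t` to validate the file before reloading, and confirm from another machine that the backend ports do not answer directly, so every request has to pass through the proxy.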