"Jenkins" - Reverse proxying the Jenkins service with Nginx

  CREATED BY JENKINSBOT

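Configuration file

For details, see the official "Running Jenkins behind Nginx" documentation.

Below is the configuration file (copied directly; we have not studied it in depth):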

upstream jenkins {
  keepalive 32; # keepalive connections
  server 127.0.0.1:8080; # jenkins ip and port
}

server {
  listen          80;       # Listen on port 80 for IPv4 requests

  server_name     jenkins.example.com;

  #this is the jenkins web root directory (mentioned in the /etc/default/jenkins file)
  root            /var/run/jenkins/war/;

  access_log      /var/log/nginx/jenkins/access.log;
  error_log       /var/log/nginx/jenkins/error.log;
  ignore_invalid_headers off; #pass through headers from Jenkins which are considered invalid by Nginx server.

  location ~ "^/static/[0-9a-fA-F]{8}\/(.*)$" {
    #rewrite all static files into requests to the root
    #E.g /static/12345678/css/something.css will become /css/something.css
    rewrite "^/static/[0-9a-fA-F]{8}\/(.*)" /$1 last;
  }

  location /userContent {
    #have nginx handle all the static requests to the userContent folder files
    #note : This is the $JENKINS_HOME dir
    root /var/lib/jenkins/;
    if (!-f $request_filename){
      #this file does not exist, might be a directory or a /**view** url
      rewrite (.*) /$1 last;
      break;
    }
    sendfile on;
  }

  location / {
      sendfile off;
      proxy_pass         http://jenkins;
      proxy_redirect     default;
      proxy_http_version 1.1;

      proxy_set_header   Host              $host;
      proxy_set_header   X-Real-IP         $remote_addr;
      proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
      proxy_set_header   X-Forwarded-Proto $scheme;
      proxy_max_temp_file_size 0;

      #this is the maximum upload size
      client_max_body_size       10m;
      client_body_buffer_size    128k;

      proxy_connect_timeout      90;
      proxy_send_timeout         90;
      proxy_read_timeout         90;
      proxy_buffering            off;
      proxy_request_buffering    off; # Required for HTTP CLI commands in Jenkins > 2.54
      proxy_set_header Connection ""; # Clear for keepalive
  }

}

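Common problems

After reverse proxying, HTTP Basic authentication prompts repeatedly

Problem description:
To improve security, after putting Jenkins behind an Nginx reverse proxy we also configured HTTP Basic Authentication in Nginx, but the authentication dialog kept popping up.
For the HTTP Basic Authentication configuration, see the article "Restricting Access with HTTP Basic Authentication".

Cause:
Requesting with curl (curl --user user:password http://) returns a 401 authentication-failure page, and that page is returned by Jenkins (it contains Jetty…… and similar content).
After changing the Jenkins debug level and enabling the access log, requests that failed with 401 appear in the request log.
The front-end Nginx passes the Authorization request header on to the Jenkins service, but Jenkins has no authentication configured, so authentication fails.
In fact, we do not need to pass the Authorization header to the Jenkins service at all.

Solution:
Modify the Nginx configuration file to remove the Authorization header when forwarding: proxy_set_header Authorization "";
Setting a header to an empty value removes it; see the official documentation: "Module ngx_http_proxy_module/proxy_set_header".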
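
The fix applied to the "location /" block from the configuration above, as an added example (not from the original page or the Jenkins documentation). The realm string and the htpasswd path are assumed placeholders; every other directive is copied from the page's configuration.

```nginx
location / {
    # Nginx challenges the client and verifies the credentials itself.
    # Assumption: realm text and password-file path are placeholders.
    auth_basic           "Jenkins (restricted)";
    auth_basic_user_file /etc/nginx/.htpasswd;

    sendfile off;
    proxy_pass         http://jenkins;
    proxy_redirect     default;
    proxy_http_version 1.1;

    proxy_set_header   Host              $host;
    proxy_set_header   X-Real-IP         $remote_addr;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto $scheme;
    proxy_set_header   Connection        "";   # Clear for keepalive

    # Without the next line, the "Authorization: Basic ..." header that the
    # browser sent for Nginx is forwarded unchanged, Jenkins answers 401,
    # and the browser shows the login dialog again.
    # An empty value means the field is not passed to the proxied server.
    # proxy_set_header is inherited from the outer level only when the
    # current level defines none, so this line must sit in the same block
    # as the other proxy_set_header lines.
    proxy_set_header   Authorization     "";

    proxy_max_temp_file_size 0;

    #this is the maximum upload size
    client_max_body_size       10m;
    client_body_buffer_size    128k;

    proxy_connect_timeout      90;
    proxy_send_timeout         90;
    proxy_read_timeout         90;
    proxy_buffering            off;
    proxy_request_buffering    off; # Required for HTTP CLI commands in Jenkins > 2.54
}
```

Because the same header carries credentials for both layers, clients that authenticate to Jenkins itself over HTTP Basic (for example with an API token) will no longer reach Jenkins with those credentials through this proxy. With "listen 80" as in the page's server block, the Basic credentials checked by Nginx travel unencrypted, so the auth_basic setup is normally paired with a TLS listener.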

References

Running Jenkins behind Nginx
Wikipedia/Basic access authentication
Hide a client request header with a Nginx reverse proxy server
How to define the basic HTTP authentication using cURL correctly?