Jenkins Configuration and User Accounts

Firewall

Open port 443 (HTTPS) by running:

    firewall-cmd --zone=public --add-port=443/tcp --permanent
    firewall-cmd --reload


mod_ssl

In order to set up SSL/TLS, enroll the host on ca.cern.ch for automatic host certificate configuration. Under Configure Host Certificates Autoenrollment, enter the hostname of the machine and enable CERN Host (2 years).
Update the host's credentials by either signing in and out, or rebooting.
The SSL certificate can be installed using the following command:

    cern-get-certificate --autoenroll

This command installs the certificate on the host machine and prints the locations of the public and private key.

Make Apache use the SSL certificate by editing the file /etc/httpd/conf.d/ssl.conf.
Under Server Certificate and Server Private Key, set the locations of the public and private key by uncommenting and editing the existing directives. After editing, they should look similar to this:

    SSLCertificateFile /etc/pki/tls/certs/<hostname>.crt
    ...
    SSLCertificateKeyFile /etc/pki/tls/private/<hostname>.key

Note that these paths have to be the same as those printed by cern-get-certificate.

Restart Apache to make the changes take effect:

    service httpd restart

Verify that SSL has been set up correctly by entering https://<hostname> in a browser. 


SSO (Single Sign-On) with Shibboleth (Internet2)


This section describes how to set up Shibboleth for Apache globally, and how to expose a GitHub proxy URL.
Make sure the host environment has the SELinux policy set to permissive by editing /etc/sysconfig/selinux: replace SELINUX=enforcing with SELINUX=permissive. Reboot the host, or run the following command to make the change take effect:

    /usr/sbin/setenforce Permissive

Enable automatic startup of Shibboleth on the host:

    /bin/systemctl enable shibd

Copy the following configuration files to the /etc/shibboleth/ directory:


Edit /etc/shibboleth/shibboleth2.xml and replace all 5 occurrences of somehost.cern.ch with your system hostname:

  • <Site id="1" name="somehost.cern.ch"/>
  • <Host name="somehost.cern.ch"/>
  • <ApplicationDefaults id="default" policyId="default" entityID="https://somehost.cern.ch/Shibboleth.sso/ADFS" homeURL="https://somehost.cern.ch" ....
  • <saml:Audience>https://somehost.cern.ch/Shibboleth.sso/ADFS</saml:Audience>


Useful resources:

https://linux.web.cern.ch/linux/centos7/docs/shibboleth.shtml


Jenkins behind Apache

To properly set up Apache as a reverse proxy in front of Jenkins, AllowEncodedSlashes needs to be set to NoDecode. This is done by adding the following line to /etc/httpd/conf.d/ssl.conf under <VirtualHost _default_:443> (note that this server will only be accessible through HTTPS):

    AllowEncodedSlashes NoDecode

Note that although directives enabled in the root configuration should apply to virtual host entries, AllowEncodedSlashes is an exception to this due to a bug, so it has to be set inside the virtual host.

Edit /etc/httpd/conf/httpd.conf and add the following lines at the end of the file (make sure <hostname> is replaced with the machine hostname):

    <Location />
      SSLRequireSSL
      AuthType shibboleth
      ShibRequireSession On
      ShibExportAssertion Off
      # nocanon passes the request URL through unchanged, so encoded slashes (%2F) reach Jenkins intact
      ProxyPass http://localhost:8080/ nocanon
      ProxyPassReverse http://localhost:8080/
      # In Apache 2.4, several Require lines at the same level are implicitly RequireAny,
      # so any valid Shibboleth session satisfies this block; wrap both lines in
      # <RequireAll> if the group membership is meant to be mandatory.
      Require valid-user
      Require shib-attr ADFS_GROUP "CERN Registered" "CERN Shared"
      # Tell Jenkins the external scheme and port so the links it generates use https
      RequestHeader set X-Forwarded-Proto "https"
      RequestHeader set X-Forwarded-Port "443"
      RequestHeader set Host "<hostname>"
      RequestHeader set X-Forwarded-For ""
      Header edit Location ^http://<hostname>/ https://<hostname>/
    </Location>


With exposed endpoint for GitHub

Edit /etc/httpd/conf/httpd.conf and add the following lines at the end of the file (make sure <hostname> is replaced with the machine hostname and that a random string is appended after webhook-proxy-):

    # This block carves the webhook path out of the global Shibboleth requirement:
    # "Satisfy any" together with "Allow from all" lets GitHub reach it without an SSO
    # session, so the random path suffix and mod_security (below) are what protect it.
    <Location /webhook-proxy-<random generated string>>
      Order Allow,Deny
      Allow from all
      AuthType none
      Satisfy any

      ProxyPass           http://localhost:8080/github-webhook
      ProxyPassReverse    http://localhost:8080/github-webhook
    </Location>
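As an added check (not part of the original page or of CERN's own configuration), the following shell functions verify an httpd configuration against the points above: NoDecode inside the :443 virtual host, nocanon on the root ProxyPass, a real random suffix on the webhook path, and the X-Forwarded-Proto header. They assume the virtual host name and Jenkins port shown on this page; the sample configuration written by write_sample_conf is constructed for the self-test.

```shell
# Added example: offline sanity checks for the Apache/Jenkins reverse-proxy config above.
# Assumes <VirtualHost _default_:443> and Jenkins on localhost:8080, as on this page.

# 128-bit random suffix for the webhook Location path (32 hex characters)
gen_webhook_secret() { head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# check_jenkins_proxy_conf FILE -> 0 if every check passes, 1 otherwise (names the failures)
check_jenkins_proxy_conf() {
    f=$1; rc=0
    # AllowEncodedSlashes NoDecode must sit inside the :443 vhost; it is not inherited there
    awk '/^[[:space:]]*<VirtualHost[[:space:]]+_default_:443>/ {in_vh=1}
         /^[[:space:]]*<\/VirtualHost>/ {in_vh=0}
         in_vh && $1=="AllowEncodedSlashes" && $2=="NoDecode" {ok=1}
         END {exit !ok}' "$f" || { echo "FAIL: AllowEncodedSlashes NoDecode not in :443 vhost"; rc=1; }
    # the ProxyPass to the Jenkins root must carry nocanon (keeps %2F intact)
    awk '$1=="ProxyPass" && $2=="http://localhost:8080/" && $3!="nocanon" {bad=1}
         END {exit bad+0}' "$f" || { echo "FAIL: ProxyPass to Jenkins root lacks nocanon"; rc=1; }
    # the unauthenticated webhook path needs a real random suffix, not the placeholder
    awk '/^[[:space:]]*<Location[[:space:]]+\/webhook-proxy-/ {
             s=$0; sub(/.*\/webhook-proxy-/, "", s); sub(/>.*/, "", s)
             if (length(s) >= 16 && s ~ /^[A-Za-z0-9]+$/) ok=1 }
         END {exit !ok}' "$f" || { echo "FAIL: webhook-proxy suffix missing or too weak"; rc=1; }
    # without X-Forwarded-Proto, Jenkins builds http:// links behind the TLS proxy
    grep -Eq '^[[:space:]]*RequestHeader[[:space:]]+set[[:space:]]+X-Forwarded-Proto[[:space:]]+"https"' "$f" \
        || { echo "FAIL: X-Forwarded-Proto https header missing"; rc=1; }
    return $rc
}

# Constructed sample config for a self-test: "good" follows the page, "bad" keeps the placeholder,
# drops nocanon and leaves the vhost without the AllowEncodedSlashes line.
write_sample_conf() {  # $1 = file, $2 = good|bad
    if [ "$2" = good ]; then
        slashes="  AllowEncodedSlashes NoDecode"; canon=" nocanon"; hook=$(gen_webhook_secret)
    else
        slashes="  # (missing)"; canon=""; hook="<random generated string>"
    fi
    cat >"$1" <<EOF
<VirtualHost _default_:443>
$slashes
</VirtualHost>
<Location />
  ProxyPass http://localhost:8080/$canon
  ProxyPassReverse http://localhost:8080/
  RequestHeader set X-Forwarded-Proto "https"
</Location>
<Location /webhook-proxy-$hook>
  ProxyPass http://localhost:8080/github-webhook
</Location>
EOF
}
```

Run check_jenkins_proxy_conf against the real httpd.conf and ssl.conf after editing them; each failing point is printed by name.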


Restart Jenkins and Apache:

    service httpd restart
    service jenkins restart

Since the webhook endpoint is reachable by GitHub without SSO, it should be secured using mod_security and mod_evasive:

    yum install mod_evasive mod_security git

Under /etc/httpd/modsecurity.d/, clone the owasp-modsecurity-crs repository, which contains the default rule set for mod_security:

    cd /etc/httpd/modsecurity.d/
    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git --branch v2.2/master
    # the steps below expect base_rules/ and modsecurity_crs_10_setup.conf.example
    # to end up directly in /etc/httpd/modsecurity.d/, not in a subdirectory

Enable the default configuration:

    cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
    ln -s /etc/httpd/modsecurity.d/modsecurity_crs_10_setup.conf activated_rules/modsecurity_crs_10_setup.conf

Enable default rules:

    # link every file (rules and their .data lists) from base_rules/ into activated_rules/
    for f in base_rules/*; do ln -s "/etc/httpd/modsecurity.d/$f" "activated_rules/${f#base_rules/}"; done

Some rules have to be disabled in order to allow SSO to work and to let GitHub deliver its messages. In the base_rules folder (/etc/httpd/modsecurity.d/base_rules), edit the following files and comment out the listed rule by placing # in front of each line that follows its description:

  • modsecurity_crs_21_protocol_anomalies.conf: Missing/Empty Accept Header (line 37)
  • modsecurity_crs_40_generic_attacks.conf: Heuristic Checks (line 31)

The Jenkins service should now be fully configured. Restart Apache to make changes take effect:

    service httpd restart

Verify that Jenkins is accessible through https://<hostname>/. When entering https://<hostname>/webhook-proxy-<the random string specified in httpd.conf>/ you should get an HTTP 405 Method Not Allowed with a message saying "Method POST required".

Make sure that the GitHub plugin for Jenkins is installed by going to Manage Jenkins, Manage Plugins; under the "Installed" tab there should be a GitHub plugin listed. Otherwise, install the plugin from the "Available" tab. When setting up the webhook on GitHub, specify the webhook-proxy URL as the endpoint (https://<hostname>/webhook-proxy-<the random string specified in httpd.conf>/).

Administrative configuration can be done on the manage page of the Jenkins server.


User accounts


Read access is given to all authenticated CERN accounts. Specific Jenkins accounts that can create and start new projects are created using Jenkins' own user database.
