Open port 443 (HTTPS) by running:
firewall-cmd --zone=public --add-port=443/tcp --permanent
Note that --permanent only writes the rule to the saved configuration; it does not apply to the running firewall until firewalld is reloaded (or the same command is also run once without --permanent).
In order to set up SSL/TLS, enroll the host on ca.cern.ch for automatic host certificate configuration. Under Configure Host Certificates Autoenrollment, enter the hostname of the machine and enable CERN Host (2 years).
Update the host's credentials by either signing in and out, or rebooting.
The SSL certificate can be installed using the following command:
This command installs the certificate on the host and prints the locations of the public certificate and the private key.
Make Apache use the certificate by editing /etc/httpd/conf.d/ssl.conf:
Under Server Certificate and Server Private Key, set the paths of the certificate and of the private key (the SSLCertificateFile and SSLCertificateKeyFile directives) by uncommenting and editing the existing directives. After editing, they should look similar to this:
Note that these paths have to be the same as the ones printed by cern-get-certificate, and the private key file must stay readable by root only.
Restart Apache for the changes to take effect:
service httpd restart
Verify that TLS has been set up correctly by entering https://<hostname> in a browser: the page must load over HTTPS without a certificate warning.
SSO (Single Sign-On) with Shibboleth (Internet2)
This section describes how to set up Shibboleth for Apache globally and how to expose a proxy URL for GitHub webhooks.
Make sure the host has SELinux in permissive mode by editing /etc/sysconfig/selinux: replace SELINUX=enforcing with SELINUX=permissive. Note that permissive mode switches off SELinux enforcement for the whole host, not just for Apache and shibd; denials are still written to /var/log/audit/audit.log, so the log can be used to build a targeted policy (for the reverse proxy to Jenkins alone, the httpd_can_network_connect boolean is what enforcing mode blocks) and return to enforcing mode later. Reboot the host, or run the following command to make the change take effect:
Enable automatic startup of Shibboleth on the host:
/bin/systemctl enable shibd
Copy the following configuration files to the /etc/shibboleth/ directory:
Edit /etc/shibboleth/shibboleth2.xml and replace ALL 5 occurrences of somehost.cern.ch with the system's fully qualified hostname:
- <Site id="1" name="somehost.cern.ch"/>
- <Host name="somehost.cern.ch"/>
- <ApplicationDefaults id="default" policyId="default" entityID="https://somehost.cern.ch/Shibboleth.sso/ADFS" homeURL="https://somehost.cern.ch" ....
Jenkins behind Apache
To set Apache up properly as a reverse proxy in front of Jenkins, AllowEncodedSlashes needs to be set to NoDecode: Jenkins uses %2F-encoded slashes in some of its URLs and must receive them undecoded (which is also why the ProxyPass below carries the nocanon option). Add the following line to /etc/httpd/conf.d/ssl.conf under <VirtualHost _default_:443> (note that this server will only be accessible through HTTPS):
Note that although directives enabled in the root configuration normally apply to virtual hosts, AllowEncodedSlashes is an exception: because of a bug it is not inherited and has to be set inside the virtual host itself.
Edit /etc/httpd/conf/httpd.conf and add the following lines at the end of the file (make sure <hostname> is replaced with the machine hostname). The lines are written for a <Location /> block: a ProxyPass without a path argument is only valid inside one, and Require shib-attr presumes AuthType shibboleth in the same scope:
ProxyPass http://localhost:8080/ nocanon
Require shib-attr ADFS_GROUP "CERN Registered" "CERN Shared"
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
RequestHeader set Host "<hostname>"
RequestHeader set X-Forwarded-For ""
Header edit Location ^http://<hostname>/ https://<hostname>/
With exposed endpoint for GitHub
Edit /etc/httpd/conf/httpd.conf and add the following lines at the end of the file (make sure <hostname> is replaced with the machine hostname and that a random string, generated from a cryptographically secure source, is appended after webhook-proxy; this string is the only protection on an endpoint that anyone can reach, so keep it secret and hand it to GitHub only). Note that Allow from all is Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat, and Require all granted is the native form:
<Location /webhook-proxy-<random generated string>>
Allow from all
Restart Jenkins and Apache:
service httpd restart
service jenkins restart
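The fragments above, assembled into one complete configuration by the added script below (example code, not from the original page or from the Jenkins or Shibboleth projects). Beyond what the page shows, it assumes Apache 2.4 syntax (Require all granted instead of Allow from all, and AuthType None to switch Shibboleth off for the public path), that the GitHub plugin's endpoint inside Jenkins is /github-webhook/, and it adds ProxyPassReverse and a random path component drawn from the kernel CSPRNG; the target file name /etc/httpd/conf.d/jenkins.conf is likewise an assumption.

```shell
#!/bin/sh
# Added example, not part of the original page: generate the random component
# of the webhook-proxy path and print the complete Apache configuration for
# Jenkins behind Shibboleth. Assumptions (not stated on the page): Apache 2.4
# syntax (Require all granted is the 2.4 form of Allow from all), the GitHub
# plugin's endpoint inside Jenkins is /github-webhook/, and the fragment goes
# into its own file under /etc/httpd/conf.d/ instead of the end of httpd.conf.
# Usage: jenkins_proxy.sh [hostname] > /etc/httpd/conf.d/jenkins.conf

# 128 bits from the kernel CSPRNG as 32 hex characters. The path is the only
# thing protecting the unauthenticated endpoint, so it is a secret: give it to
# GitHub only, through the repository's webhook settings page.
webhook_token() {
    od -A n -N 16 -t x1 /dev/urandom | tr -d ' \n'
}

# Print the configuration for host $1 with webhook token $2.
jenkins_proxy_conf() {
    host=$1
    token=$2
    cat <<EOF
# Jenkins behind Apache: everything needs a Shibboleth session and membership
# in one of the listed groups. nocanon keeps %2F intact (together with
# AllowEncodedSlashes NoDecode in the virtual host).
<Location />
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-attr ADFS_GROUP "CERN Registered" "CERN Shared"
    ProxyPass http://localhost:8080/ nocanon
    ProxyPassReverse http://localhost:8080/
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    RequestHeader set Host "$host"
    RequestHeader set X-Forwarded-For ""
    Header edit Location ^http://$host/ https://$host/
</Location>

# GitHub cannot log in, so this one path is public; it is narrowed to the
# GitHub plugin's endpoint only and the random component is what hides it.
<Location /webhook-proxy-$token/>
    AuthType None
    Require all granted
    ProxyPass http://localhost:8080/github-webhook/
    ProxyPassReverse http://localhost:8080/github-webhook/
</Location>
EOF
}

jenkins_proxy_conf "${1:-$(hostname 2>/dev/null || echo localhost)}" "$(webhook_token)"
```

Write the output to the assumed file and run apachectl configtest before restarting. A browser GET to / should then redirect to the Shibboleth login, while a GET to the random path should reach Jenkins and be answered with the 405 described below.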
Because the webhook endpoint has to be reachable by GitHub without authentication, it should be protected with mod_security and mod_evasive:
yum install mod_evasive mod_security git
Under /etc/httpd/modsecurity.d/, clone the owasp-modsecurity-crs repository, which contains the default rules for mod_security:
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git --branch v2.2/master
The paths in the following steps assume the repository's contents sit directly under /etc/httpd/modsecurity.d/; with the command as written they land in the owasp-modsecurity-crs/ subdirectory, so either clone into the current directory or adjust the paths accordingly. Enable the default configuration (activated_rules/ is the directory that the mod_security package's Apache configuration includes, so only what is linked there is loaded):
cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf
ln -s /etc/httpd/modsecurity.d/modsecurity_crs_10_setup.conf activated_rules/modsecurity_crs_10_setup.conf
Enable the default rules (every file in base_rules is linked, including the .data files, because the rules load them relative to the directory they are read from):
for f in base_rules/*; do ln -s "/etc/httpd/modsecurity.d/$f" "activated_rules/$(basename "$f")"; done
Some rules have to be disabled for SSO to work and for GitHub to be able to deliver its webhook requests. In /etc/httpd/modsecurity.d/base_rules, edit the following files and comment out the rule that follows the named description (a SecRule together with its continuation lines) by placing # at the start of each of its lines:
- modsecurity_crs_21_protocol_anomalies.conf: Missing/Empty Accept Header (line 37)
- modsecurity_crs_40_generic_attacks.conf: Heuristic Checks (line 31)
Edits made directly in base_rules are lost on the next git pull of the rule set; the supported alternative is a SecRuleRemoveById directive naming the rule's id, placed in a file that is loaded after the base rules.
The Jenkins service should now be fully configured. Restart Apache to make changes take effect:
service httpd restart
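One way to do the exclusion without editing base_rules, as an added example that is not part of the original page or of the CRS project: the POSIX shell functions below look up the ids of the SecRule entries under a given comment heading in a CRS 2.2 rule file and emit SecRuleRemoveById lines for a local exclusion file. The sample rule file, its rule ids and the exclusion file name modsecurity_crs_60_local_exclusions.conf are constructed for illustration; the real ids come from the rule files on the host, and the only requirement on the file name is that it sorts after the base_rules links in activated_rules/, since a rule can only be removed after it has been loaded.

```shell
#!/bin/sh
# Added example, not part of the original page or the CRS project: instead of
# commenting rules out in base_rules (lost on the next git pull), look up the
# ids of the SecRules under a comment heading and emit SecRuleRemoveById lines
# for a local exclusion file. The name modsecurity_crs_60_local_exclusions.conf
# is an assumed convention: it only has to sort after the base_rules links in
# activated_rules/, because a rule can only be removed after it has been loaded.
# Usage: crs_exclude.sh RULEFILE HEADING... > activated_rules/modsecurity_crs_60_local_exclusions.conf
#        (no arguments: demo on a constructed sample file)

# Print the id of every SecRule between comment heading $2 and the next heading
# in CRS rule file $1. Comment lines with text are headings, "#" alone is a
# separator; descriptive comment lines directly under the heading are tolerated
# because a section only ends once at least one id has been seen.
crs_rule_ids() {
    awk -v h="$2" -v q="'" '
        BEGIN { re = "id:" q "?[0-9]+" }
        /^#/ {
            txt = $0; sub(/^#[ \t]*/, "", txt)
            if (txt == "") next
            if (index(txt, h) > 0) { in_sec = 1; found = 0 }
            else if (found) in_sec = 0
            next
        }
        in_sec && match($0, re) {
            id = substr($0, RSTART + 3, RLENGTH - 3); gsub(q, "", id)
            print id; found = 1
        }' "$1"
}

# Emit exclusion directives for rule file $1 and headings $2..: the comment goes
# on its own line, because a directive line may not carry a trailing comment.
crs_exclusions() {
    f=$1; shift
    for h in "$@"; do
        for id in $(crs_rule_ids "$f" "$h"); do
            printf '# %s: %s\nSecRuleRemoveById %s\n' "$(basename "$f")" "$h" "$id"
        done
    done
}

# Constructed sample in the CRS 2.2 layout (made-up ids, not the real rules),
# written to directory $1; prints the file name.
write_sample_rules() {
    cat > "$1/modsecurity_crs_21_protocol_anomalies.conf" <<'EOF'
# constructed sample, not the real CRS file
#
# Missing/Empty Accept Header
#
SecRule REQUEST_HEADERS_NAMES "^accept$" "chain,phase:2,id:'900101',t:none,nolog,pass"
    SecRule REQUEST_METHOD "!^OPTIONS$" "chain,t:none"
        SecRule REQUEST_HEADERS:Accept "^$" "t:none,setvar:tx.anomaly_score=+2"
SecRule REQUEST_HEADERS_NAMES "^accept$" "chain,phase:2,id:'900102',t:none,nolog,pass"
    SecRule REQUEST_HEADERS:Accept "^$" "t:none,setvar:tx.anomaly_score=+2"
#
# Request Missing a User Agent Header
#
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "phase:2,id:900103,t:none,pass"
EOF
    echo "$1/modsecurity_crs_21_protocol_anomalies.conf"
}

if [ $# -ge 2 ]; then
    crs_exclusions "$@"
else
    crs_exclusions "$(write_sample_rules "$(mktemp -d)")" "Missing/Empty Accept Header"
fi
```

SecRuleRemoveById on the first rule of a chain removes the whole chain, which matches what commenting out the rule and its continuation lines achieves; the base_rules checkout stays pristine and can be updated with git pull.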
Verify that Jenkins is accessible through
When you open https://<hostname>/webhook-proxy-<the random string specified in httpd.conf>/ in a browser, you should get an HTTP 405 Method Not Allowed with the message "Method POST required": the GET reaches the proxied endpoint and is rejected, which is the expected answer to anything other than GitHub's POST.
Make sure that the GitHub plugin is installed on Jenkins: go to Manage Jenkins, Manage Plugins, and check that a GitHub plugin is listed under the "Installed" tab; otherwise install it from the "Available" tab. When setting up the webhook on GitHub, set its URL to the webhook proxy (https://<hostname>/webhook-proxy-<the random string specified in httpd.conf>/).
Administrative configuration can be done on the manage page of the Jenkins server.
Read access is granted to all authenticated CERN accounts that belong to one of the groups named in the Require shib-attr line above. Jenkins accounts allowed to create or start projects are created in Jenkins' own user database.