How to restrict access to Jenkins according to the IP and user in a LAN?

Hello Friends

Consider a LAN with a few machines. To keep it simple, as follows:

  • 192.168.1.10
  • 192.168.1.11
  • 192.168.1.12
  • 192.168.1.13

Where Jenkins is only installed at the 192.168.1.10 machine.

The situation is that currently the 192.168.1.11, 192.168.1.12 and 192.168.1.13 machines are able to:

  • Access and render the http://192.168.1.10:8080/ page
  • The Jenkins admin and custom users are able to log in at the http://192.168.1.10:8080/login page

Now through Jenkins

  • Either by itself or with a plugin

Questions:

  1. How to restrict remote access to the homepage?

In other words, no one in the LAN can render the login page at the http://192.168.1.10:8080/ URL. Login is possible only from the host itself (192.168.1.10).

  2. How to restrict access to the login page according to the IP?

For example, for any user, only from 192.168.1.11 and 192.168.1.12 but not from 192.168.1.13.

  3. How to restrict access to the login page according to the IP and a specific user?

For a better understanding, consider two cases:

a. Allow login from the host itself (192.168.1.10) for the admin and alpha users
b. Allow login from the 192.168.1.1X IP for the admin and beta users

Is it possible to accomplish each goal?

Thanks in advance

So you’re going to have to investigate one of the many reverse proxy systems (nginx, caddy, traefik, apache) and learn how to set that up to do the things you’re asking, which are all entirely possible but out of scope of Jenkins itself.

Generally, the idea of standing up Jenkins is so that all of your developers can see what it’s working on. You can set up permissions within Jenkins as to what they can each do while they’re there, but everybody should be able to see the web ui, even if it only takes them to the login page.

(I was going to point you at the Jenkins Project’s own Jenkins UI, but that appears to have been locked down with a login page. Probably due to stupid AI bots scraping the poop out of it.)
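The reverse-proxy approach suggested in the reply above, as an added example that is not part of the thread and not from any of its participants: an nginx configuration covering the address-based restrictions (questions 1 and 2). It assumes nginx runs on the Jenkins host and that Jenkins is started with `--httpListenAddress=127.0.0.1`, so port 8080 cannot be reached around the proxy; the listen port is a constructed choice. Per-user rules (question 3) are not covered, because `allow`/`deny` only match on the client address.

```nginx
# Added example (not from the thread). Assumptions: nginx on 192.168.1.10,
# Jenkins bound to loopback with --httpListenAddress=127.0.0.1.
server {
    # Only the proxy listens on the LAN address.
    listen 192.168.1.10:80;

    location / {
        # Question 2: permit the host itself plus .11 and .12; everything
        # else on the LAN (including 192.168.1.13) receives 403 Forbidden.
        allow 127.0.0.1;
        allow 192.168.1.10;
        allow 192.168.1.11;
        allow 192.168.1.12;
        deny  all;

        # Question 1 variant: delete the .11 and .12 lines above so only
        # the host itself can load any Jenkins page, the login page included.

        proxy_pass         http://127.0.0.1:8080;
        proxy_http_version 1.1;

        # Jenkins now sees every request as coming from 127.0.0.1, so pass
        # the real client address along for its access logs.
        proxy_set_header   Host              $http_host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

If Jenkins keeps listening on 192.168.1.10:8080, clients can skip the proxy entirely, so verify from 192.168.1.13 that both port 80 and port 8080 are refused.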

How do the agents connect to the controller? Are those inbound agents using websockets? If yes then the agents must be able to access http://192.168.1.10:8080/, otherwise they will not be able to connect. If using ssh all should be good. If using jnlp, then at least the jnlp port must be accessible from the agents.

Thanks to you both for your replies

Ken

So you’re going to have to investigate one of the many reverse proxy systems (nginx, caddy, traefik, apache) and learn how to set that up to do the things you’re asking, which are all entirely possible but out of scope of Jenkins itself

Understood. Anyway, I wrote the question just in case Jenkins, either by itself or through a plugin, has that feature.

Markus

How do the agents connect to the controller?

No agents involved yet. Consider the LAN with just 1 Jenkins server with special access as follows:

  • In the host itself with some restrictions according to the user
  • Through the LAN itself with some restrictions according to the IP and user

Are those inbound agents using websockets? If yes then the agents must be able to access http://192.168.1.10:8080/, otherwise they will not be able to connect. If using ssh all should be good. If using jnlp, then at least the jnlp port must be accessible from the agents.

I remember clearly the agents and SSH approaches but I don’t remember jnlp in Jenkins.
The other approach is Jenkins CLI (the .jar).

I want to work with the GUI and the terminal.

I am going to research more.

Thanks to all