What is best recommended way to enable https into Jenkins

Using Jenkins Ask a question
1

Jenkins Version:
Jenkins: 2.479.3
Operating System:
OS: Red Hat Enterprise Linux 9.5
Java Version:
Java: openjdk 17.0.13 2024-10-15 LTS

Question:
Jenkins installation completed on linux server. I would like to enable/configure HTTPS for Jenkins instance. I gone through various articles and found there are 2 ways to enable HTTPS for Jenkins (mentioned below). I wanted to know which is the best way and recommended way to do this.

  1. Apply certificates directly into Jenkins
    • Store JKS file, update environment variables in systemd jenkins.service file, restart jenkins
  2. Configure HTTPS Jenkins URL and Nginx Reverse Proxy withoug applying .jks certificate into jenkins service file
    • Configure Nginx to redirect http to https
    • uses SSL certificate in Nginx
    • configure jenkins to allow only local connection from nginx, block direct access to jenkins via http through firewall
2

I prefer method 2 using nginx to provide the SSL. This has been a much more stable and easy to implement method for me.

2 Likes
3

I prefer method 1. One less thing to setup for me. I don’t support http at all since years. Also I have a plugin (not public) that allows me to do SSO based on a client certificate (with AD plugin).

On the other hand I think with nginx it might be easier if you want to implement ACME to automatically renew the certificate.

In any case I strongly recommend to enable http2 (for method1 means you must set JENKINS_HTTP2_PORT instead of JENKINS_HTTPS_PORT)

for method2 you don’t need to block access via the firewall if you make Jenkins listen only on 127.0.0.1 (set JENKINS_HTTP2_LISTEN_ADDRESS)

1 Like
4

Thankyou Alex & Markus for the suggestion.

Based on the response, I understand there is no hard rule to follow specific method to enable https in jenkins. It is purely based on environment requirement. Is my understanding right? I just wanted to understand better what are the pros and cons before implementing it in production.

5

For me, personally, native TLS support with JKS file is simpler. And generating JKS these days is not so complicated. With additional parameters passed to OpenSSL you can do it without any Java tools:

openssl pkcs12 -export -inkey domaincert.key -in domaincert.crt -certfile ca_intermediates.pem -out /srv/jenkins/keystore.jks -name yourdomain -noiter -nomaciter

Create /srv/jenkins/startup.properties containing just the line:
httpsKeyStorePassword=yourJKSpassword

Now add the following to your /etc/systemd/system/jenkins.service.d/override.conf file:

Environment="JENKINS_PORT=-1"
AmbientCapabilities=CAP_NET_BIND_SERVICE
Environment="JENKINS_HTTPS_PORT=443"
Environment="JENKINS_HTTPS_KEYSTORE=/srv/jenkins/keystore.jks"
# Load keystore password from file to avoid it to be displayed in the process list
Environment="JENKINS_OPTS=--config=/srv/jenkins/startup.properties"

Works perfectly under RPM based Jenkins installation.

6

In any case I strongly recommend to enable http2

May I ask why? Is there a noticeable difference?

7

pages might load faster. And if you have a long list of users in your auth strategy you will probably notice that the user displayname resolution will work much faster
Also http2 is nowadays the standard

8

Thankyou all for your response. I had applied using method 2 (Nginx) based on my application environment. Working as expected.