Hi,

as part of the effort to harden the configuration, I would like to have
Jenkins behind a reverse proxy, as this brings a few benefits:
- not having the SSL key sitting on the same server
- switching to letsencrypt without upgrading the Jenkins server
- having logs in a place where they cannot be removed in case of
compromise
- being able to limit a bit more drastically the exposure of Jenkins to
the big bad internet
- being able to deploy mod_security to protect from future XSS and stuff
like this.

I spun up a VM to do a test, and after a rather long fight against
mod_proxy and all kinds of subtle SSL issues, I won the fight and created
a working vhost to test on https://build.proxy.gluster.org/

Could people give it a try? It goes to the same exact Jenkins instance, but I
want to make sure it works fine for most purposes. I also enabled
mod_security in a non-enforcing way, to be able to detect errors in
advance, but as the format is rather sub-optimal (there are chunks of data
in key: value using a custom format, with one-letter identifiers, and
there are 2 log files to look at, with pointers from one to the other to
the config of several hundred rules...), it may take a while to detect
all errors before switching it to "on" and not just "detect only".


Then, we will need to do a few things to actually get that in prod:
- add a second bridge to the server for the purpose of connecting to an
internal network
- decide what goes on that network
- add a 2nd interface to the VM
- do some DNS magic to switch traffic

A few of these require downtime on the hypervisor and the guest, and
require IT involvement, so I can't yet have an ETA for completion.

But I may do that during Christmas shutdown.

And then, I will likely do the same for Gerrit (i.e., deploy it on the
proxy, etc.).
-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS



_______________________________________________
Gluster-infra mailing list
Gluster-infra@gluster.org
http://www.gluster.org/mailman/listinfo/gluster-infra
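A vhost along the lines of what the message describes, as an added example that is not the configuration from the original post or from the Gluster infrastructure: TLS termination on the proxy, mod_proxy forwarding to Jenkins, and mod_security running in detection-only mode so rule hits are logged but not blocked. The backend address jenkins.internal:8080, the certificate and log paths, and the ServerName reuse of build.proxy.gluster.org are assumptions for illustration.

```apache
# Plain HTTP only redirects to HTTPS; nothing is proxied on port 80.
<VirtualHost *:80>
    ServerName build.proxy.gluster.org
    Redirect permanent / https://build.proxy.gluster.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName build.proxy.gluster.org

    # TLS terminates here, so the private key never lives on the Jenkins box.
    # Paths are assumed (letsencrypt layout); adjust to the real deployment.
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/build.proxy.gluster.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/build.proxy.gluster.org/privkey.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # Reverse proxy only: never act as a forward proxy for arbitrary hosts.
    ProxyRequests Off
    # Pass the original Host header so Jenkins builds correct absolute URLs
    # and does not raise its "reverse proxy setup is broken" warning.
    ProxyPreserveHost On
    # Jenkins URLs can contain %2F; forward them undecoded and do not
    # canonicalise the path before handing it to the backend.
    AllowEncodedSlashes NoDecode
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    # Backend address is an assumption (Jenkins on an internal network).
    ProxyPass        / http://jenkins.internal:8080/ nocanon
    ProxyPassReverse / http://jenkins.internal:8080/

    # Access log kept on the proxy, out of reach of a compromised backend.
    CustomLog /var/log/httpd/build.proxy.gluster.org-access.log combined
    ErrorLog  /var/log/httpd/build.proxy.gluster.org-error.log

    <IfModule security2_module>
        # DetectionOnly = evaluate rules and log matches, but never block.
        # Switch to "On" only after the audit log has been clean for a while.
        SecRuleEngine DetectionOnly
        SecRequestBodyAccess On
        SecResponseBodyAccess Off
        # Log only transactions that triggered a rule (or errored), one
        # serial file; the error_log carries the short summary and the
        # unique_id that points into this audit log.
        SecAuditEngine RelevantOnly
        SecAuditLogRelevantStatus "^(?:5|4(?!04))"
        SecAuditLogType Serial
        SecAuditLog /var/log/httpd/modsec_audit.log
        SecAuditLogParts ABIJDEFHZ
    </IfModule>
</VirtualHost>
```

With SecRuleEngine DetectionOnly, each rule match still produces a "ModSecurity: Warning." line in the vhost error log with the rule id, and the matching transaction is written in full to modsec_audit.log; flipping that single directive to On is what turns the same rule set into enforcement.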