Yet more https for jenkins

2016-10-21 20:47:46 +00:00 · 2016-10-21 20:47:46 +00:00 · 236c0fd355
commit 236c0fd355
parent dafeb1279f
3 changed files with 52 additions and 1 deletions
--- a/roles/jenkins/master/files/jenkins.conf
+++ b/roles/jenkins/master/files/jenkins.conf
@ -66,6 +66,7 @@ JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true"
 # Set to -1 to disable
 #
 JENKINS_PORT="8080"
+JENKINS_LISTEN_ADDRESS="127.0.0.1"

 ## Type:        integer(0:65535)
 ## Default:     8009
--- a/roles/jenkins/master/tasks/main.yml
+++ b/roles/jenkins/master/tasks/main.yml
@ -126,3 +126,13 @@
  - jenkins/master
  - config

+- name: install jenkins httpd config
+  template: >
+    src="jenkins-httpd.conf.j2"
+    dest="/etc/httpd/conf.d/jenkins-httpd.conf"
+  notify:
+  - restart httpd
+  tags:
+  - jenkins
+  - jenkins/master
+  - config
--- a/roles/jenkins/master/templates/jenkins-httpd.conf.j2
+++ b/roles/jenkins/master/templates/jenkins-httpd.conf.j2
@ -0,0 +1,40 @@
+<VirtualHost *:80>
+  ServerName jenkins.fedorainfracloud.org
+  ServerAdmin webmaster@fedoraproject.org
+  TraceEnable Off
+
+  RewriteEngine on
+  RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
+  RewriteCond %{HTTPS} off
+  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]
+
+</VirtualHost>
+
+<VirtualHost *:443>
+  ServerName jenkins.fedorainfracloud.org
+  ServerAdmin webmaster@fedoraproject.org
+
+  SSLEngine on
+  SSLCertificateFile /etc/pki/tls/certs/jenkins.fedorainfracloud.org.cert
+  SSLCertificateKeyFile /etc/pki/tls/private/jenkins.fedorainfracloud.org.key
+  SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedoraproject.org.intermediate.cert
+  SSLHonorCipherOrder On
+
+  # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
+  # If you change the protocols or cipher suites, you should probably update
+  # modules/squid/files/squid.conf-el6 too, to keep it in sync.
+  SSLProtocol {{ ssl_protocols }}
+  SSLCipherSuite {{ ssl_ciphers }}
+
+  RequestHeader set X-Forwarded-Scheme https early
+  RequestHeader set X-Scheme https early
+  RequestHeader set X-Forwarded-Proto https early
+
+  Alias /robots.txt /srv/web/robots.txt.jenkins.fedorainfracloud.org
+
+  ProxyPass / http://localhost:8080/ nocanon
+  ProxyPassReverse / http://localhost:8080/
+  ProxyRequests     Off
+  AllowEncodedSlashes NoDecode
+
+</VirtualHost>