Configuring Jenkins behind an nginx reverse proxy with Let's Encrypt SSL

Date: 2020-02-23 14:37:53  Source: igfitidea

Question: How do I put Jenkins behind an nginx reverse proxy and configure a Let's Encrypt SSL certificate?
Jenkins is a powerful open-source automation server used to automate repetitive tasks and to support continuous integration and delivery of applications.

This short tutorial covers how to configure nginx as a reverse proxy in front of a Jenkins server.
It assumes you already have a working Jenkins server; our other tutorials can help with setting one up.

Step 1: Install the nginx web server

First, install the nginx web server on your Linux distribution.
Below are the commands to install nginx on common Linux distributions.

# CentOS/RHEL
$ sudo yum -y install nginx vim
# Fedora
$ sudo dnf -y install nginx vim
# Ubuntu/Debian
$ sudo apt-get -y install nginx vim

Step 2: Install the Certbot tool

Next, install the certbot tool used to obtain Let's Encrypt SSL certificates.
Download and install the certbot-auto command-line tool.

curl -sL https://dl.eff.org/certbot-auto | sudo tee /usr/local/bin/certbot-auto

Make the script executable.

sudo chmod +x /usr/local/bin/certbot-auto

Check that it works:

$ certbot-auto --version
certbot 0.33.1

When asked to confirm the installation of dependencies, answer "y".

Dependencies Resolved
===========================================================================
 Package              Arch      Version                   Repository  Size
===========================================================================
Installing:
 augeas-libs          x86_64    1.4.0-6.el7_6.1           updates    355 k
 libffi-devel         x86_64    3.0.13-18.el7             base        23 k
 mod_ssl              x86_64    1:2.4.6-88.el7.centos     base       112 k
 python-devel         x86_64    2.7.5-76.el7              base       398 k
 python-tools         x86_64    2.7.5-76.el7              base       856 k
 python-virtualenv    noarch    15.1.0-2.el7              base       1.7 M
 python2-pip          noarch    8.1.2-8.el7               epel       1.7 M
 redhat-rpm-config    noarch    9.1.0-87.el7.centos       base        81 k
Installing for dependencies:
 dwz                  x86_64    0.11-3.el7                base        99 k
 libXft               x86_64    2.3.2-2.el7               base        58 k
 libXrender           x86_64    0.9.10-1.el7              base        26 k
 perl-srpm-macros     noarch    1-8.el7                   base       4.6 k
 tcl                  x86_64    1:8.5.13-8.el7            base       1.9 M
 tix                  x86_64    1:8.4.3-12.el7            base       254 k
 tk                   x86_64    1:8.5.13-6.el7            base       1.4 M
 tkinter              x86_64    2.7.5-76.el7              base       326 k
 zip                  x86_64    3.0-11.el7                base       260 k
Transaction Summary
===========================================================================
Install  8 Packages (+9 Dependent packages)
Total download size: 9.5 M
Installed size: 26 M
Is this ok [y/d/N]: y

Step 4: Request a Let's Encrypt SSL certificate

We need a working DNS record for the domain or subdomain used by the Jenkins server.
In my demo I am using jenkins.theitroad.com

We also need to open port 80 to be able to obtain the certificate, but only if a firewall is active.

# CentOS 7
$ sudo firewall-cmd --add-service={http,https} --permanent
$ sudo firewall-cmd --reload
# Ubuntu/Debian
$ sudo ufw allow proto tcp from any to any port 80,443
$ sudo ufw status

Once that is done, obtain the Let's Encrypt certificate. nginx is stopped first because the standalone authenticator must bind port 80 itself during the HTTP challenge:

export DOMAIN="jenkins.example.com"
export ALERTS_EMAIL="Hyman@theitroad"
sudo systemctl stop nginx
sudo /usr/local/bin/certbot-auto certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $ALERTS_EMAIL --keep-until-expiring

Sample output

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jenkins.theitroad.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/jenkins.theitroad.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/jenkins.theitroad.com/privkey.pem
Your cert will expire on 2019-07-08. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew all of your certificates, run
"certbot-auto renew"
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
If you like Certbot, please consider supporting our work by:
Donating to ISRG/Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

Step 5: Configure nginx

Create an nginx configuration file for Jenkins.

sudo vim /etc/nginx/conf.d/jenkins.conf

Paste the following contents into the file.

################################################
# Jenkins Proxy configuration with SSL
################################################
upstream jenkins {
  server 127.0.0.1:8080 fail_timeout=0;
}

# Plain HTTP: redirect everything to HTTPS
server {
  listen 80;
  server_name jenkins.example.com;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  server_name jenkins.example.com;

  ssl_certificate /etc/letsencrypt/live/jenkins.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/jenkins.example.com/privkey.pem;

  location / {
    proxy_set_header        Host $host:$server_port;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    # Rewrite http:// in upstream Location headers to https://
    proxy_redirect          http:// https://;
    proxy_pass              http://jenkins;
    # Required for new HTTP-based CLI
    proxy_http_version 1.1;
    proxy_request_buffering off;
    proxy_buffering off; # Required for HTTP-based CLI to work over SSL
    # workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651
    add_header 'X-SSH-Endpoint' 'jenkins.example.com:50022' always;
  }
}

Replace every occurrence of example.com with your real domain name.
Once done, validate the nginx configuration.

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
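
As an added example (not code from the original post), the following Python script parses the nginx configuration shown above and reports the settings a reviewer checks before `nginx -t` and reload: the example.com placeholder left in, a missing certificate or key path, a missing X-Forwarded-Proto header, and a proxy_redirect written without the space between its two arguments. The parser and the sample configuration embedded in it are constructed for this demo and cover only the block syntax used here.

```python
# Added example (not from the post): parse the nginx config and audit the Jenkins proxy settings.
import re

def parse(text):
    # Tokenise into names/args and the { } ; punctuation, with comments stripped first.
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    def block(i):  # recursive descent over one { } level
        node, args = {"directives": [], "blocks": []}, []
        while i < len(tokens):
            tok, i = tokens[i], i + 1
            if tok == "{":  # args so far name the block, e.g. ['location', '/']
                sub, i = block(i)
                node["blocks"].append((args, sub)); args = []
            elif tok == ";":  # args so far form one directive
                if args: node["directives"].append(args)
                args = []
            elif tok == "}":
                break
            else:
                args.append(tok)
        return node, i
    return block(0)[0]

def audit(text):
    # Returns human-readable findings; an empty list means the config passes the checks.
    findings = []
    for _, srv in [b for b in parse(text)["blocks"] if b[0] == ["server"]]:
        d = {x[0]: x[1:] for x in srv["directives"]}  # last occurrence of each directive wins
        listen = d.get("listen", [])
        if "example.com" in " ".join(d.get("server_name", [])):
            findings.append("server_name still carries the example.com placeholder")
        if "80" in listen and not " ".join(d.get("return", [])).startswith("301 https://"):
            findings.append("port 80 server does not 301-redirect to https")
        if "443" in listen:
            findings += [f"https server lacks {k}" for k in ("ssl_certificate", "ssl_certificate_key") if k not in d]
            for largs, loc in [b for b in srv["blocks"] if b[0][:1] == ["location"]]:
                if not any(x[:2] == ["proxy_set_header", "X-Forwarded-Proto"] for x in loc["directives"]):
                    findings.append("location lacks X-Forwarded-Proto (Jenkins would build http:// URLs)")
                for x in loc["directives"]:
                    if x[0] == "proxy_redirect" and len(x) != 3:
                        findings.append(f"proxy_redirect needs two arguments, got {x[1:]}")
    return findings

# Constructed sample with typical slips: placeholder domain, no key file, no X-Forwarded-Proto, 'http://https://' as one token.
SAMPLE = """server { listen 80; server_name jenkins.example.com; return 301 https://$host$request_uri; }
server { listen 443 ssl; server_name jenkins.example.com;
  ssl_certificate /etc/letsencrypt/live/jenkins.example.com/fullchain.pem;
  location / { proxy_set_header X-Real-IP $remote_addr; proxy_redirect http://https://;
               proxy_pass http://jenkins; } }"""
```

Run `audit(open("/etc/nginx/conf.d/jenkins.conf").read())` against your own file; an empty list means none of these checks fired.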

If the configuration looks good, restart nginx and enable it to start at boot.

sudo systemctl restart nginx
sudo systemctl enable nginx

Step 6: Access the Jenkins web interface

Open the Jenkins web interface at http://jenkins.example.com; the port 80 server block redirects you to HTTPS.

The Jenkins dashboard should be displayed after you log in.