
Jenkins Security

Learn essential ways to secure Jenkins with plugins and automation.

Securing Jenkins with Authentication

Securing Jenkins begins with strong authentication. Jenkins supports multiple authentication methods, including its built-in user database and integration with Active Directory.

Best Practices

  • Use Active Directory: Centralize authentication to improve security whenever possible.
  • Enforce Strong Passwords: Require strong password policies for all users.
  • Enable Single Sign-On (SSO): Consider SSO for seamless and secure access.
  • Review User Accounts: Regularly review user accounts, removing unused or obsolete credentials.
  • Apply Least Privilege: Assign users only the permissions necessary for their tasks.

Strong authentication and least privilege are the first steps to securing Jenkins and reducing the risk of unauthorized access.
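As an added example (not part of the original page), the following Python script audits a Jenkins config.xml against the points above: it lists who holds Overall/Administer, flags grants of Administer to the built-in "authenticated" group or of any permission to "anonymous", and flags a local user database whose self-registration form is still open. The element and permission-id layout is the standard one Jenkins writes; the two sample files are constructed, as are the user and group names in them.

```python
"""Audit a Jenkins config.xml for the authentication and least-privilege
points above. Added example, not part of this page: the element layout is the
standard Jenkins one, the sample data below is constructed."""
import sys
import xml.etree.ElementTree as ET

# Constructed $JENKINS_HOME/config.xml excerpt with several problems
# (XML declaration omitted; real files begin with <?xml version='1.1' ...>).
SAMPLE_CONFIG_XML = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:alice</permission>
    <permission>hudson.model.Hudson.Administer:authenticated</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Read:bob</permission>
    <permission>hudson.model.Item.Build:bob</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>
"""

# The same instance after applying the best practices above (constructed).
HARDENED_CONFIG_XML = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:alice</permission>
    <permission>GROUP:hudson.model.Hudson.Read:developers</permission>
    <permission>GROUP:hudson.model.Item.Read:developers</permission>
    <permission>GROUP:hudson.model.Item.Build:developers</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>
"""

ADMINISTER = "hudson.model.Hudson.Administer"          # Overall/Administer
BROAD_SIDS = {"anonymous", "authenticated"}            # built-in pseudo-principals


def parse_permissions(root):
    """Yield (permission id, sid) pairs from a matrix-auth strategy.
    matrix-auth 3.x writes USER:/GROUP:/EITHER: prefixes, older releases do
    not; taking the last two colon-separated fields handles both."""
    for node in root.iterfind("./authorizationStrategy/permission"):
        parts = (node.text or "").strip().split(":")
        if len(parts) >= 2:
            yield parts[-2], parts[-1]


def audit_config(xml_text):
    """Return (sorted findings, sorted admin sids) for a config.xml text."""
    root = ET.fromstring(xml_text)
    findings, admins = set(), set()

    if (root.findtext("useSecurity") or "").strip() != "true":
        findings.add(("SECURITY_OFF", "useSecurity is not true"))

    strategy = root.find("authorizationStrategy")
    cls = strategy.get("class", "") if strategy is not None else ""
    if strategy is None or cls.endswith("AuthorizationStrategy$Unsecured"):
        findings.add(("NO_AUTHZ", "anyone can do anything"))
    elif cls.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        findings.add(("ALL_USERS_ADMIN", "every logged-in user is an admin"))

    for perm, sid in parse_permissions(root):
        if perm == ADMINISTER:
            admins.add(sid)
            if sid in BROAD_SIDS:
                findings.add(("ADMIN_TO_GROUP", sid))
        elif sid == "anonymous":
            findings.add(("ANON_GRANT", perm))

    realm = root.find("securityRealm")
    if realm is not None and realm.get("class", "").endswith("HudsonPrivateSecurityRealm"):
        if (realm.findtext("disableSignup") or "").strip() != "true":
            findings.add(("SIGNUP_OPEN", "self-registration is enabled"))

    return sorted(findings), sorted(admins)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG_XML
    findings, admins = audit_config(text)
    print("Overall/Administer held by:", ", ".join(admins) or "(nobody)")
    for code, detail in findings:
        print(f"{code}: {detail}")
```

Run it as `python3 audit_config.py /var/lib/jenkins/config.xml` on the controller (the path is the Debian package default). The admin list is the thing to review on a schedule: every sid in it should be a named person who still needs it, and the built-in groups should never appear there.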

Enabling HTTPS

There are two main ways to enable HTTPS for Jenkins. In this guide, we'll focus on terminating TLS at an Nginx reverse proxy placed in front of Jenkins.

Install and Enable Nginx on Debian-based Systems:

Open a terminal and run:

sudo apt update
sudo apt install nginx
sudo systemctl enable nginx
sudo systemctl start nginx

This will install Nginx, enable it to start on boot, and start the service immediately.

Configure Nginx as a Reverse Proxy for Jenkins:

Create the Nginx site configuration file (e.g., /etc/nginx/sites-available/jenkins) with the following content, replacing jenkins.example.com and the certificate paths with your own:

server {
    listen 443 ssl;
    server_name jenkins.example.com;

    # Certificate and key for this hostname (Let's Encrypt/certbot layout)
    ssl_certificate /etc/letsencrypt/live/jenkins.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jenkins.example.com/privkey.pem;

    # Modern TLS versions and cipher suites only
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'HIGH:!aNULL:!MD5';

    location / {
        # Jenkins listens in plaintext on port 8080 on the same host
        proxy_pass http://localhost:8080;
        # Pass the original host, client address and scheme so Jenkins
        # logs the real client and builds correct https:// URLs
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Allow WebSocket upgrades through the proxy
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Enable the site and reload Nginx:

sudo ln -s /etc/nginx/sites-available/jenkins /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

This sets up Nginx to terminate TLS on port 443 and forward requests to Jenkins listening on port 8080 on the same host.
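A caveat a practitioner will want after this step: the proxy only protects traffic if Jenkins itself is no longer reachable in plaintext on port 8080 from outside the host, and Jenkins only generates https:// links if it sees X-Forwarded-Proto. The following Python script is an added example (not from this page, Nginx or Jenkins) that checks both: it parses the server block above for weak TLS versions and missing proxy headers, and parses `ss -ltn` output to report where port 8080 is bound outside loopback. The embedded `ss` output is a constructed sample.

```python
"""Post-deployment checks for the Nginx reverse proxy above. Added example,
not from this page or the Nginx/Jenkins projects; the ss(8) output below is a
constructed sample and the server block is the one from this page."""
import re
import shlex
import subprocess
import sys

# The server block from this page, embedded so the check runs offline.
NGINX_JENKINS_CONF = """server {
    listen 443 ssl;
    server_name jenkins.example.com;
    ssl_certificate /etc/letsencrypt/live/jenkins.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jenkins.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'HIGH:!aNULL:!MD5';
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
"""

# Constructed `ss -ltn` output before and after binding Jenkins to loopback.
SS_BEFORE = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      50     *:8080            *:*
LISTEN 0      511    0.0.0.0:443       0.0.0.0:*
"""
SS_AFTER = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      50     127.0.0.1:8080    0.0.0.0:*
LISTEN 0      511    0.0.0.0:443       0.0.0.0:*
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]", "[::ffff:127.0.0.1]"}


def nginx_directives(config_text):
    """Yield (name, args) for each simple directive; skips block lines and comments."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        if not line or line.endswith("{") or line == "}":
            continue
        parts = shlex.split(line)
        yield parts[0], parts[1:]


def check_nginx_tls(config_text):
    """Return a list of findings about the TLS and proxy-header settings."""
    by_name = {}
    for name, args in nginx_directives(config_text):
        by_name.setdefault(name, []).append(args)
    findings = []
    for args in by_name.get("listen", []):
        if args and args[0].endswith("443") and "ssl" not in args:
            findings.append("listen on 443 without ssl")
    protos = {p for args in by_name.get("ssl_protocols", []) for p in args}
    if not protos:
        findings.append("ssl_protocols unset; the default depends on the nginx version")
    weak = protos & WEAK_PROTOCOLS
    if weak:
        findings.append("weak protocols enabled: " + ", ".join(sorted(weak)))
    headers = {a[0]: a[1] for a in by_name.get("proxy_set_header", []) if len(a) > 1}
    if headers.get("X-Forwarded-Proto") not in ("$scheme", "https"):
        findings.append("X-Forwarded-Proto not set; Jenkins will generate http:// links")
    for args in by_name.get("proxy_pass", []):
        if not re.match(r"https?://(localhost|127\.0\.0\.1|\[::1\])(:|/|$)", args[0]):
            findings.append("plaintext hop to a non-loopback backend: " + args[0])
    return findings


def backend_exposed(ss_output, port="8080"):
    """Return non-loopback local addresses on which `port` listens (from ss -ltn)."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, p = cols[3].rpartition(":")
        if p == port and addr not in LOOPBACK:
            exposed.append(addr)
    return exposed


if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else NGINX_JENKINS_CONF
    for finding in check_nginx_tls(conf) or ["nginx config: no findings"]:
        print(finding)
    try:  # use the live socket table when ss(8) is available, else the sample
        ss = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        ss = SS_BEFORE
    print("port 8080 reachable outside loopback on:", backend_exposed(ss) or "nothing")
```

If the listener check reports `*` or `0.0.0.0`, restrict Jenkins to loopback by adding `--httpListenAddress=127.0.0.1` to its startup options (JENKINS_OPTS in the service configuration), or block 8080 at the host firewall. Also set the Jenkins URL under Manage Jenkins to https://jenkins.example.com/ so that generated links and the built-in reverse-proxy test agree with the proxy.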

Using Secure Plugins

There are several plugins that can make your Jenkins instance more secure. For example, here are three highly recommended security plugins:

  • Two-Factor Authentication: Adds a second verification step for user logins, improving account security.
  • Role-based Authorization: Lets you define roles and assign permissions to them for precise access control.
  • Script Security: Runs user-supplied Groovy scripts in a sandbox and requires administrator approval for anything outside it, so that ordinary users cannot run arbitrary code on the controller.

Selecting secure plugins like these helps protect your Jenkins environment from potential threats and exploits.
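Choosing plugins is only half the job; the installed set also needs to be checked against the security warnings the Jenkins update center publishes. The following Python script is an added example (not from this page or the Jenkins project) that cross-references installed plugins with the `warnings` array of the update center feed. The two JSON documents are constructed in the shape of the real feeds, with placeholder advisory ids and plugin names rather than real advisories.

```python
"""Cross-check installed plugins against the update center's security
warnings. Added example, not from this page or Jenkins itself; the JSON below
is constructed in the shape of the real feeds, with placeholder ids and names."""
import json
import re

# Shape of the "warnings" array in update-center.actual.json (constructed):
# `pattern` is a regex over affected versions, `lastVersion` the last affected one.
UPDATE_CENTER = json.loads("""{"warnings": [
  {"id": "SECURITY-PLACEHOLDER-1", "type": "plugin", "name": "example-auth",
   "message": "credentials readable by users with Overall/Read",
   "url": "https://example.invalid/advisory/1",
   "versions": [{"lastVersion": "1.4", "pattern": "1[.][0-4](|[.-].*)"}]},
  {"id": "SECURITY-PLACEHOLDER-2", "type": "plugin", "name": "example-scripting",
   "message": "sandbox bypass", "url": "https://example.invalid/advisory/2",
   "versions": [{"lastVersion": "2.10", "pattern": "2[.]([0-9]|10)(|[.-].*)"}]},
  {"id": "SECURITY-PLACEHOLDER-3", "type": "core", "name": "core",
   "message": "core issue", "url": "https://example.invalid/advisory/3",
   "versions": [{"lastVersion": "2.399", "pattern": "2[.][0-3][0-9]{2}(|[.-].*)"}]}
]}""")

# Shape of $JENKINS_URL/pluginManager/api/json?depth=1 (constructed).
INSTALLED = {"plugins": [
    {"shortName": "example-auth", "version": "1.3", "active": True},
    {"shortName": "example-scripting", "version": "2.11", "active": True},
    {"shortName": "example-roles", "version": "3.0", "active": False},
]}


def affected(warning, version):
    """True if `version` matches any affected-version pattern of the warning."""
    return any(re.fullmatch(v["pattern"], version) for v in warning.get("versions", []))


def vulnerable_plugins(installed, update_center):
    """Return sorted (shortName, version, warning id) triples for installed
    plugins whose version is covered by a plugin security warning. Disabled
    plugins are included: the file is still on disk and can be re-enabled."""
    by_name = {}
    for w in update_center["warnings"]:
        if w.get("type") == "plugin":
            by_name.setdefault(w["name"], []).append(w)
    hits = []
    for plugin in installed["plugins"]:
        for w in by_name.get(plugin["shortName"], []):
            if affected(w, plugin["version"]):
                hits.append((plugin["shortName"], plugin["version"], w["id"]))
    return sorted(hits)


def core_warnings(core_version, update_center):
    """Return ids of core warnings that cover the running Jenkins version."""
    return sorted(w["id"] for w in update_center["warnings"]
                  if w.get("type") == "core" and affected(w, core_version))


if __name__ == "__main__":
    for name, version, warning_id in vulnerable_plugins(INSTALLED, UPDATE_CENTER):
        print(f"{name} {version}: affected by {warning_id}")
    for warning_id in core_warnings("2.387", UPDATE_CENTER):
        print(f"Jenkins core 2.387: affected by {warning_id}")
```

For a real run, fetch https://updates.jenkins.io/update-center.actual.json for `UPDATE_CENTER` and `pluginManager/api/json?depth=1` from your controller (with an API token) for `INSTALLED`. The feed's patterns are Java regular expressions; the ones used here are plain enough to be Python-compatible, but treat an unparseable pattern as "affected" rather than skipping it. Jenkins itself surfaces the same warnings in the plugin manager, so this script is mainly useful for checking controllers from a central place on a schedule.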