While checking Jenkins instances exposed on the public internet, the security firm Security Discovery recently found one belonging to GE Aviation that held source code, plaintext passwords, configuration details and assorted private keys for the company's internal infrastructure. Once notified, GE Aviation shut the instance down the same day and admitted the exposure was caused by a DNS misconfiguration. (iThome report)
So how does the old-timer Jenkins get onto the internet? Dial-up? My habit is to put nginx in front of it as a reverse proxy. This time, though, the config files will be version-controlled with git.
First, my .gitignore:
root@Bosley:/etc/nginx# cat .gitignore
*
!nginx.conf
!naxsi_core.rules
!fastcgi_params
!mime.types
!sites-available
!sites-available/**
!conf.d
!conf.d/**
!modules-available
!modules-available/**
Good. Now put the machine's /etc/nginx directly under version control:
root@Bosley:/etc/nginx# git init && git add . && git status
Initialized empty Git repository in /etc/nginx/.git/
On branch master
No commits yet
Changes to be committed:
(use "git rm --cached <file>..." to unstage)
new file: fastcgi_params
new file: mime.types
new file: naxsi_core.rules
new file: nginx.conf
new file: sites-available/Redirect_HTTPS
new file: sites-available/qnap-ssl
root@Bosley:/etc/nginx# git rm --cached sites-available/qnap-ssl   # not committing this one for now
# Create an empty repo on GitHub beforehand as the destination
root@Bosley:/etc/nginx# git remote add origin git@github.com:August-Icekimo/nginx.conf.git
# Pull first, then push
root@Bosley:/etc/nginx# git pull origin master
From github.com:August-Icekimo/nginx.conf
* branch master -> FETCH_HEAD
# Write the commit
root@Bosley:/etc/nginx# git commit -m "First Upload Version"
[master 9dff538] First Upload Version
5 files changed, 255 insertions(+)
create mode 100644 fastcgi_params
create mode 100644 mime.types
create mode 100644 naxsi_core.rules
create mode 100644 nginx.conf
create mode 100644 sites-available/Redirect_HTTPS
# push! harder!
root@Bosley:/etc/nginx# git push -u origin master
Counting objects: 8, done.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (8/8), 3.68 KiB | 198.00 KiB/s, done.
Total 8 (delta 0), reused 0 (delta 0)
To github.com:August-Icekimo/nginx.conf.git
6037caf..9dff538 master -> master
Branch 'master' set up to track remote branch 'master' from 'origin'.
root@Bosley:/etc/nginx#
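The allowlist .gitignore above decides what gets staged; given what the GE Aviation instance leaked, a second check before each commit is worth having. This pre-commit hook is an added example, not part of the post or its repository; the function names and the file-extension list are my own choices.

```shell
#!/bin/sh
# Added example (not from the post): git pre-commit hook for the /etc/nginx repo.
# The allowlist .gitignore only admits known config files; this hook additionally
# refuses to commit private key material or certificate files.
# Install by copying to /etc/nginx/.git/hooks/pre-commit and making it executable.

# Return 1 if any given file looks like key material, 0 otherwise.
# Checks the filename extension and PEM private-key headers in the content.
scan_for_private_keys() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        case "$f" in
            *.key|*.pem|*.p12|*.pfx)
                echo "blocked: $f (key/certificate file extension)" >&2
                rc=1
                continue ;;
        esac
        if grep -Eq -- '-----BEGIN (RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----' "$f"; then
            echo "blocked: $f (contains a PEM private key)" >&2
            rc=1
        fi
    done
    return $rc
}

# Hook entry point: scan only the files staged for this commit.
pre_commit_hook() {
    staged=$(git diff --cached --name-only --diff-filter=ACM)
    [ -n "$staged" ] || return 0
    old_ifs=$IFS
    IFS='
'
    set -- $staged          # split on newlines only, so paths with spaces survive
    IFS=$old_ifs
    scan_for_private_keys "$@"
}

# Act as a hook only when git invokes this file as "pre-commit".
case "$0" in
    */pre-commit|pre-commit)
        pre_commit_hook || { echo "commit rejected: remove key material from the index" >&2; exit 1; } ;;
esac
```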
From here on you can hack on and test nginx freely; if you break it, a git checkout finds the way home, no seven days needed.
If you think disaster recovery time means
# git clone git@github.com:August-Icekimo/nginx.conf
absolutely not. Think it through and you'll see what kind of monster that clones down: an extra directory level, plus an extra arm and leg, so you won't recognise the result. Though adding a trailing dot (cloning into `.`) works too.
So what do you do? Go into /etc/nginx, run git init, and once you can git pull, the disaster is recovered.
A trick of the trade: worth nothing once it's said out loud.
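The in-place restore just described, written as a script. This is an added example, not the post's own code: `restore_in_place` and `reload_if_valid` are my names, and the remote URL and target directory are parameters (the post uses git@github.com:August-Icekimo/nginx.conf.git and /etc/nginx).

```shell
#!/bin/sh
# Added example (not from the post): disaster recovery of a versioned /etc/nginx.
# "git clone <url>" would create a nested nginx.conf/ directory; instead, init a
# repository inside the existing directory and pull the history into it.
# Arguments: REMOTE (the post uses git@github.com:August-Icekimo/nginx.conf.git)
# and TARGET (the post uses /etc/nginx).

restore_in_place() {
    remote=$1
    target=$2
    mkdir -p "$target"
    # Re-use a repository that survived the disaster, otherwise start a fresh one.
    [ -d "$target/.git" ] || git -C "$target" init -q
    # Point "origin" at the remote whether or not it was already configured.
    git -C "$target" remote add origin "$remote" 2>/dev/null ||
        git -C "$target" remote set-url origin "$remote"
    # Fast-forward only: a stale untracked copy of a tracked file makes the pull
    # fail rather than silently merging, so move such leftovers aside first.
    git -C "$target" pull -q --ff-only origin master
}

# Apply the restored configuration only if nginx accepts it.
reload_if_valid() {
    nginx -t && nginx -s reload
}
```

Usage: `restore_in_place git@github.com:August-Icekimo/nginx.conf.git /etc/nginx && reload_if_valid`.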
Back to the main topic: let's get an SSL certificate.
sudo acme.sh --config-home /etc/acme --force --debug --issue --domain jenkins.icekimo.idv.tw --standalone
Then I suddenly had an idea: let's create a branch. That makes it feel like a big corporate group, with branches and everything.
root@Bosley:/etc/nginx# git branch bosley
root@Bosley:/etc/nginx# git status
On branch master
Your branch is up to date with 'origin/master'.
nothing to commit, working tree clean
root@Bosley:/etc/nginx# git checkout bosley
Switched to branch 'bosley'
root@Bosley:/etc/nginx# git status
On branch bosley
nothing to commit, working tree clean
root@Bosley:/etc/nginx# nginx -s stop
After a round of edits, the nginx config for Jenkins is written and ready to save:
root@Bosley:/etc/nginx# git add .
root@Bosley:/etc/nginx# git status
On branch bosley
Changes to be committed:
(use "git reset HEAD <file>..." to unstage)
modified: nginx.conf
new file: sites-available/jenkins-ssl
modified: sites-available/upstream_Bosley.conf
root@Bosley:/etc/nginx# git commit -m "Jenkins CI serve page"
[bosley 03e2431] Jenkins CI serve page
3 files changed, 49 insertions(+), 1 deletion(-)
create mode 100644 sites-available/jenkins-ssl
root@Bosley:/etc/nginx# git push
fatal: The current branch bosley has no upstream branch.
To push the current branch and set the remote as upstream, use
git push --set-upstream origin bosley
root@Bosley:/etc/nginx# git push --set-upstream origin bosley
Counting objects: 6, done.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 1.12 KiB | 87.00 KiB/s, done.
Total 6 (delta 3), reused 0 (delta 0)
remote: Resolving deltas: 100% (3/3), completed with 3 local objects.
remote:
remote: Create a pull request for 'bosley' on GitHub by visiting:
remote: https://github.com/August-Icekimo/nginx.conf/pull/new/bosley
remote:
To github.com:August-Icekimo/nginx.conf.git
* [new branch] bosley -> bosley
Branch 'bosley' set up to track remote branch 'bosley' from 'origin'.
root@Bosley:/etc/nginx#
What a beautiful day: Jenkins now has HTTPS and can be used securely from the outside.
Wait, the day seems to be going a bit fast; let's set up portainer.io as well while we're at it:
server {
    listen 443 ssl;
    ssl on;    # redundant with "listen 443 ssl"; deprecated in newer nginx releases
    ssl_certificate     /etc/acme/lab.icekimo.idv.tw/fullchain.cer;
    ssl_certificate_key /etc/acme/lab.icekimo.idv.tw/lab.icekimo.idv.tw.key;
    ssl_dhparam         /etc/ssl/dhparam.pem;

    # TLS 1.2 only, AEAD ciphers with forward secrecy, server chooses the cipher
    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;    # no ticket keys to rotate; sessions live in the cache only
    # OCSP stapling; nginx needs a "resolver" directive to look up the OCSP responder
    ssl_stapling on;
    ssl_stapling_verify on;

    # Browser hardening headers (HSTS with preload is a long-term commitment)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    server_name lab.icekimo.idv.tw;

    location / {
        # Pass the original host, client address and scheme through to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Via "nginx";
        proxy_max_temp_file_size 0;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        # "portainer_page" is the upstream defined in the shared upstream file
        proxy_pass http://portainer_page;
        break;
    }
}
Then do an nginx -s reload.
If you look closely on GitHub, you'll notice that I gather the upstreams in a single file, which lays out the whole service-topology map in one place,
and each individual file then describes which server_name on 443 belongs to whom.
The benefit is that all upstreams are defined once; to bring a hot-standby service into load balancing, you only need to add a second HA config file and change the symlink in sites-enabled.