[Gluster-infra] Testing reverse proxy for jenkins
Michael Scherer
mscherer at redhat.com
Wed Dec 14 13:14:41 UTC 2016
Hi,

as part of the effort to harden configuration, I would like to have
jenkins behind a reverse proxy, as this brings a few benefits:
- not having the ssl key sitting on the same server
- switching to letsencrypt without upgrading the jenkins server
- having logs in a place where they cannot be removed in case of
compromise
- being able to limit a bit more drastically the exposure of Jenkins to
the big bad internet
- being able to deploy mod_security to protect from future XSS and stuff
like this.

I spun up a VM to do a test, and after a rather long fight against
mod_proxy and all kinds of subtle ssl issues, I won the fight and created
a working vhost to test on https://build.proxy.gluster.org/

Could people give it a try? It goes to the exact same jenkins instance, but I
want to make sure it works fine for most purposes. I also enabled
mod_security in a non-enforcing way, to be able to detect errors in
advance, but as the format is rather suboptimal (there are chunks of data
in key: value using a custom format, with a one-letter identifier, and
there are 2 log files to look at, with pointers from one to the other to
the config of several hundred rules...), it may take a while to detect
all errors before switching it to "on" and not just "detect only".

Then, we will need to do a few things to actually get that in prod:
- add a second bridge to the server for the purpose of connecting to an
internal network
- deciding what goes on that network
- add a 2nd interface to the VM
- do some dns magic to switch traffic

A few of these require a downtime on the hypervisor and the guest, and
require IT involvement, so I can't yet have an ETA for completion.
But I may do that during Christmas shutdown.
And then, I will likely do the same for gerrit (ie, deploy it on the
proxy, etc).
--
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
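
The message above describes the mod_security audit log as chunks of data marked by one-letter identifiers. As an added example (not part of the original message or of the Gluster infrastructure code), this Python script assumes the ModSecurity 2.x serial audit log layout and counts which rule ids fired on which request paths while the engine is in detection-only mode; the sample log, rule ids, file paths and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample, assuming the ModSecurity 2.x serial audit log layout:
# parts of a transaction are delimited by "--<boundary>-<LETTER>--" lines.
SAMPLE = '''\
--5f2a9c1e-A--
[14/Dec/2016:13:20:01 +0000] CONSTRUCTED-UNIQUE-ID-1 192.0.2.10 51234 198.51.100.5 443
--5f2a9c1e-B--
POST /job/example/configSubmit HTTP/1.1
--5f2a9c1e-H--
Message: Warning. Pattern match "<script" at ARGS:json. [file "/etc/httpd/modsecurity.d/constructed.conf"] [line "14"] [id "900001"] [msg "constructed rule A"]
Message: Warning. Operator GE matched 5 at TX:score. [file "/etc/httpd/modsecurity.d/constructed.conf"] [line "30"] [id "900002"] [msg "constructed rule B"]
Engine-Mode: "DETECTION_ONLY"
--5f2a9c1e-Z--
--7b3d0e42-A--
[14/Dec/2016:13:21:09 +0000] CONSTRUCTED-UNIQUE-ID-2 192.0.2.11 51301 198.51.100.5 443
--7b3d0e42-B--
GET /job/example/ HTTP/1.1
--7b3d0e42-H--
Message: Warning. Pattern match "<script" at RESPONSE_BODY. [file "/etc/httpd/modsecurity.d/constructed.conf"] [line "14"] [id "900001"] [msg "constructed rule A"]
Engine-Mode: "DETECTION_ONLY"
--7b3d0e42-Z--
'''

BOUNDARY = re.compile(r'^--[0-9a-fA-F]{8}-([A-Z])--$')  # part marker, e.g. --5f2a9c1e-H--
RULE_ID = re.compile(r'\[id "(\d+)"\]')                 # rule id inside a Message: line

def rule_hits(text):
    """Count (rule id, request path) pairs so noisy rules can be triaged before enforcing."""
    hits, part, path = Counter(), None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            part = m.group(1)
            if part == 'A':            # new transaction: forget the previous request
                path = None
        elif part == 'B' and path is None and line:
            fields = line.split(' ')   # request line: METHOD URI VERSION
            path = fields[1].split('?')[0] if len(fields) >= 2 else line
        elif part == 'H' and line.startswith('Message:'):
            for rule_id in RULE_ID.findall(line):
                hits[(rule_id, path or '<no request part>')] += 1
    return hits

if __name__ == '__main__':
    for (rule_id, path), count in rule_hits(SAMPLE).most_common():
        print(f'{count:4d}  rule {rule_id}  {path}')
```
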