Recently I installed a Jenkins server and wanted to hide it behind an Nginx proxy.
My Nginx proxy works fine, and I read that I should restrict Jenkins to 127.0.0.1:8080.
Therefore, I edited the config file /etc/default/jenkins
and put in the line below:
JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=8080 --httpListenAddress=127.0.0.1"
After restarting Jenkins, I still have access to Jenkins on port 8080.
Environment:
Ubuntu 20.04
OpenJDK 11
Jenkins 2.332.1
Netstat output:
sudo netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 2313/java
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 970/nginx: master p
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 708/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 946/sshd: /usr/sbin
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 757/cupsd
tcp6 0 0 :::80 :::* LISTEN 970/nginx: master p
tcp6 0 0 :::22 :::* LISTEN 946/sshd: /usr/sbin
tcp6 0 0 ::1:631 :::* LISTEN 757/cupsd
P.S. I tried on EC2/Amazon Linux 2, same issue.
2 Answers
While it won’t hurt to restrict port 8080 in an AWS environment, there really isn’t a reason to worry about it. You’ll want to set up a security group for your server so everything is blocked except for maybe port 22 (ssh), port 80 (http) and port 443 (https). You can do this through the AWS console.
To do this, go to the AWS console and select EC2 and then your instance. In the middle of the page is the "Security" tab. From there you can create a security group to determine what traffic you allow in and out.
In this way no one can connect to any ports that you don’t allow in. You’re not currently using https it looks like and so you may want to leave out port 443 until you’re ready.
As of Jenkins version 2.332.1, which you indicated you are running, Jenkins made the switch from running as a service using classic SysV init scripts over to fully integrating with systemd on Linux distributions that support it, which includes Ubuntu 20.04. I don’t see any signs that the systemd unit file for Jenkins ever parses /etc/default/jenkins, meaning those settings are only parsed by the SysV init script, which would explain why your configuration had no effect there.
As you found, setting the environment variable in /lib/systemd/system/jenkins.service indeed works, but your instinct is absolutely correct that it is not best practice to directly edit the unit file managed by the packaging system. As with most things in Linux, the /etc directory is where administrators are meant to put their configuration files, and /lib and /usr/lib are reserved for the package manager, so luckily systemd is no exception to this and provides a mechanism for such changes.
Systemd has the concept of "drop-in" directories where you can place ".conf" files with partial systemd unit configurations whose directives will override those in the main unit file. From the systemd.unit man page:
Here’s how I set up Jenkins 2.332.1 on Ubuntu 20.04 using a systemd drop-in override to bind the listener to 127.0.0.1:
Verify Jenkins is running and listening on all addresses/interfaces:
Create a systemd drop-in directory for Jenkins:
Create an override file using your favorite editor. You can name it whatever you want as long as it has a .conf extension. Personally, I prefer something descriptive and to begin with a number so that I can control the lexicographic order in which the files are parsed, should I ever end up with multiple override files. Given that, I created a file /etc/systemd/system/jenkins.service.d/50-listen-address-override.conf with the following content:
Now, all we have to do is tell systemd that we made some changes we want it to reparse:
And we can restart Jenkins to give it its new config:
If we verify our work, we can now see that Jenkins is only bound to 127.0.0.1:
For what it’s worth, you can also use the command systemctl edit jenkins to create the override, and systemd will create the drop-in directory and override file automatically for you and drop you into your default editor to write the file contents; however, it does not give you the freedom to choose your own name for the override file, giving it instead a generic name of override.conf.
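The drop-in and the before/after listener check described in the answer above, as an added example that is not the answerer's original commands. The function names are hypothetical, and JENKINS_LISTEN_ADDRESS is assumed to be the variable the packaged jenkins.service reads (the page does not name it); the first sample line comes from the question's netstat output, the second is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the answer.

# write_dropin DIR: write the listen-address override into DIR. On a real host
# DIR is /etc/systemd/system/jenkins.service.d, followed by
# `systemctl daemon-reload` and `systemctl restart jenkins`.
# Assumption: JENKINS_LISTEN_ADDRESS is the variable the packaged unit reads.
write_dropin() {
    mkdir -p "$1" &&
    printf '[Service]\nEnvironment="JENKINS_LISTEN_ADDRESS=127.0.0.1"\n' \
        > "$1/50-listen-address-override.conf"
}

# exposed_listeners PORT: read `netstat -plnt` output on stdin and print every
# listening local address on PORT that is not loopback.
# Returns 0 when nothing is exposed, 1 otherwise.
exposed_listeners() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] != port) next
            host = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "::1") next
            print $4
            bad = 1
        }
        END { exit bad + 0 }'
}

# First line is from the question's netstat output; second is constructed.
BEFORE='tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 2313/java'
AFTER='tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 2313/java'

for sample in "$BEFORE" "$AFTER"; do
    if printf '%s\n' "$sample" | exposed_listeners 8080 >/dev/null; then
        echo "8080 is loopback-only"
    else
        echo "8080 is reachable from other hosts"
    fi
done
```

On the host itself, pipe the live output through the check: sudo netstat -plnt | exposed_listeners 8080.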