From 664595525fd052b4b02d9a04e5e422e9b3e852f8 Mon Sep 17 00:00:00 2001 From: Birajit Saikia Date: Sat, 21 Dec 2024 16:30:06 +0530 Subject: [PATCH 1/4] added support for unix domain sockets in pomerium reverse proxy --- .../reverse-proxy-configuration-pomerium.adoc | 97 +++++++++++++++++++ 1 file changed, 97 insertions(+) diff --git a/content/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-pomerium.adoc b/content/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-pomerium.adoc index 73a5c0e55bcb..87e8b35f5919 100644 --- a/content/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-pomerium.adoc +++ b/content/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-pomerium.adoc 
@@ -296,3 +296,100 @@ For example: - You can build a policy that only allows users to access Jenkins at certain times of day or days of the week, or limit access to certain devices - You can import custom groups claims from your IdP and only allow access to members of the group + +== Configuring Pomerium with Unix Domain Sockets + +Starting from Jenkins version 2.452.1 , Jenkins supports Unix domain sockets. This can be particularly useful for improving security and performance. + +### Prerequisites + +Ensure that you have Pomerium installed and configured according to the [Pomerium documentation](https://www.pomerium.com/docs/). + +### Configuration Steps + +1. **Update Pomerium Configuration:** + + Add and update the following to your Pomerium configuration to enable Unix domain sockets: + + ```config.yaml + authenticate_service_url: https://authenticate.localhost.pomerium.io/oauth2/callback + + idp_provider: REPLACE_ME + idp_provider_url: REPLACE_ME + idp_client_id: REPLACE_ME + idp_client_secret: REPLACE_ME + + signing_key: REPLACE_ME + + routes: + - from: https://verify.localhost.pomerium.io + to: http://verify:8000 + pass_identity_headers: true + allow_websockets: true + policy: + - allow: + and: + - email: + is: user@example.com + - from: https://jenkins.localhost.pomerium.io + to: http://jenkins:8080 + host_rewrite_header: true + pass_identity_headers: true + policy: + - allow: + and: + - domain: + is: example.com + - user: + is: username + ``` + +2. **Configure Jenkins:** + + Ensure that Jenkins is configured to listen on the Unix domain socket. 
Update your Jenkins configuration as follows: + + ```docker-compose.yaml + networks: + main: {} + services: + pomerium: + image: pomerium/pomerium:latest + volumes: + - ./config.yaml:/pomerium/config.yaml:ro + - /var/run/jenkins.sock:/var/run/jenkins.sock + ports: + - 443:443 + networks: + main: + aliases: + - authenticate.localhost.pomerium.io + + verify: + networks: + main: {} + image: pomerium/verify:latest + expose: + - 8000 + + jenkins: + networks: + main: {} + image: jenkins/jenkins:lts-jdk11 + privileged: true + user: root + environment: + JAVA_OPTS: "-Djenkins.httpListenAddress=unix:/var/run/jenkins/jenkins.socket" + JENKINS_UNIX_DOMAIN_PATH: "/var/run/jenkins/jenkins.socket" + volumes: + - ./home/jenkins_compose/jenkins_configuration:/var/jenkins_home + - /var/run/docker.sock:/var/run/docker.sock + - /var/run/jenkins:/var/run/jenkins + ``` + +3. **Restart Services:** + + Restart both Jenkins and Pomerium to apply the new configuration. + +### Verification + +After restarting the services, verify that Jenkins is accessible through the Unix domain socket by navigating to your Jenkins URL (e.g., `https://jenkins.example.com`). From dc336913d862280b28fb50439189e69b7e1f8930 Mon Sep 17 00:00:00 2001 From: Birajit Saikia Date: Sat, 21 Dec 2024 19:28:27 +0530 Subject: [PATCH 2/4] Update reverse-proxy-configuration-pomerium.adoc --- .../reverse-proxy-configuration-pomerium.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-pomerium.adoc b/content/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-pomerium.adoc index 87e8b35f5919..61f947007397 100644 --- a/content/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-pomerium.adoc 
+++ b/content/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-pomerium.adoc @@ -311,7 +311,7 @@ Ensure that you have Pomerium installed and configured according to the [Pomeriu Add and update the following to your Pomerium configuration to enable Unix domain sockets: - ```config.yaml + ```yaml title=config.yaml authenticate_service_url: https://authenticate.localhost.pomerium.io/oauth2/callback idp_provider: REPLACE_ME @@ -348,7 +348,7 @@ Ensure that you have Pomerium installed and configured according to the [Pomeriu Ensure that Jenkins is configured to listen on the Unix domain socket. Update your Jenkins configuration as follows: - ```docker-compose.yaml + ```yaml title=docker-compose.yaml networks: main: {} services: From 14213dccabadce4ec420bcb99fa03ee696b981b1 Mon Sep 17 00:00:00 2001 From: Birajit Saikia Date: Sat, 21 Dec 2024 20:36:05 +0530 Subject: [PATCH 3/4] Updated reverse-proxy-configuration-pomerium.adoc --- .../reverse-proxy-configuration-pomerium.adoc | 160 +++++++++--------- 1 file changed, 80 insertions(+), 80 deletions(-) diff --git a/content/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-pomerium.adoc b/content/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-pomerium.adoc index 61f947007397..5805c77a71b1 100644 --- a/content/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-pomerium.adoc +++ b/content/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-pomerium.adoc 
@@ -307,88 +307,88 @@ Ensure that you have Pomerium installed and configured according to the [Pomeriu ### Configuration Steps -1. **Update Pomerium Configuration:** - - Add and update the following to your Pomerium configuration to enable Unix domain sockets: - - ```yaml title=config.yaml - authenticate_service_url: https://authenticate.localhost.pomerium.io/oauth2/callback - - idp_provider: REPLACE_ME - idp_provider_url: REPLACE_ME - idp_client_id: REPLACE_ME - idp_client_secret: REPLACE_ME - - signing_key: REPLACE_ME - - routes: - - from: https://verify.localhost.pomerium.io - to: http://verify:8000 - pass_identity_headers: true - allow_websockets: true - policy: - - allow: - and: - - email: - is: user@example.com - - from: https://jenkins.localhost.pomerium.io - to: http://jenkins:8080 - host_rewrite_header: true - pass_identity_headers: true - policy: - - allow: - and: - - domain: - is: example.com - - user: - is: username - ``` - -2. **Configure Jenkins:** - - Ensure that Jenkins is configured to listen on the Unix domain socket. Update your Jenkins configuration as follows: - - ```yaml title=docker-compose.yaml +## 1. Update Pomerium Configuration : + +Add and update the following to your Pomerium configuration to enable Unix domain sockets: + +```yaml +authenticate_service_url: https://authenticate.localhost.pomerium.io/oauth2/callback + +idp_provider: REPLACE_ME +idp_provider_url: REPLACE_ME +idp_client_id: REPLACE_ME +idp_client_secret: REPLACE_ME + +signing_key: REPLACE_ME + +routes: + - from: https://verify.localhost.pomerium.io + to: http://verify:8000 + pass_identity_headers: true + allow_websockets: true + policy: + - allow: + and: + - email: + is: user@example.com + - from: https://jenkins.localhost.pomerium.io + to: http://jenkins:8080 + host_rewrite_header: true + pass_identity_headers: true + policy: + - allow: + and: + - domain: + is: example.com + - user: + is: username +``` + +## 2. 
Configure Jenkins : + +Ensure that Jenkins is configured to listen on the Unix domain socket. Update your Jenkins configuration as follows: + +```yaml +networks: + main: {} +services: + pomerium: + image: pomerium/pomerium:latest + volumes: + - ./config.yaml:/pomerium/config.yaml:ro + - /var/run/jenkins.sock:/var/run/jenkins.sock + ports: + - 443:443 + networks: + main: + aliases: + - authenticate.localhost.pomerium.io + + verify: networks: main: {} - services: - pomerium: - image: pomerium/pomerium:latest - volumes: - - ./config.yaml:/pomerium/config.yaml:ro - - /var/run/jenkins.sock:/var/run/jenkins.sock - ports: - - 443:443 - networks: - main: - aliases: - - authenticate.localhost.pomerium.io - - verify: - networks: - main: {} - image: pomerium/verify:latest - expose: - - 8000 - - jenkins: - networks: - main: {} - image: jenkins/jenkins:lts-jdk11 - privileged: true - user: root - environment: - JAVA_OPTS: "-Djenkins.httpListenAddress=unix:/var/run/jenkins/jenkins.socket" - JENKINS_UNIX_DOMAIN_PATH: "/var/run/jenkins/jenkins.socket" - volumes: - - ./home/jenkins_compose/jenkins_configuration:/var/jenkins_home - - /var/run/docker.sock:/var/run/docker.sock - - /var/run/jenkins:/var/run/jenkins - ``` - -3. **Restart Services:** - - Restart both Jenkins and Pomerium to apply the new configuration. + image: pomerium/verify:latest + expose: + - 8000 + + jenkins: + networks: + main: {} + image: jenkins/jenkins:lts-jdk11 + privileged: true + user: root + environment: + JAVA_OPTS: "-Djenkins.httpListenAddress=unix:/var/run/jenkins/jenkins.socket" + JENKINS_UNIX_DOMAIN_PATH: "/var/run/jenkins/jenkins.socket" + volumes: + - ./home/jenkins_compose/jenkins_configuration:/var/jenkins_home + - /var/run/docker.sock:/var/run/docker.sock + - /var/run/jenkins:/var/run/jenkins +``` + +## 3. Restart Services : + +Restart both Jenkins and Pomerium to apply the new configuration. ### Verification From 5d01523d4705ada6d7af14a7ada0980c960df844 Mon Sep 17 00:00:00 2001 
From: Birajit Saikia Date: Tue, 7 Jan 2025 00:50:51 +0530 Subject: [PATCH 4/4] Apply suggestions from code review Co-authored-by: Kevin Martens <99040580+kmartens27@users.noreply.github.com> --- .../reverse-proxy-configuration-pomerium.adoc | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/content/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-pomerium.adoc b/content/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-pomerium.adoc index 5805c77a71b1..52cc78caaceb 100644 --- a/content/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-pomerium.adoc +++ b/content/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/reverse-proxy-configuration-pomerium.adoc 
@@ -297,19 +297,20 @@ For example: - You can build a policy that only allows users to access Jenkins at certain times of day or days of the week, or limit access to certain devices - You can import custom groups claims from your IdP and only allow access to members of the group -== Configuring Pomerium with Unix Domain Sockets +== Configuring Pomerium with Unix domain sockets -Starting from Jenkins version 2.452.1 , Jenkins supports Unix domain sockets. This can be particularly useful for improving security and performance. +Starting from Jenkins version 2.452.1, Jenkins supports Unix domain sockets. +This support is particularly useful for improving security and performance. ### Prerequisites -Ensure that you have Pomerium installed and configured according to the [Pomerium documentation](https://www.pomerium.com/docs/). +Ensure that you have Pomerium installed and configured according to the link:https://www.pomerium.com/docs[Pomerium documentation]. ### Configuration Steps ## 1. Update Pomerium Configuration : -Add and update the following to your Pomerium configuration to enable Unix domain sockets: +Update your Pomerium configuration to enable Unix domain sockets by adding the following content: ```yaml authenticate_service_url: https://authenticate.localhost.pomerium.io/oauth2/callback @@ -346,7 +347,7 @@ routes: ## 2. Configure Jenkins : -Ensure that Jenkins is configured to listen on the Unix domain socket. Update your Jenkins configuration as follows: +Ensure that Jenkins is configured to listen on the Unix domain socket by updating your Jenkins configuration as follows: ```yaml networks:
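Review bot: On the PATCH 1/4 hunk (@@ -296,3 +296,100 @@), the configuration it adds never wires Pomerium to the Unix domain socket it introduces. The Jenkins route still reads `to: http://jenkins:8080`, a TCP target, while the `jenkins` service is told to listen on `unix:/var/run/jenkins/jenkins.socket` through both `JAVA_OPTS` and `JENKINS_UNIX_DOMAIN_PATH`, so with everything applied as written the route has nothing to connect to. The socket paths also disagree: the `pomerium` service mounts the file `/var/run/jenkins.sock`, but the `jenkins` service creates `jenkins.socket` inside the `/var/run/jenkins` directory. Pick one path, mount that directory into both containers, say which of the two Jenkins settings is authoritative instead of setting both, and either point the route at the socket (if Pomerium's `to:` accepts one) or explain how Pomerium reaches it. Separately, `privileged: true`, `user: root` and the `/var/run/docker.sock` bind mount are unrelated to socket support and give the Jenkins container root-equivalent control of the host, which contradicts the "improving security" motivation in the intro; drop them from the documented example. The file is AsciiDoc, yet the hunk uses Markdown `###` headings, `**bold**` list items, a `[text](url)` link and fences whose language tag is a bare filename (`config.yaml`, `docker-compose.yaml`). Finally, the Verification step names `https://jenkins.example.com` while the route is `https://jenkins.localhost.pomerium.io`, and loading the page only shows that Pomerium reached something; have the reader confirm the socket file exists on the shared mount and that the Jenkins startup log reports binding to it.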
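Review bot: In both PATCH 2/4 hunks (@@ -311,7 @@ and @@ -348,7 @@), appending `title=config.yaml` and `title=docker-compose.yaml` after the `yaml` fence tag is not AsciiDoc syntax; AsciiDoc has no `title=` fence attribute, so the filename will be ignored or mangled into the language name. Use an AsciiDoc block title on the line above each fence (`.config.yaml` and `.docker-compose.yaml`) so the reader still learns which file each block belongs in.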
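Review bot: The PATCH 3/4 hunk (@@ -307,88 +307,88 @@) loses the filenames: the `title=` markers from the previous commit are removed and both fences become plain `yaml`, so nothing tells the reader which block goes in `config.yaml` and which in `docker-compose.yaml`; add block titles above the fences. The new `## 1. Update Pomerium Configuration :` headings are one level above the `### Configuration Steps` heading they are meant to sit under, which makes each step a sibling of the top-level `== Configuring Pomerium with Unix Domain Sockets` section rather than a child of "Configuration Steps"; either keep the numbered list or use one consistent AsciiDoc level scheme, and drop the stray space before each colon. The content problems from the first commit (TCP `to: http://jenkins:8080`, `/var/run/jenkins.sock` versus `/var/run/jenkins/jenkins.socket`, `privileged: true`, `user: root` and the Docker socket mount) are carried over unchanged.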
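Review bot: In the first PATCH 4/4 hunk (@@ -297,19 +297,20 @@), the `link:https://www.pomerium.com/docs[Pomerium documentation]` macro fixes the one Markdown link, but the context lines show `### Prerequisites`, `### Configuration Steps` and `## 1. Update Pomerium Configuration :` are still Markdown-style headings under an `==` AsciiDoc section title; apply the same convention to the headings. The reworded sentence "Update your Pomerium configuration to enable Unix domain sockets by adding the following content" still promises what the block does not deliver: the YAML that follows contains no socket reference, so either the route must change or the sentence should describe what this block actually sets up (the IdP settings and the routes in front of `verify` and Jenkins).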
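Review bot: In the second PATCH 4/4 hunk (@@ -346,7 +347,7 @@), "updating your Jenkins configuration as follows" describes a Docker Compose file that defines three services, not Jenkins configuration; name it as the compose file and call out the two settings in it that Jenkins actually depends on (`JAVA_OPTS` with `-Djenkins.httpListenAddress=unix:...` and `JENKINS_UNIX_DOMAIN_PATH`), so a reader running Jenkins outside Docker knows which values to carry over.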