Added support for Unix Domain Sockets in Pomerium Reverse Proxy #7772
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -296,3 +296,101 @@ For example: | |||||||||||||
|
|
||||||||||||||
| - You can build a policy that only allows users to access Jenkins at certain times of day or days of the week, or limit access to certain devices | ||||||||||||||
| - You can import custom groups claims from your IdP and only allow access to members of the group | ||||||||||||||
|
|
||||||||||||||
| == Configuring Pomerium with Unix domain sockets | ||||||||||||||
|
|
||||||||||||||
| Starting from Jenkins version 2.452.1, Jenkins supports Unix domain sockets. | ||||||||||||||
| This support is particularly useful for improving security and performance. | ||||||||||||||
|
|
||||||||||||||
| ### Prerequisites | ||||||||||||||
|
|
||||||||||||||
| Ensure that you have Pomerium installed and configured according to the link:https://www.pomerium.com/docs[Pomerium documentation]. | ||||||||||||||
|
|
||||||||||||||
| ### Configuration Steps | ||||||||||||||
|
|
||||||||||||||
| ## 1. Update Pomerium Configuration : | ||||||||||||||
|
Comment on lines
+309
to
+311
There was a problem hiding this comment.
Suggested change
Adjust header formatting to match the rest of the page, remove number from step to match rest of the page formatting, ensure the step is a smaller heading size than the Configuration Steps header. Adjust to use sentence case for header. If these are all steps to configure, they may not need their own headers. They can be listed under the configuration steps header with their respective order (1 -> 2 -> 3) or smaller headers if they have a bunch of information attached, but since steps 3 and 4 have only one sentence, using the steps as headers is unnecessary. There was a problem hiding this comment. Thanks Sir for the feedback. I’ll update the headers to be smaller and ensure they are consistent with the rest of the page, combining some of the steps to make the flow more natural. |
||||||||||||||
|
|
||||||||||||||
| Update your Pomerium configuration to enable Unix domain sockets by adding the following content: | ||||||||||||||
|
|
||||||||||||||
| ```yaml | ||||||||||||||
| authenticate_service_url: https://authenticate.localhost.pomerium.io/oauth2/callback | ||||||||||||||
|
|
||||||||||||||
| idp_provider: REPLACE_ME | ||||||||||||||
| idp_provider_url: REPLACE_ME | ||||||||||||||
| idp_client_id: REPLACE_ME | ||||||||||||||
| idp_client_secret: REPLACE_ME | ||||||||||||||
|
|
||||||||||||||
| signing_key: REPLACE_ME | ||||||||||||||
|
|
||||||||||||||
| routes: | ||||||||||||||
| - from: https://verify.localhost.pomerium.io | ||||||||||||||
| to: http://verify:8000 | ||||||||||||||
| pass_identity_headers: true | ||||||||||||||
| allow_websockets: true | ||||||||||||||
| policy: | ||||||||||||||
| - allow: | ||||||||||||||
| and: | ||||||||||||||
| - email: | ||||||||||||||
| is: [email protected] | ||||||||||||||
| - from: https://jenkins.localhost.pomerium.io | ||||||||||||||
| to: http://jenkins:8080 | ||||||||||||||
| host_rewrite_header: true | ||||||||||||||
| pass_identity_headers: true | ||||||||||||||
| policy: | ||||||||||||||
| - allow: | ||||||||||||||
| and: | ||||||||||||||
| - domain: | ||||||||||||||
| is: example.com | ||||||||||||||
| - user: | ||||||||||||||
| is: username | ||||||||||||||
| ``` | ||||||||||||||
|
|
||||||||||||||
| ## 2. Configure Jenkins : | ||||||||||||||
|
There was a problem hiding this comment.
Suggested change
Adjusting formatting to be aligned with the rest of the page/site. Again, if these steps are all part of the Configuration Steps header, they do not need to be their own separate headings and could just be listed steps underneath "Configuration Steps". |
||||||||||||||
|
|
||||||||||||||
| Ensure that Jenkins is configured to listen on the Unix domain socket by updating your Jenkins configuration as follows: | ||||||||||||||
|
|
||||||||||||||
| ```yaml | ||||||||||||||
| networks: | ||||||||||||||
| main: {} | ||||||||||||||
| services: | ||||||||||||||
| pomerium: | ||||||||||||||
| image: pomerium/pomerium:latest | ||||||||||||||
| volumes: | ||||||||||||||
| - ./config.yaml:/pomerium/config.yaml:ro | ||||||||||||||
| - /var/run/jenkins.sock:/var/run/jenkins.sock | ||||||||||||||
| ports: | ||||||||||||||
| - 443:443 | ||||||||||||||
| networks: | ||||||||||||||
| main: | ||||||||||||||
| aliases: | ||||||||||||||
| - authenticate.localhost.pomerium.io | ||||||||||||||
|
|
||||||||||||||
| verify: | ||||||||||||||
| networks: | ||||||||||||||
| main: {} | ||||||||||||||
| image: pomerium/verify:latest | ||||||||||||||
| expose: | ||||||||||||||
| - 8000 | ||||||||||||||
|
|
||||||||||||||
| jenkins: | ||||||||||||||
| networks: | ||||||||||||||
| main: {} | ||||||||||||||
| image: jenkins/jenkins:lts-jdk11 | ||||||||||||||
|
There was a problem hiding this comment. I would also be cautious to use lts-jdk11 as we do not support Java 11 any longer. If this documentation needs to be updated overall to use lts-jdk17 that can be a separate PR, but I would advise testing using a supported version. |
||||||||||||||
| privileged: true | ||||||||||||||
| user: root | ||||||||||||||
| environment: | ||||||||||||||
| JAVA_OPTS: "-Djenkins.httpListenAddress=unix:/var/run/jenkins/jenkins.socket" | ||||||||||||||
| JENKINS_UNIX_DOMAIN_PATH: "/var/run/jenkins/jenkins.socket" | ||||||||||||||
| volumes: | ||||||||||||||
| - ./home/jenkins_compose/jenkins_configuration:/var/jenkins_home | ||||||||||||||
| - /var/run/docker.sock:/var/run/docker.sock | ||||||||||||||
| - /var/run/jenkins:/var/run/jenkins | ||||||||||||||
| ``` | ||||||||||||||
|
|
||||||||||||||
| ## 3. Restart Services : | ||||||||||||||
|
There was a problem hiding this comment.
Suggested change
Adjusting formatting and capitalization for sentence case. This is very minimal content and would not need its own header section. This would fit better a listed step with the other steps underneath Configuration Steps. There was a problem hiding this comment. Thanks for pointing this out. I will remove the header for "Restart Services" and integrate it into the rest of the steps under "Configuration Steps." |
||||||||||||||
|
|
||||||||||||||
| Restart both Jenkins and Pomerium to apply the new configuration. | ||||||||||||||
|
|
||||||||||||||
| ### Verification | ||||||||||||||
|
|
||||||||||||||
| After restarting the services, verify that Jenkins is accessible through the Unix domain socket by navigating to your Jenkins URL (e.g., `https://jenkins.example.com`). | ||||||||||||||
|
Comment on lines
+394
to
+396
There was a problem hiding this comment.
Suggested change
Same suggestion for the header as above, I would format these into a list of steps instead of multiple headers, especially with the last two not having enough content to justify such formatting. In terms of the last part, avoid using e.g. when possible and if possible, the URL should be something used within the examples like https://jenkins.localhost.pomerium.io or http://jenkins:8080 based on the context. |
||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggestion to use the same type of formatting as elsewhere on the page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I’ll update the header formatting for consistency with the rest of the document by changing it.