Apache frontend for security

See Running Hudson behind Apache for general information about running Hudson on Apache. This page only covers the security aspect of it.

It is possible to run Apache in front of the Tomcat instance that hosts Hudson. You will need an apache-2.2 build with mod_proxy enabled. The example below shows an invocation of the apache-2.2 configure script with parameters that enable mod_proxy, mod_proxy_ajp, LDAP and SSL.

root@buildhost# sudo ./configure --enable-proxy \
--enable-ldap \
--enable-vhost \
--enable-ssl \
--enable-suexec \
--enable-rewrite \
--enable-proxy-ajp \
--enable-authnz-ldap \
--enable-mods-shared=all \
--with-ssl \
--with-ldap \
--with-ldap-include=/usr/include/ \
--prefix=/opt/apache/httpd-2.2.6

Edit the httpd-vhosts.conf file in ${APACHE_HOME}/conf/extras to make Apache aware of your Tomcat server. The exact location of this file depends on how and from where you installed Apache.

The example below shows a virtual host configuration for an Apache that runs on the same machine as Hudson. Hudson is configured here to run an AJP connector on port 8102. The virtual host is also configured to protect Hudson with basic authentication (htpasswd), which covers resources such as project configuration, Hudson management, and project deletion. See the Apache manual for examples of basic and other authentication scheme configuration.

<VirtualHost *:80>
    ServerAdmin your@email.address.com
    DocumentRoot "/opt/apache/httpd/htdocs"
    ServerName hudson.yourdomain.com
    ErrorLog "logs/hudson-error_log"

    # Forward /hudson/ to the AJP connector Hudson exposes on the loopback interface
    ProxyPass /hudson/ ajp://127.0.0.1:8102/hudson/
    ProxyPassReverse /hudson/ ajp://127.0.0.1:8102/hudson/
    <Location />
        Order allow,deny
        Allow from all
    </Location>
    # Everything under /hudson/ requires a user from the htpasswd file.
    # Without the Require line Apache never issues an authentication challenge.
    <Location /hudson/>
        AuthType Basic
        AuthName "Hudson"
        AuthUserFile "/opt/apache/httpd/conf/.htpasswd"
        Require valid-user
    </Location>
</VirtualHost>

This approach is suitable if the access control need is simple (such as hiding Hudson from everyone but a few people), but it tends to break down for more complex setups (such as making Hudson visible to anonymous users while allowing only a few people to modify the settings).

If you do access control in Apache, do not enable security in Hudson, as those two things will interfere with each other.

Running Hudson with AJP

Hudson can then be run as follows so that it listens only for AJP connections on port 8102, with no HTTP listener at all. Binding to 127.0.0.1 also ensures that external hosts cannot talk to Hudson directly, bypassing Apache:

java -jar hudson.war --httpPort=-1 --ajp13Port=8102 --ajp13ListenAddress=127.0.0.1

If you are running Hudson inside a servlet container, refer to its documentation on how to prevent direct connections from outside to Hudson. In Tomcat, for example, this is done by setting the address attribute on the AJP connector definition; see http://tomcat.apache.org/tomcat-5.5-doc/config/ajp.html#Standard%20Implementation. For the localhost setting used above, use address="127.0.0.1".
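The two points above (the basic-auth vhost, and running Hudson on a loopback-only AJP listener) can be checked mechanically. The following is an added example, not part of this page or of Hudson or Apache; it parses a vhost fragment to find Location blocks that set AuthType but never Require anything (Apache only challenges when a Require applies, so such a block protects nothing), lists ProxyPass prefixes that no enforcing Location covers, and verifies a "java -jar hudson.war" command line against the flags recommended above. The sample vhost is constructed, modelled on the one above with the Require line deliberately missing.

```python
import re

# Constructed sample modelled on the vhost from this page, with the
# "Require valid-user" line left out of /hudson/ so the check has a finding.
SAMPLE_VHOST = """\
<VirtualHost *:80>
    ProxyPass /hudson/ ajp://127.0.0.1:8102/hudson/
    ProxyPassReverse /hudson/ ajp://127.0.0.1:8102/hudson/
    <Location />
        Order allow,deny
        Allow from all
    </Location>
    <Location /hudson/>
        AuthType Basic
        AuthName "Hudson"
        AuthUserFile "/opt/apache/httpd/conf/.htpasswd"
    </Location>
</VirtualHost>
"""

def parse_locations(conf):
    """Map each <Location PATH> block to the lower-cased directive names in it."""
    locs = {}
    for m in re.finditer(r"<Location\s+(\S+)\s*>(.*?)</Location>", conf, re.S):
        locs[m.group(1)] = [ln.split()[0].lower() for ln in m.group(2).splitlines()
                            if ln.strip() and not ln.lstrip().startswith("#")]
    return locs

def unenforced_auth(conf):
    """Locations that set AuthType but never Require anything: Apache only sends
    a 401 challenge when a Require applies, so the proxied backend stays open."""
    return sorted(path for path, names in parse_locations(conf).items()
                  if "authtype" in names and "require" not in names)

def unprotected_proxy_prefixes(conf):
    """ProxyPass prefixes not covered by a Location that carries a Require."""
    protected = [p for p, names in parse_locations(conf).items() if "require" in names]
    prefixes = re.findall(r"^\s*ProxyPass\s+(\S+)", conf, re.M)
    return sorted(p for p in prefixes if not any(p.startswith(q) for q in protected))

def hudson_loopback_ajp_only(cmdline):
    """True when a 'java -jar hudson.war' line disables HTTP and binds AJP to
    127.0.0.1, as this page recommends; any other --httpPort is a finding."""
    opts = dict(a.split("=", 1) for a in cmdline.split() if a.startswith("--") and "=" in a)
    return (opts.get("--httpPort") == "-1" and opts.get("--ajp13Port", "").isdigit()
            and opts.get("--ajp13ListenAddress") == "127.0.0.1")

if __name__ == "__main__":
    print("auth configured but not enforced:", unenforced_auth(SAMPLE_VHOST))
    print("proxied without Require:", unprotected_proxy_prefixes(SAMPLE_VHOST))
```

Adding the Require line to the /hudson/ block empties both findings; the parser is intentionally minimal (one Location per line pattern, no Include handling) and is meant for vhost fragments like the one on this page.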
