CentOS 7: Install Jenkins CI

Setting up Jenkins

Install Prerequisites

yum install -y epel-release unzip vim wget git

Install openJDK

yum -y install java-1.8.0-openjdk java-1.8.0-openjdk-devel

Configure Java

# Setting up the default JDK
alternatives --config java
# Set JAVA_HOME by adding the following line at the bottom of /etc/bashrc
export JAVA_HOME=$(dirname $(dirname $(readlink $(readlink $(which javac)))))
# Get the updated JAVA_HOME into current shell
source /etc/bashrc
# Check the JAVA version
java -version

Install Jenkins

# Download Jenkins repository file
wget -O /etc/yum.repos.d/jenkins.repo http://pkg.jenkins-ci.org/redhat-stable/jenkins.repo
# Import Jenkins GPG key
rpm --import https://jenkins-ci.org/redhat/jenkins-ci.org.key
# Install Jenkins
yum install -y jenkins

Configure Jenkins

# Change JENKINS_LISTEN_ADDRESS in /etc/sysconfig/jenkins as follows
# in order to stop listning for remote connections
JENKINS_LISTEN_ADDRESS="127.0.0.1"
# Force Jenkins to use a specific timezone
JENKINS_JAVA_OPTIONS="-Djava.awt.headless=true -Dfile.encoding=UTF8 -Dorg.apache.commons.jelly.tags.fmt.timeZone=Asia/Colombo -Duser.timezone=Asia/Colombo"

Start and Enable Jenkins

systemctl start jenkins
systemctl enable jenkins

Setting up Nginx Reverse Proxy

Install Nginx

yum install -y nginx

Configure SSL

# Create SSL folder
mkdir /etc/nginx/ssl
# Generate custom DH parameters
openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048
# Create a Self-Signed SSL certificate for *.zone24x7.lk
openssl req -newkey rsa:2048 -nodes -keyout /etc/nginx/ssl/selfsign.key -x509 -days 365 -out /etc/nginx/ssl/selfsign.crt -subj "/C=LK/ST=WP/L=Colombo/O=Example (Private) Limited/CN=*.example.com"
# Restores default SELinux contexts
restorecon -RF /etc/nginx/ssl

Replace the content of /etc/nginx/nginx.conf with the following

# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
multi_accept on;
use epoll;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# Character set
charset utf-8;
# Required to prevent bypassing of DNS cache!!
resolver 127.0.0.1 ipv6=off;
# allow the server to close the connection after a client stops responding. Frees up socket-associated memory.
reset_timedout_connection on;
# Security Headers
server_tokens off;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header "X-Permitted-Cross-Domain-Policies" "master-only";
add_header "X-Download-Options" "noopen";
# Buffers
client_header_timeout 300;
client_body_timeout 300;
fastcgi_read_timeout 300;
client_max_body_size 32m;
fastcgi_buffers 8 128k;
fastcgi_buffer_size 128k;
# Compression
gzip on;
gzip_vary on;
gzip_comp_level 1;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE [1-6]\.";
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/x-javascript
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/xml
text/plain
text/javascript
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
}

Create /etc/nginx/conf.d/jenkins.conf file with the following

server {
listen 80 default_server;
server_name jenkins.example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2 default_server;
server_name jenkins.example.com;
client_max_body_size 10G;
# optimize downloading files larger than 1G
proxy_max_temp_file_size 2048M;
ssl_certificate /etc/nginx/ssl/selfsign.crt;
ssl_certificate_key /etc/nginx/ssl/selfsign.key;
# openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
access_log off;
error_log /var/log/nginx/jenkins.error.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;
proxy_pass http://127.0.0.1:8080;
proxy_read_timeout 300;
}
}

SELinux policy to allow Nginx to connect to the network

setsebool -P httpd_can_network_connect 1

Start and Enable Nginx

systemctl start nginx
systemctl enable nginx

Open TCP port 80 and 443 through firewall

firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload