Locking down Jenkins on port 8080

Tags: apache-2.2, jenkins, tomcat6

My colleague has installed Jenkins on one of our test servers. When I access the server IP and port 8080, Jenkins is running, i.e. 99.999.999.999:8080

I want to lock down the Jenkins application to the outside world and only have it available from internal IP addresses.

So I've set up a VirtualHost in Apache as follows:

<VirtualHost *:80>
   ServerName jenkins.mytestserver.com
   ErrorLog logs/jenkins.mytestserver.com-error_log
   CustomLog logs/jenkins.mytestserver.com-access_log common

   #ProxyPass  /usr/share/tomcat6/webapps/ ajp://127.0.0.1:8080/usr/share/tomcat6/webapps/
   #ProxyPassReverse /usr/share/tomcat6/webapps/ ajp://127.0.0.1:8080/usr/share/tomcat6/webapps/
   #ProxyRequests Off

   ProxyPass / http://localhost:8080/ nocanon
   ProxyPassReverse / http://localhost:8080/
   ProxyRequests Off
   ProxyPreserveHost On

   <Location />
     order deny,allow
     deny from all
     Allow from 11.111.111.111 
   </Location>
</VirtualHost>

The vhost works; I can access Jenkins via jenkins.mytestserver.com and it's blocked from the outside world.

How do I block the outside world from accessing it via 99.999.999.999:8080?

I have a feeling the way I have done the ReverseProxy above is not right, as it's just passing the request to http://localhost:8080/ which is just the same as http://99.999.999.999:8080

I've been referencing the following docs:

https://wiki.jenkins-ci.org/display/JENKINS/Apache+frontend+for+security

https://www.mulesoft.com/tcat/tomcat-connectors (I think the answer to my question is in this doc, but I can't figure it out).

Any help appreciated.

Regards,
Stephen

Best Answer

An easy way to block traffic with iptables

The IPTables HowTo is a pretty good how-to.

The basic idea for how to block would be

sudo iptables -A INPUT -s 192.168.x.x -p tcp --dport 8080 -j ACCEPT

to all your network

sudo iptables -A INPUT -p tcp --dport 8080 -j REJECT

to reject all other networks
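
Added example, not part of the answer above: the same allow-then-reject idea built as an ordered rule set in a dedicated chain, with loopback accepted first so the Apache ProxyPass to http://localhost:8080/ from the question keeps working once everything else is rejected. The chain name JENKINS_IN, the INTERNAL_NET and APPLY variables and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: restrict a TCP port (Jenkins on 8080) to loopback plus one
# internal network. Rules are evaluated top to bottom, first match wins.

# Print the iptables arguments, one rule per line, in evaluation order.
# usage: jenkins_rules <network[/prefix]> <port> [chain]
jenkins_rules() {
    net=$1 port=$2 chain=${3:-JENKINS_IN}   # chain name is hypothetical
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "bad port: $port" >&2; return 1; }
    # Refuse placeholders such as 192.168.x.x: digits, dots and '/' only.
    case $net in
        ''|*[!0-9./]*) echo "bad network: $net" >&2; return 1 ;;
    esac
    cat <<EOF
-N $chain
-A $chain -i lo -j ACCEPT
-A $chain -s $net -j ACCEPT
-A $chain -j REJECT
-I INPUT 1 -p tcp --dport $port -j $chain
EOF
}

# Feed each generated rule to iptables (needs root). The jump is inserted at
# position 1 of INPUT so no earlier ACCEPT rule can let port 8080 through.
apply_rules() {
    rules=$(jenkins_rules "$@") || return 1
    printf '%s\n' "$rules" | while read -r rule; do
        # Word splitting of $rule into separate arguments is intended.
        iptables $rule || exit 1
    done
}

# Nothing is changed unless APPLY=1 is set; INTERNAL_NET must be supplied,
# for example INTERNAL_NET=192.168.0.0/16 (a constructed sample value).
if [ "${APPLY:-0}" = 1 ]; then
    apply_rules "${INTERNAL_NET:?set INTERNAL_NET to your internal network}" 8080
fi
```

Run it without APPLY to review the generated rules first; after applying, `iptables -L JENKINS_IN -n -v` shows the per-rule packet counters, which confirms that proxied requests hit the loopback rule.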
