Notice: this Wiki will be going read only early in 2024 and edits will no longer be possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Difference between revisions of "Hudson-ci/Running Hudson behind Apache"
m |
m |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
== Introduction == | == Introduction == | ||
In situations where you have existing web sites on your server, you may find it useful to run Hudson (or the servlet container that Hudson runs in) behind Apache, so that you can bind Hudson to the part of a bigger website that you may have. This document discusses some of the approaches for doing this. | In situations where you have existing web sites on your server, you may find it useful to run Hudson (or the servlet container that Hudson runs in) behind Apache, so that you can bind Hudson to the part of a bigger website that you may have. This document discusses some of the approaches for doing this. | ||
| + | |||
| + | __TOC__ | ||
{{warning| Make sure that you change the Hudson ''httpListenAddress'' from its default of 0.0.0.0 to 127.0.0.1 or any Apache-level restrictions can be easily bypassed by hitting the Hudson port directly.}} | {{warning| Make sure that you change the Hudson ''httpListenAddress'' from its default of 0.0.0.0 to 127.0.0.1 or any Apache-level restrictions can be easily bypassed by hitting the Hudson port directly.}} | ||
| Line 51: | Line 53: | ||
If you'd like to run Hudson with reverse proxy in HTTPS, one user reported that HTTPS needs to be terminated at Hudson, not at the front-end Apache. See [http://hudson.361315.n4.nabble.com/Hudson-behind-an-Apache-Reverse-Proxy-w-SSL-td370997.html this e-mail thread] for more discussion. | If you'd like to run Hudson with reverse proxy in HTTPS, one user reported that HTTPS needs to be terminated at Hudson, not at the front-end Apache. See [http://hudson.361315.n4.nabble.com/Hudson-behind-an-Apache-Reverse-Proxy-w-SSL-td370997.html this e-mail thread] for more discussion. | ||
| − | Alternatively, you can add an additional {{code|ProxyPassReverse}} directive to redirect non-SSL URLs generated by Hudson to the SSL side. Assuming that your webserver is | + | Alternatively, you can add an additional {{code|ProxyPassReverse}} directive to redirect non-SSL URLs generated by Hudson to the SSL side. Assuming that your webserver is '''your.host.com''', placing the following within the SSL virtual host definition will do the trick: |
{{codeblock|<pre>ProxyRequests Off | {{codeblock|<pre>ProxyRequests Off | ||
| Line 83: | Line 85: | ||
nohup java -jar "$WAR" --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT --prefix=/hudson >> "$LOG" 2>&1 &</pre>}} | nohup java -jar "$WAR" --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT --prefix=/hudson >> "$LOG" 2>&1 &</pre>}} | ||
Then setup Apache so that it knows that the prefix /hudson is being served by AJP in the httpd.conf file: | Then setup Apache so that it knows that the prefix /hudson is being served by AJP in the httpd.conf file: | ||
| − | {{codeblock|<pre> | + | {{codeblock|<pre>LoadModule jk_module libexec/httpd/mod_jk.so |
AddModule mod_jk.c | AddModule mod_jk.c | ||
Latest revision as of 12:14, 18 August 2011
| Hudson Continuous Integration Server | |
| Website | |
| Download | |
| Community | |
| Mailing List • Forums • IRC • mattermost | |
| Issues | |
| Open • Help Wanted • Bug Day | |
| Contribute | |
| Browse Source |
|
Running Hudson behind Apache |
|---|
Introduction
In situations where you have existing web sites on your server, you may find it useful to run Hudson (or the servlet container that Hudson runs in) behind Apache, so that you can bind Hudson to the part of a bigger website that you may have. This document discusses some of the approaches for doing this.
mod_proxy
mod_proxy works by making Apache perform "reverse proxy". — When a request arrives for certain URLs, Apache becomes a proxy and further forward that request to Hudson, then it forwards the response back to the client.
The following Apache modules must be installed :
- a2enmod proxy
- a2enmod proxy_http
A typical set up for mod_proxy would look like this:
ProxyPass /hudson http://localhost:8081/hudson ProxyPassReverse /hudson http://localhost:8081/hudson ProxyRequests Off |
- Local reverse proxy authorization override
- Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
<Proxy http://localhost:8081/hudson*> Order deny,allow Allow from all </Proxy> |
This assumes that you run Hudson on port 8081. {(note|For this set up to work, the context path of Hudson must be the same between your Apache and Hudson (that is, you can't run Hudson on http://localhost:8081/ci and have it exposed at http://localhost:80/hudson).
Set the context path in Windows by modifying the hudson.xml configuration file and adding {code|--prefix=/hudson} (or similar) to the <arguments> entry.}}
The _ProxyRequests Off_ prevents Apache from functioning as a forward proxy server (except for _ProxyPass_), it is advised to include it unless the server should function as a proxy.
If you are running Apache on a Security-Enhanced Linux (SE-Linux) machine it is essential to make SE-Linux do the right thing by issuing as root
setsebool -P httpd_can_network_connect true |
If this is not issued Apache will not be allowed to forward proxy requests to Hudson and only an error message will be displayed.
Because hudson already compress its output, you can not use the normal proxy-html filter to modify urls:
SetOutputFilter proxy-html |
Instead you can use the following:
SetOutputFilter INFLATE;proxy-html;DEFLATE ProxyHTMLURLMap http://your_server:8080/hudson /hudson |
See http://wiki.uniformserver.com/index.php/Reverse_Proxy_Server_2:_mod_proxy_html_2 But since hudson seems to be well behaved it even better to just not use SetOutputFilter and ProxyHTMLURLMap.
If there are problems with hudson sometimes servicing random garbage pages, then the following may help:
SetEnv proxy-nokeepalive 1 |
mod_proxy with HTTPS
If you'd like to run Hudson with reverse proxy in HTTPS, one user reported that HTTPS needs to be terminated at Hudson, not at the front-end Apache. See this e-mail thread for more discussion.
Alternatively, you can add an additional ProxyPassReverse directive to redirect non-SSL URLs generated by Hudson to the SSL side. Assuming that your webserver is your.host.com, placing the following within the SSL virtual host definition will do the trick:
ProxyRequests Off ProxyPreserveHost On <Proxy http://localhost:8081/hudson*> Order deny,allow Allow from all </Proxy> ProxyPass /hudson http://localhost:8081/hudson ProxyPassReverse /hudson http://localhost:8081/hudson ProxyPassReverse /hudson http://your.host.com/hudson |
Yet another option is to rewrite the Location headers that contain non-ssl URL's generated by Hudson. If you want to access Hudson from https://www.example.com/hudson, placing the following within the SSL virtual host definition also works:
ProxyRequests Off ProxyPreserveHost On ProxyPass /hudson/ http://localhost:8081/hudson/ <Location /hudson/> ProxyPassReverse / Order deny,allow Allow from all </Location> Header edit Location ^http://www.example.com/hudson/ https://www.example.com/hudson/ |
mod_ajp/mod_proxy_ajp
I wanted to have Hudson running in a different workspace than my normal Tomcat server, but both available via the Apache web server. So, first up, modify Hudson to use a different web and ajp port than Tomcat:
HTTP_PORT=9080 AJP_PORT=9009 ... nohup java -jar "$WAR" --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT --prefix=/hudson >> "$LOG" 2>&1 & |
Then setup Apache so that it knows that the prefix /hudson is being served by AJP in the httpd.conf file:
LoadModule jk_module libexec/httpd/mod_jk.so AddModule mod_jk.c #== AJP hooks == JkWorkersFile /etc/httpd/workers.properties JkLogFile /private/var/log/httpd/mod_jk.log JkLogLevel info JkLogStampFormat "[%a %b %d %H:%M:%S %Y] " JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories JkRequestLogFormat "%w %V %T" # Here are 3 sample applications - 2 that are being served by Tomcat, and Hudson JkMount /friki/* worker1 JkMount /pebble/* worker1 JkMount /hudson/* worker2 |
Then finally the workers.conf file specified above, that just tells AJP which port to use for which web application:
# Define 2 real workers using ajp13 worker.list=worker1,worker2 # Set properties for worker1 (ajp13) worker.worker1.type=ajp13 worker.worker1.host=localhost worker.worker1.port=8009 worker.worker1.lbfactor=50 worker.worker1.cachesize=10 worker.worker1.cache_timeout=600 worker.worker1.socket_keepalive=1 # Set properties for worker2 (ajp13) worker.worker2.type=ajp13 worker.worker2.host=localhost worker.worker2.port=9009 worker.worker2.lbfactor=50 worker.worker2.cachesize=10 worker.worker2.cache_timeout=600 worker.worker2.socket_keepalive=1 worker.worker2.recycle_timeout=300 |
mod_rewrite
Some people attempted to use mod_rewrite to do this, but this will never work if you do not add a _ProxyPassReverse_. See this thread if you'd like to know why.
The following Apache modules must be installed :
a2enmod rewrite
a2enmod proxy
a2enmod proxy_http
{noformat}A typical set up for mod_rewrite would look like this:
{noformat}# Use last flag because no more rewrite can be applied after proxy pass
RewriteRule ^/hudson(.*)$ http://localhost:8081/hudson$1 [P,L]
ProxyPassReverse /hudson http://localhost:8081/hudson
ProxyRequests Off
# Local reverse proxy authorization override
# Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
<Proxy http://localhost:8081/hudson*>
Order deny,allow
Allow from all
</Proxy>
|
This assumes that you run Hudson on port 8081. For this set up to work, the context path of Hudson must be the same between your Apache and Hudson (that is, you can't run Hudson on http://localhost:8081/ci and have it exposed at http://localhost:80/hudson])
The ProxyRequests Off prevents Apache from functioning as a forward proxy server (except for ProxyPass), it is advised to include it unless the server should function as a proxy.