Reverse Proxy - iptables

The default Jenkins installation runs on ports 8080 and 8444. Typically, HTTP/HTTPS servers run on ports 80 and 443 respectively. However, these ports are considered privileged on UNIX/Linux systems, and the process that uses them must be owned by root. Running Jenkins as root is not recommended; it should run as its own user. One solution is to put a web server such as Apache in front of Jenkins and let it proxy requests to Jenkins, but that also means maintaining an Apache installation. If you want to run Jenkins on port 80 or 443 (i.e. HTTP/HTTPS) but do not want to set up a proxy server, you can use iptables on Linux to forward the traffic.

Ubuntu Installations

Follow the Ubuntu installation instructions to install and configure the initial Jenkins installation on Ubuntu 18.04 or later. These instructions are known to not work on Ubuntu versions prior to 18.04.

Prerequisites

In order to forward traffic from 80/443 to 8080/8443, you must first make sure that iptables allows traffic on all four of these ports. List the current iptables configuration with the following command:

iptables -L -n

You should see in the output entries for 80, 443, 8080, and 8443. Here is an example output for comparison.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If you do not see entries for these ports, you need to run commands (as root, or via sudo) to add them. For example, if none of them are present and all four need to be added, issue the following commands:

sudo iptables -I INPUT 1 -p tcp --dport 8443 -j ACCEPT
sudo iptables -I INPUT 1 -p tcp --dport 8080 -j ACCEPT
sudo iptables -I INPUT 1 -p tcp --dport 443 -j ACCEPT
sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
NOTE

I used -I INPUT 1. In a lot of iptables documentation/examples, you will see -A INPUT. The difference is that -A appends to the list of rules, while -I INPUT 1 inserts before the first entry. Usually when adding new accept ports to iptables configuration, you want to put them at the beginning of the ruleset, not the end. Run iptables -L -n again and you should now see entries for these 4 ports.

Forwarding

Once traffic on the required ports is allowed, you can run the commands to forward port 80 traffic to 8080, and port 443 traffic to 8443. The commands look like this:

sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443

You can verify the forwarding rules with the following command.

(root@xyz ~) # iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:http redir ports 8080
REDIRECT   tcp  --  anywhere             anywhere             tcp dpt:https redir ports 8443

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

With these rules set up and confirmed with iptables -L -n, once your Jenkins instance is up and running on port 8080, try accessing it on port 80 instead of 8080. The URL should stay on port 80; in other words, it should not be redirected to 8080. The fact that traffic is forwarded from 80 to 8080 (or from 443 to 8443) should be hidden from the client.
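The prerequisite and forwarding steps above are easy to get subtly wrong: an ACCEPT appended with -A INPUT lands after a distribution's catch-all REJECT and never fires (the point of the NOTE above), and a REDIRECT is easy to forget for one of the two ports. The following shell script is an added example, not part of the Jenkins documentation: it reads a ruleset in the format written by iptables-save and reports, per expected rule, whether it is present, missing, or shadowed by an earlier REJECT/DROP. The sample ruleset at the bottom is constructed for the example and was not captured from a real host; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Jenkins documentation: audit a saved
# iptables ruleset (iptables-save format) for the rules this page adds.
# check_jenkins_rules reads iptables-save text on stdin, prints one status
# line per expected rule, and returns the number of problems found (0 = OK).

check_jenkins_rules() {
    rules=$(cat)
    problems=0
    # iptables-save writes every rule as "-A", so a rule inserted with
    # "-I INPUT 1" shows only as its line order. Find the first catch-all
    # REJECT/DROP in INPUT: any ACCEPT listed after it never fires.
    reject_line=$(printf '%s\n' "$rules" |
        grep -nE -- '^-A INPUT .*-j (REJECT|DROP)' | head -n 1 | cut -d: -f1)

    for port in 80 443 8080 8443; do
        acc_line=$(printf '%s\n' "$rules" |
            grep -nE -- "^-A INPUT .*-p tcp .*--dport ${port} -j ACCEPT" |
            head -n 1 | cut -d: -f1)
        if [ -z "$acc_line" ]; then
            echo "MISSING  filter INPUT: no ACCEPT for tcp/${port}"
            problems=$((problems + 1))
        elif [ -n "$reject_line" ] && [ "$acc_line" -gt "$reject_line" ]; then
            echo "SHADOWED filter INPUT: ACCEPT for tcp/${port} sits after the REJECT rule"
            problems=$((problems + 1))
        else
            echo "OK       filter INPUT: ACCEPT for tcp/${port}"
        fi
    done

    # nat PREROUTING REDIRECTs; iptables-save spells the target option --to-ports.
    for pair in 80:8080 443:8443; do
        from=${pair%%:*}
        to=${pair##*:}
        if printf '%s\n' "$rules" |
            grep -Eq -- "^-A PREROUTING .*-p tcp .*--dport ${from} -j REDIRECT --to-ports ${to}$"; then
            echo "OK       nat PREROUTING: ${from} -> ${to}"
        else
            echo "MISSING  nat PREROUTING: no REDIRECT ${from} -> ${to}"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Constructed sample in iptables-save format (not captured from a real host).
# It reproduces the mistake the NOTE above warns about: the 8443 ACCEPT was
# appended with "-A INPUT" and so lands after the catch-all REJECT.
sample_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
COMMIT
EOF
}

# Three runs: the sample as-is (8443 shadowed, returns 1), the sample with
# every 443 rule removed as well (returns 3), and the sample with the catch-all
# REJECT removed, after which ordering no longer matters (returns 0).
# On a live host: sudo iptables-save | check_jenkins_rules
sample_rules | check_jenkins_rules || echo "problems found: $?"
sample_rules | grep -v -- '--dport 443 ' | check_jenkins_rules || echo "problems found: $?"
sample_rules | grep -v -- '-j REJECT' | check_jenkins_rules
```

Two caveats when using this against a real host. First, the REDIRECT rules live in the nat PREROUTING chain, which only sees packets arriving on an interface; a connection opened on the host itself (for example curl to localhost:80) does not traverse PREROUTING, so test from another machine, as the text above suggests. Second, the script checks the saved ruleset, not the kernel's counters, so it confirms the rules are present and ordered correctly but not that traffic is actually hitting them; iptables -L -n -v shows per-rule packet counts for that.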

Saving iptables Configuration

Using the iptables command to change port configuration and routing rules only changes the current, in-memory configuration. It does not persist between restarts of the iptables service. So, you need to make sure you save the configuration to make the changes permanent.

Saving the configuration is slightly different between Red Hat rpm-based and Debian-based systems. On a Red Hat-based system (Fedora, CentOS, Red Hat Enterprise Linux, Oracle Linux, etc.), issue the following command:

sudo iptables-save > /etc/sysconfig/iptables

On Debian-based systems (Debian, Ubuntu, Mint, etc.), issue the following command:

sudo sh -c "iptables-save > /etc/iptables.rules"

The iptables-restore command will need to be executed manually, or your system configured to automatically run it on boot, against the /etc/iptables.rules file you have created, in order for your iptables configuration to be retained across reboots. On Ubuntu, the fastest way is to install iptables-persistent after configuring iptables. It will automatically create the required file from the current configuration and load it at boot.

sudo apt-get install iptables-persistent

See https://help.ubuntu.com/community/IptablesHowTo for other Ubuntu options. Many other resources describe this as well; consult your system's documentation or search the internet for information on your flavor of Linux.

If you are unsure at all about what kind of system you have, consult that system’s documentation on how to update iptables configuration.

Using firewalld

Some Linux distributions (CentOS 8, Red Hat Enterprise Linux 8, CentOS 7, etc.) ship with firewalld, which serves as a front-end for iptables. Configuration through firewalld is done via the firewall-cmd command. Instead of using any of the iptables commands above, all you need to do is something like this:

# allow incoming connections on port 80.
# You can also use --add-service=http instead of adding a port number
sudo firewall-cmd --add-port=80/tcp --permanent
sudo firewall-cmd --permanent \
  --add-forward-port=port=80:proto=tcp:toaddr=127.0.0.1:toport=8080

# allow incoming connections on port 443.
# You can also use --add-service=https instead of adding a port number
sudo firewall-cmd --add-port=443/tcp --permanent
sudo firewall-cmd --permanent \
  --add-forward-port=port=443:proto=tcp:toaddr=127.0.0.1:toport=8443

sudo firewall-cmd --reload

With the above commands, Jenkins can be configured to run on localhost:8080 and/or localhost:8443 (depending on whether you need or want to use SSL).

firewalld will then create the required iptables rules so that incoming connections on port 80 are forwarded to Jenkins on 8080 (and 443 is forwarded to 8443).
