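#!/bin/bash
#
# Jenkins behind an Apache TLS reverse proxy on Ubuntu (EC2).
#
# Installs Jenkins and Apache, puts Apache on :443 in front of Jenkins'
# :8080 listener and issues a self-signed certificate for HOSTNAME.
# Run as a sudo-capable user (for example the default "ubuntu" account).
#
# The values in the marked section are pasted verbatim into the
# certificate subject and the Apache vhost; keep them free of shell
# metacharacters ($, `, \).
#################################################################
## Set the values in this section
#################################################################
# Public DNS name clients will use; becomes the certificate CN.
# (This deliberately shadows bash's automatic HOSTNAME variable.)
HOSTNAME='ec2-3-26-43-48.ap-southeast-2.compute.amazonaws.com'
COUNTRY='AU'
STATE='Australian Capital Territory'
CITY='Canberra'
ORG='MyCompany'
ORG_UNIT='IT'
EMAIL='somebody@gmail.com'
#################################################################
# -e: stop at the first failing command.
# -u: a mistyped variable name is an error instead of an empty string
#     silently landing in a certificate subject or Apache directive.
# pipefail is intentionally not set: pipelines whose reader exits early
# (head -c N) would otherwise be reported as failures.
set -eu
# Trace every command. Anything passed on a command line shows up in the
# trace, so do not put secrets in arguments while this is on.
set -x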
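## Base system, the Jenkins apt repository, Java, Jenkins and Apache.
# apt-get rather than apt: apt warns that its CLI is not stable for scripts.
# DEBIAN_FRONTEND=noninteractive keeps debconf prompts from hanging an
# unattended run (e.g. from cloud-init). sudo resets the environment, so the
# variable is passed through env(1) rather than exported.
apt_ni() {
  sudo env DEBIAN_FRONTEND=noninteractive apt-get "$@"
}
apt_ni update
apt_ni upgrade -y
# Download the signing key to a temp file first. With `curl | sudo tee`,
# a failed download still leaves an (empty) keyring behind and set -e does
# not notice because tee succeeds; here curl's failure aborts the script
# before anything is installed. TLS is the only integrity check on this
# download -- compare the key's fingerprint with one obtained out of band
# if you have it.
jenkins_key_url='https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key'
jenkins_keyring='/usr/share/keyrings/jenkins-keyring.asc'
key_tmp=$(mktemp)
curl -fsSL -o "$key_tmp" "$jenkins_key_url"
sudo install -o root -g root -m 0644 -- "$key_tmp" "$jenkins_keyring"
rm -f -- "$key_tmp"
printf 'deb [signed-by=%s] https://pkg.jenkins.io/debian-stable binary/\n' "$jenkins_keyring" \
  | sudo tee /etc/apt/sources.list.d/jenkins.list > /dev/null
apt_ni update
## Install Java before Jenkins: the jenkins package does not declare a
## Java dependency and its dpkg configure step fails without a JVM.
## NOTE(review): Jenkins LTS releases require a specific minimum Java
## version; confirm that default-jdk on this Ubuntu release satisfies it.
apt_ni install -y default-jdk
apt_ni install -y jenkins apache2
echo starting jenkins
sudo systemctl start jenkins.service
# NOTE(review): Jenkins' own :8080 listener is left untouched by this
# script, so a client that can reach 8080 directly bypasses the TLS proxy
# and the security headers configured later in this script. Block the
# port with the security group or bind Jenkins to 127.0.0.1 via a systemd
# drop-in for jenkins.service.
sudo a2enmod proxy proxy_http headers ssl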
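# Apache TLS front end for Jenkins. Written to sites-available and enabled
# with a2ensite (the Debian convention) so it ends up at
# sites-enabled/ssl.conf as before. mod_ssl and mod_proxy are already
# loaded by a2enmod above; LoadModule lines in a vhost file would only
# produce "module already loaded" warnings. "Listen 443" comes from
# ports.conf, which adds it once ssl_module is loaded.
# NOTE(review): nothing redirects :80 to :443 -- the distribution default
# site still answers there, so a first visit over plain http never sees
# the HSTS header. Add a redirect vhost (and a2dissite 000-default) if
# that matters.
sudo tee /etc/apache2/sites-available/ssl.conf > /dev/null <<EOF
<VirtualHost *:443>
    ServerName ${HOSTNAME}
    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    <Proxy "*">
        Require all granted
    </Proxy>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/my-cert.pem
    SSLCertificateKeyFile /etc/ssl/private/my-key.pem
    # The distribution ssl.conf only disables SSLv3; also drop TLS 1.0/1.1.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # Exports client-certificate data into SSL_* environment variables.
    # Nothing here maps those variables onto request headers for the
    # backend, so for the proxied app this is presumably inert; kept from
    # the original configuration.
    SSLOptions +ExportCertData
    # HSTS. "preload" does nothing unless the name is submitted to the
    # preload list, and includeSubdomains is moot for a bare EC2 host name;
    # both are harmless here but reconsider them for a domain you own.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    # "always set" replaces whatever the backend sends; relax to SAMEORIGIN
    # if a plugin needs to frame Jenkins pages.
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
    # nocanon + NoDecode: hand URL-encoded slashes to Jenkins untouched.
    ProxyPass / http://localhost:8080/ retry=0 nocanon
    ProxyPassReverse / http://localhost:8080/
    ProxyPreserveHost on
    AllowEncodedSlashes NoDecode
    # Let Jenkins know the external scheme/port so it generates https URLs.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
    ErrorLog /var/log/apache2/ssl-error_log
    TransferLog /var/log/apache2/ssl-access_log
</VirtualHost>
EOF
sudo a2ensite ssl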
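## Self-signed certificate matching HOSTNAME.
## HOSTNAME goes into a subjectAltName as well as the CN: current browsers
## match on the SAN and ignore the CN, so without it the certificate would
## never match the host name even though the CN is right.
## Key material is generated in a private temp directory that is removed
## on exit; previously key.pem and cert.pem were left in the home directory.
## The former "CA password" is gone: genrsa writes key.pem unencrypted, so
## the -passin value protected nothing and only leaked into the set -x
## trace and the process list.
cert_days=9999   # unchanged from the original; shorten if your policy requires it
cert_workdir=$(mktemp -d)
trap 'rm -rf -- "${cert_workdir:?}"' EXIT
cd "$cert_workdir"
umask 077   # anything created here (key.pem in particular) is owner-only
# Unquoted heredoc: the configured values expand directly, so no sed pass is
# needed and a "/" or "&" in a value no longer corrupts the substitution.
# The values come from the script author, not from untrusted input.
cat > server-config <<EOF
# OpenSSL configuration file.
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_req
[ req_distinguished_name ]
C=${COUNTRY}
ST=${STATE}
L=${CITY}
CN=${HOSTNAME}
O=${ORG}
OU=${ORG_UNIT}
emailAddress=${EMAIL}
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${HOSTNAME}
EOF
openssl genrsa -out key.pem 2048
# -x509 signs the request with its own key in one step (no CSR to tidy up)
# and applies the v3_req extensions named above.
openssl req -x509 -new -sha256 -key key.pem -days "$cert_days" \
  -config server-config -out cert.pem
# install(1) rather than cp so owner and mode are explicit: the private key
# must never be group- or world-readable.
sudo install -o root -g root -m 0644 -- cert.pem /etc/ssl/certs/my-cert.pem
sudo install -o root -g root -m 0600 -- key.pem /etc/ssl/private/my-key.pem
sudo systemctl restart apache2
set +x
## Print the initial admin password for the browser setup wizard.
jenkins_pw_file='/var/lib/jenkins/secrets/initialAdminPassword'
# Jenkins writes this file during start-up; wait (bounded) rather than
# aborting under set -e if the service is still initialising.
for ((i = 0; i < 60; i++)); do
  sudo test -f "$jenkins_pw_file" && break
  sleep 2
done
echo '**********************************************************'
echo '** Initial administration password to enter into browser:'
sudo cat "$jenkins_pw_file"
echo '**********************************************************'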