Github Jenkins Webhook安全问题
[英]Github Jenkins webhook security problems
问题描述
I've been using Github Jenkins webhook for a while with no problem. 
我已经使用Github Jenkins webhook一段时间了,没有问题。 I have my Jenkins running behind a Nginx proxy and the only security installed was the nginx htpasswd. 我的Jenkins在Nginx代理后面运行,并且安装的唯一安全性是nginx htpasswd。 So my Github webhook looked like this: 所以我的Github Webhook看起来像这样:
https://user:pass@jenkins.blablabla.biz/job/script/buildWithParameters https:// user:pass@jenkins.blablabla.biz/job/script/buildWithParameters
Being user and pass the credentials from htpasswd file. 作为用户并通过htpasswd文件传递凭据。
Right now I'm trying to add users to my Jenkins and I activated matrix based security to it with the option to register and login to Jenkins. 现在,我正在尝试将用户添加到我的Jenkins中,并为其激活了基于矩阵的安全性,并可以选择注册和登录Jenkins。 The server works perfect initially asking for nginx credentials and jenkins login second. 该服务器在最初要求Nginx凭据和第二个jenkins登录时运行完美。
I created a github user in Jenkins and I generated a token for him. 我在詹金斯创建了一个github用户,并为他生成了一个令牌。 Now I changed my Github webhook to use the new Jenkins github user credentials: 现在,我将Github Webhook更改为使用新的Jenkins github用户凭据:
https://github:token@jenkins.blablabla.biz/job/script/buildWithParameters https:// github:token@jenkins.blablabla.biz/job/script/buildWithParameters
As long as I know this should work. 只要我知道这应该工作。 But it does not. 但事实并非如此。 I think that the problem here is having the two security systems activated (nginx htpasswd and jenkins login). 我认为这里的问题是激活了两个安全系统(nginx htpasswd和jenkins登录)。 But I want both. 但是我都想要。
Do I have to use the two credentials in my webhook? 我必须在Webhook中使用这两个凭证吗? How can I do that? 我怎样才能做到这一点?
When I use nginx credential Github receives this response from jenkins when webhook is triggered: 当我使用nginx凭证时,当触发webhook时,Github会收到jenkins的以下响应:
Authentication required You are authenticated as: anonymous Groups that you are in: Permission you need to have (but didn't): hudson.model.Hudson.Read ... which is implied by: hudson.security.Permission.GenericRead ... which is implied by: hudson.model.Hudson.Administer
And when I use jenkins credential Github receives this response from jenkins when webhook is triggered: 当我使用jenkins凭证时,触发webhook时Github会收到jenkins的以下响应:
401 Authorization Required
401 Authorization Required
nginx/1.11.10
2 个解决方案
解决方案1
1 2017-07-13 00:41:40
You can disable basic auth in you nginx.conf for one url: 您可以在nginx.conf中为一个网址禁用基本身份验证:
location /github-webhook/ {
auth_basic "off";
...
}
location / {
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
...
}
解决方案2
0 已采纳 2017-04-19 07:09:51
Finally I decided to shut down the Nginx Http based security and rely only on the jenkins security. 最终,我决定关闭基于Nginx Http的安全性,仅依靠jenkins安全性。 Now my jenkins server is visible from anywhere. 现在,我的jenkins服务器在任何地方都可见。 I changed the format of the Github jenkins webhook in order to use the Jenkins token root plugin: https://wiki.jenkins-ci.org/display/JENKINS/Build+Token+Root+Plugin 为了使用Jenkins令牌根插件,我更改了Github jenkins webhook的格式: https ://wiki.jenkins-ci.org/display/JENKINS/Build+Token+Root+Plugin
I didn't find a way to use both authentication methods. 我没有找到使用两种身份验证方法的方法。 The idea was to ask for an extra pass (http based) If someone tried to access from outside the office. 如果有人试图从办公室外访问,则需要额外的通行证(基于HTTP)。
That's all. 就这样。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.