Setup SSL for Jenkins with Caddy on Ubuntu 22.04

In our previous post, we installed Jenkins on Ubuntu 22.04, but it is running on plain HTTP. In this post we will install and configure Caddy as a reverse proxy that handles SSL termination with Let's Encrypt.

Reconfigure Jenkins Listen Address

If you followed my previous post, Jenkins is listening on all interfaces (0.0.0.0). We would like to change that to 127.0.0.1, so that the Caddy proxy listens on 0.0.0.0:443 and reverse proxies the traffic to 127.0.0.1:8080. With Jenkins bound to loopback, it can no longer be reached directly over unencrypted HTTP from other hosts.

Edit the systemd unit file at /lib/systemd/system/jenkins.service and set the JENKINS_LISTEN_ADDRESS environment variable under the [Service] section to 127.0.0.1:

[Service]
...
Environment="JENKINS_LISTEN_ADDRESS=127.0.0.1"

Then reload systemd:

$ sudo systemctl daemon-reload

Then restart jenkins:

$ sudo systemctl restart jenkins

Then we can validate that Jenkins is listening on localhost only:

$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 127.0.0.1:8080          :::*                    LISTEN      4297/java
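
The same validation can be scripted so that it fails when port 8080 is still bound to a non-loopback address. This is an added example, not part of the original post; the function names classify_listeners and check_loopback_only and the sample listener tables are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify a port is bound to loopback only, from
# `netstat -tulpn` or `ss -tln` output (local address is column 4 in both).

# classify_listeners PORT < listener-table
# Prints "<verdict> <local-address>" for every LISTEN socket on PORT.
classify_listeners() {
  awk -v port="$1" '
    /LISTEN/ {
      addr = $4
      n = split(addr, parts, ":")
      if (parts[n] != port) next            # exact match, so 18080 != 8080
      host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
      gsub(/^\[|\]$/, "", host)             # ss prints IPv6 as [::1]:8080
      if (host ~ /^127\./ || host == "::1" || host ~ /^::ffff:127\./)
        print "loopback", addr
      else
        print "EXPOSED", addr               # 0.0.0.0, ::, * or a real IP
    }'
}

# check_loopback_only PORT < listener-table
# Returns 0 = loopback only, 1 = reachable from other hosts, 2 = no listener.
check_loopback_only() {
  _listeners=$(classify_listeners "$1")
  if [ -z "$_listeners" ]; then
    echo "nothing is listening on port $1" >&2
    return 2
  fi
  printf '%s\n' "$_listeners"
  case "$_listeners" in
    *EXPOSED*) return 1 ;;
    *) return 0 ;;
  esac
}

# Constructed sample data: Jenkins before and after the listen-address change.
SAMPLE_BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp6       0      0 :::8080                 :::*                    LISTEN      4297/java'
SAMPLE_AFTER='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp6       0      0 127.0.0.1:8080          :::*                    LISTEN      4297/java'

# Live usage: sudo netstat -tulpn | check_loopback_only 8080
printf '%s\n' "$SAMPLE_AFTER" | check_loopback_only 8080 && echo "8080: loopback only"
```

A non-zero exit status makes the check usable in a provisioning script or a monitoring probe.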

Install Caddy Reverse Proxy

Install Caddy by following their documentation:

$ sudo apt install debian-keyring debian-archive-keyring apt-transport-https -y
$ curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo tee /etc/apt/trusted.gpg.d/caddy-stable.asc
$ curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list

Then update the indexes and install Caddy:

$ sudo apt update
$ sudo apt install caddy -y

As root, change to the caddy directory:

$ sudo su - 
$ cd /etc/caddy

Create the file /etc/caddy/Caddyfile with the following content (assuming that your fully qualified domain name is jenkins.yourdomain.com):

jenkins.yourdomain.com {
	reverse_proxy http://127.0.0.1:8080
}

Allow ports 80 and 443 on the iptables firewall:

$ iptables -I INPUT -p tcp --dport 80 -j ACCEPT
$ iptables -I INPUT -p tcp --dport 443 -j ACCEPT

Then restart caddy:

$ systemctl restart caddy

Then, after some time, visit your Jenkins URL. If you inspect the certificate, you should see that it is valid.

The last step is to set the Jenkins URL to the new HTTPS URL. You can do that by heading to "Manage Jenkins" -> "Configure System"; under "Jenkins Location" you should see a "Jenkins URL" input field, where you can provide the HTTPS URL.

Thank You

Thanks for reading, if you like my content, check out my website, read my newsletter or follow me at @ruanbekker on Twitter.