
Support for JEP380 Unix Domain Sockets as provided by Jetty #345

Closed
minfrin opened this issue Sep 5, 2023 · 6 comments · Fixed by #346

Comments

@minfrin
Contributor

minfrin commented Sep 5, 2023

What feature do you want to see added?

Jetty supports JEP380 Unix Domain Sockets.

Add the required command line options and constructors to use Unix Domain Sockets as per Jetty docs.

Upstream changes

https://webtide.com/unixdomain-support-in-jetty/
https://eclipse.dev/jetty/documentation/jetty-11/programming-guide/index.html#pg-server-http-connector

@MarkEWaite
Contributor

Can you further explain how Unix domain socket support in Winstone would help Jenkins users? The benefit is not clear to me.

@minfrin
Contributor Author

minfrin commented Sep 5, 2023

> Can you further explain how Unix domain socket support in Winstone would help Jenkins users? The benefit is not clear to me.

Unix domain sockets allow you to connect to a server where the server address is a socket file on a filesystem, not an internet accessible address.

Socket files on a filesystem can have filesystem permissions as well as SELinux permissions applied to them, thus providing a mechanism to force incoming requests to pass through a web application firewall running in front of jenkins.

This matters in environments that have to meet compliance requirements.

@MarkEWaite
Contributor

> Socket files on a filesystem can have filesystem permissions as well as SELinux permissions applied to them, thus providing a mechanism to force incoming requests to pass through a web application firewall running in front of Jenkins.

Doesn't a reverse proxy configuration already provide most of the benefits of that type of isolation? The Jenkins controller can be configured to listen only on the localhost interface and then allow the nginx or Apache reverse proxy to handle the traffic outside the machine.

@minfrin
Contributor Author

minfrin commented Sep 5, 2023

> Doesn't a reverse proxy configuration already provide most of the benefits of that type of isolation? The Jenkins controller can be configured to listen only on the localhost interface and then allow the nginx or Apache reverse proxy to handle the traffic outside the machine.

You still have a socket accessible internally on the machine to any logged-in user, on a port you have to configure. With a Unix domain socket you have a socket available internally to the reverse proxy user only, at a path guaranteed not to clash with anyone else.

For the avoidance of doubt, the plan is to contribute a PR for this. The code seems very straightforward to add: you just need to use the correct Jetty constructor and parameters in the Jetty you're already using.
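As an added illustration of the Jetty-side wiring the thread is talking about (this is example code written for this page, not code from the issue, from Winstone or from the later PR), the snippet below stands up a JEP 380 connector and restricts the socket so that only the service account and the reverse proxy's group can connect. The socket path, the directory and the permission bits are assumptions; the connector class and `setUnixDomainPath` are Jetty's own (module `jetty-unixdomain-server`, Java 16 or later).

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.unixdomain.server.UnixDomainServerConnector;

public class UnixSocketServer {
    public static void main(String[] args) throws Exception {
        // Assumed location: a directory that only the service account (owner)
        // and the reverse proxy (group) can traverse, so no other local user
        // can even reach the socket file.
        Path sockDir = Path.of("/run/jenkins");
        Path sockPath = sockDir.resolve("jenkins.sock");

        // 0750 on the directory (applied only if the directory is created here).
        Files.createDirectories(sockDir,
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwxr-x---")));
        // A stale socket file left by a previous run would make bind() fail.
        Files.deleteIfExists(sockPath);

        Server server = new Server();
        // The JEP 380 connector: no TCP port is opened at all.
        UnixDomainServerConnector connector =
            new UnixDomainServerConnector(server, new HttpConnectionFactory());
        connector.setUnixDomainPath(sockPath);
        server.addConnector(connector);
        server.setHandler(new DefaultHandler());
        server.start();

        // The socket file exists only after start(). On Linux a client needs
        // write permission on it to connect, so 0660 limits connections to the
        // owner and the group the reverse proxy runs as.
        Files.setPosixFilePermissions(sockPath, PosixFilePermissions.fromString("rw-rw----"));
        server.join();
    }
}
```

With the reverse proxy placed in that group, nginx would reach the backend with `proxy_pass http://unix:/run/jenkins/jenkins.sock;`, and no listener remains on a localhost port for other local users to find.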

@daniel-beck
Member

(Obligatory disclaimer: Not a maintainer of this repo, or packaging)

Please consider submitting a PR for https://www.jenkins.io/doc/book/installing/initial-settings/ (and possibly related pages on jenkins.io) to document this beyond the Winstone CLI help.

@MarkEWaite
Contributor

MarkEWaite commented Nov 7, 2023

> Please consider submitting a PR for https://www.jenkins.io/doc/book/installing/initial-settings/ (and possibly related pages on jenkins.io) to document this beyond the Winstone CLI help.

I think that it would also be much appreciated if the reverse proxy configuration instructions were extended to include Unix domain sockets support. I assume that the most popular reverse proxies are the first choice, like:

I assume it would not apply to the following reverse proxies:

I'm not sure on the other reverse proxies
