Support for JEP380 Unix Domain Sockets as provided by Jetty #345
Comments
Can you further explain how Unix domain socket support in Winstone would help Jenkins users? The benefit is not clear to me.
Unix domain sockets allow you to connect to a server where the server address is a socket file on a filesystem, not an internet accessible address. Socket files on a filesystem can have filesystem permissions as well as SELinux permissions applied to them, thus providing a mechanism to force incoming requests to pass through a web application firewall running in front of Jenkins. This matters in environments that have to meet compliance requirements.
Doesn't a reverse proxy configuration already provide most of the benefits of that type of isolation? The Jenkins controller can be configured to listen only on the localhost interface and then allow the nginx or Apache reverse proxy to handle the traffic outside the machine.
You still have a socket accessible internally on the machine to any logged-in user to a port you have to configure. With a Unix domain socket you have a socket available internally to the reverse proxy user only at a path guaranteed not to clash with anyone else. For the avoidance of doubt the plan is to contribute a PR for this. The code seems very straightforward to add; you just need to use the correct Jetty constructor and parameters in the Jetty you're already using.
(Obligatory disclaimer: Not a maintainer of this repo, or packaging) Please consider submitting a PR for https://www.jenkins.io/doc/book/installing/initial-settings/ (and possibly related pages on jenkins.io) to document this beyond the Winstone CLI help.
I think that it would also be much appreciated if the reverse proxy configuration instructions were extended to include Unix domain sockets support. I assume that the most popular reverse proxies are the first choice, like: I assume it would not apply to the following reverse proxies:
I'm not sure on the other reverse proxies.
What feature do you want to see added?
Jetty supports JEP380 Unix Domain Sockets.
Add the required command line options and constructors to use Unix Domain Sockets as per Jetty docs.
Upstream changes
https://webtide.com/unixdomain-support-in-jetty/
https://eclipse.dev/jetty/documentation/jetty-11/programming-guide/index.html#pg-server-http-connector
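An added example, not part of the issue and not Winstone's code: a minimal embedded Jetty 11 server bound to a Unix domain socket through `UnixDomainServerConnector` (module `jetty-unixdomain-server`, Java 16 or later), with the filesystem permissions that restrict who can connect. The path `/run/jenkins/jenkins.sock` is hypothetical, and the directory's group is assumed to be the reverse proxy's group.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.unixdomain.server.UnixDomainServerConnector;

public class UnixDomainSocketExample {
    public static void main(String[] args) throws Exception {
        // Hypothetical location; keep it short, Linux limits socket paths
        // to roughly 108 bytes.
        Path dir = Path.of("/run/jenkins");
        Path socket = dir.resolve("jenkins.sock");

        // The directory is the primary gate: the owner has full access, the
        // group (assumed to be the reverse proxy's group) may traverse it,
        // and all other local users are shut out.
        Files.createDirectories(dir);
        Files.setPosixFilePermissions(dir,
                PosixFilePermissions.fromString("rwxr-x---"));

        // Remove a stale socket file from a previous run so the bind succeeds.
        Files.deleteIfExists(socket);

        Server server = new Server();
        UnixDomainServerConnector connector =
                new UnixDomainServerConnector(server, new HttpConnectionFactory());
        connector.setUnixDomainPath(socket);
        server.addConnector(connector);
        server.start();

        // Connecting to a Unix socket requires write permission on the socket
        // file. Set the mode explicitly instead of relying on the process
        // umask; the directory mode above already covers the short window
        // between bind and this call.
        Files.setPosixFilePermissions(socket,
                PosixFilePermissions.fromString("rw-rw----"));

        server.join();
    }
}
```

Unlike a listener on `127.0.0.1`, a local account outside the owning user and group cannot open this socket at all, so the reverse proxy in front of it cannot be bypassed from the same host.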