26

I have Jenkins sitting behind Nginx, with Nginx taking care of authentication, but Jenkins is still listening on port 8080 externally, so by accessing the box on port 8080 people can bypass Nginx.

How can I tell it to stop listening for remote connections and just accept connections locally?

It looks like it might be something to do with this ajp13ListenAddress param, but I can't figure out how to set that in the init.d script installed with Jenkins.

Thanks loads for any help!

Ludo.

(Looks like there's no Jenkins tag yet and I can't create it as I don't have rep)

gm3dmo
  • 10,057
  • 1
  • 42
  • 36
Ludo
  • 1,099
  • 3
  • 10
  • 11

2 Answers2

29

Debian

If you installed Jenkins from the Debian package, you can modify /etc/default/jenkins and add the following line somewhere:

HTTP_HOST=127.0.0.1

and then add --httpListenAddress=$HTTP_HOST to the JENKINS_ARGS so that it reads something like:

JENKINS_ARGS="--webroot=/var/run/jenkins/war --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT --httpListenAddress=$HTTP_HOST"

Ubuntu

If you installed Jenkins from the Ubuntu Oneiric (11.10) package, edit /etc/init/jenkins.conf and add --httpListenAddress=127.0.0.1 to the JENKINS_ARGS line, so that it reads like:

JENKINS_ARGS="--webroot=$JENKINS_RUN/war --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT --httpListenAddress=127.0.0.1"

RedHat/CentOS/Amazon Linux

If you installed Jenkins using YUM repository, modify /etc/sysconfig/jenkins and edit JENKINS_LISTEN_ADDRESS to JENKINS_LISTEN_ADDRESS=127.0.0.1

Bill Weiss
  • 10,979
  • 3
  • 38
  • 66
Wouter de Bie
  • 719
  • 5
  • 7
  • If like me you are in the third case but you are also using HTTPS, it's JENKINS_HTTPS_LISTEN_ADDRESS that you want to set to 127.0.0.1 – Leogout Mar 02 '22 at 13:25
  • For RHEL/CentOS/Amazon Linux, refer to this [answer](https://stackoverflow.com/a/71507081/2035207). You should edit instead `/lib/systemd/system/jenkins.service` – h q Jun 26 '23 at 08:07
1

Debian 11 from Jenkins Package APT Repository

Edit configurations.

sudo systemctl edit jenkins

Add the following between two comment sections.

[Service]
Environment="JENKINS_LISTEN_ADDRESS=127.0.0.1"

Then restart Jenkins.

sudo systemctl daemon-reload
sudo systemctl restart jenkins

Check the actual command line used to start Jenkins.

sudo systemctl status jenkins

Option --httpListenAddress=127.0.0.1 is appended to the command line.

See also:

bzt
  • 11
  • 2