
Jenkins & Nginx Infrastructure Summary

This document summarizes the technical workflow for setting up a secure, proxied Jenkins environment on an Amazon Linux 2023 EC2 instance, focusing on storage architecture and network security.


1. Storage Architecture: Two-Volume Strategy

To ensure system stability and data persistence, the instance is configured with two separate Elastic Block Store (EBS) volumes.

[Image of EC2 instance with separate root and data EBS volumes]

Volume A: Root Volume (/)

  • Purpose: OS files, binaries, and system configurations.
  • Benefit: If the OS becomes corrupted, the system can be wiped and reinstalled without losing user/application data.

Volume B: Data Volume (Mounted at /var/lib/jenkins)

  • Purpose: All Jenkins jobs, build history, user configurations, and plugin data.
  • Benefits:
    • Independent Scaling: You can increase the size of the data volume without touching the OS volume.
    • Portability: This volume can be detached and reattached to a new EC2 instance in minutes, allowing for easy upgrades or disaster recovery. Two caveats: an EBS volume can only be attached to an instance in the same Availability Zone (use a snapshot to move it elsewhere), and file ownership is stored as numeric uid/gid, so the jenkins user on the new instance must have the same uid or the data must be chowned after mounting.
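The two-volume setup above as an added example script (it is not from the original post). It assumes the data volume appears as /dev/nvme1n1, is formatted with xfs, and that Jenkins runs as the jenkins user; check lsblk on your own instance first. The fstab line is built by a separate function so it can be inspected without root.

```shell
#!/usr/bin/env bash
# Added example: mount a second EBS volume at /var/lib/jenkins on Amazon Linux 2023.
# Assumptions (adjust to your instance): the data volume shows up as /dev/nvme1n1,
# it is formatted with xfs, and Jenkins runs as the "jenkins" user.
set -euo pipefail

DATA_DEV="${DATA_DEV:-/dev/nvme1n1}"
MOUNT_POINT="${MOUNT_POINT:-/var/lib/jenkins}"
SERVICE_USER="${SERVICE_USER:-jenkins}"

# Build the /etc/fstab line. Mount by UUID because NVMe device names are not stable
# across reboots, and use "nofail" so a detached or missing volume does not drop the
# instance into emergency mode, where it would also be unreachable over SSH.
fstab_entry() {
  local uuid="$1" mountpoint="$2" fstype="${3:-xfs}"
  printf 'UUID=%s %s %s defaults,nofail 0 2\n' "$uuid" "$mountpoint" "$fstype"
}

# True when a non-comment fstab line already mounts the given mount point, so the
# script can be re-run without appending duplicate entries.
fstab_has_mount() {
  local mountpoint="$1" fstab="${2:-/etc/fstab}"
  grep -Eq "^[^#][^[:space:]]*[[:space:]]+${mountpoint}[[:space:]]" "$fstab"
}

# Root-only part: format (only if blank), persist the mount, mount it, hand it to Jenkins.
provision_data_volume() {
  # Never reformat a volume that already carries a filesystem: that is the difference
  # between reattaching a disaster-recovery volume and wiping it.
  if [ -z "$(lsblk -no FSTYPE "$DATA_DEV")" ]; then
    mkfs.xfs "$DATA_DEV"
  fi
  local uuid
  uuid="$(blkid -s UUID -o value "$DATA_DEV")"
  mkdir -p "$MOUNT_POINT"
  if ! fstab_has_mount "$MOUNT_POINT"; then
    fstab_entry "$uuid" "$MOUNT_POINT" >> /etc/fstab
  fi
  mount -a                            # fails now if the fstab line is wrong, not at next boot
  mountpoint -q "$MOUNT_POINT"        # confirm the data volume really is mounted there
  chown "$SERVICE_USER:$SERVICE_USER" "$MOUNT_POINT"
  chmod 750 "$MOUNT_POINT"
}

# Running or sourcing the file without --apply only defines the functions.
if [ "${1:-}" = "--apply" ]; then
  provision_data_volume
fi
```

Run it as root with --apply after attaching the volume and before installing Jenkins; if Jenkins is already installed, stop it and copy the existing /var/lib/jenkins onto the new volume first, because mounting over a populated directory hides its contents. To grow the data volume later, resize it in EBS and run xfs_growfs /var/lib/jenkins (the device has no partition table, so no growpart step is needed).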

2. Infrastructure Architecture (Network)

The setup uses a Reverse Proxy model to enhance security.

Before (Direct Access)

  • Port: 8080, with Jenkins listening on all interfaces.
  • Flow: User → Internet Gateway → Security Group (Port 8080) → Jenkins.
  • Risks: Jenkins's own HTTP server is exposed directly to the public internet, so every Jenkins endpoint is reachable by anyone who can send packets to port 8080.

After (Reverse Proxy)

  • Port: 80 (HTTP); 443 once TLS is added.
  • Flow: User → Internet Gateway → Security Group (Port 80) → Nginx → 127.0.0.1:8080 → Jenkins.
  • Benefits: The security group rule for 8080 is removed and Jenkins binds to loopback, so the only path to Jenkins is through Nginx. Nginx terminates the client connection (and later TLS), so clients never talk to Jenkins's HTTP stack directly.

3. Operations & Troubleshooting

Executing as Service Users

For service accounts such as jenkins, whose login shell does not allow interactive logins:

  • One-liners: sudo -u jenkins touch <file>
  • Interactive: sudo -u jenkins -s runs your own shell (from $SHELL) as jenkins, so it works even though the account's login shell refuses logins; sudo -u jenkins -i would try that login shell and fail.
  • Permissions: sudo -u jenkins echo "data" > <file> does not do what it looks like, because the redirection is performed by your shell before sudo starts, so the file is written as you (or not at all). Pipe through tee instead: echo "data" | sudo -u jenkins tee <file> >/dev/null.

Common Commands

| Action | Command |
| :--- | :--- |
| Check Mounts | lsblk or df -h |
| Nginx Health | sudo systemctl status nginx |
| Jenkins Health | sudo systemctl status jenkins |
| Jenkins Logs | sudo journalctl -u jenkins -e |
| Socket Info | sudo ss -tunlp \| grep -E ':(80\|8080)' |


4. Key Takeaways & Learnings

Storage Best Practices

  • Separate Concerns: Always keep application data on a secondary volume. A runaway build that fills /var/lib/jenkins then only fills that volume; on a single-volume host it fills the root filesystem, breaking logging, package updates and SSH logins along with Jenkins.
  • Mounting Logic: Ensure /etc/fstab is configured so the data volume mounts automatically on reboot. Reference the volume by UUID rather than device name, and add the nofail option so a missing or detached volume does not drop the instance into emergency mode, where it is unreachable over SSH.

Security & Hardening

  • Local Binding: Binding Jenkins to 127.0.0.1:8080 ensures it only talks to Nginx; it is unreachable from other hosts even if a security group rule for 8080 were ever reintroduced. Because Jenkins then only ever sees connections from 127.0.0.1, Nginx must pass X-Forwarded-For and X-Forwarded-Proto headers and the Jenkins URL must be set to the public address; otherwise Jenkins sees every client as localhost and warns that the reverse proxy setup is broken.
  • Syntax Checks: Run nginx -t before every reload. A single missing semicolon or an extra colon (e.g., keepalive: instead of keepalive 32;) makes the configuration invalid: systemctl reload nginx then fails and keeps the old configuration running, while systemctl restart nginx leaves the proxy down, and with it every route to Jenkins.
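The reverse-proxy wiring from section 2 together with the local-binding and nginx -t points above, as one added example script (these are not the original post's files). It assumes the systemd-packaged Jenkins on Amazon Linux 2023, which reads JENKINS_LISTEN_ADDRESS and JENKINS_PORT from a drop-in, that nginx.conf includes /etc/nginx/conf.d/*.conf, and an illustrative hostname jenkins.example.com. The config text comes from functions so it can be inspected without touching the host, and the listener check is shown against constructed ss output as well as the live one.

```shell
#!/usr/bin/env bash
# Added example: bind Jenkins to loopback and front it with Nginx on Amazon Linux 2023.
# Assumptions: systemd-packaged Jenkins (honours JENKINS_LISTEN_ADDRESS / JENKINS_PORT
# from a drop-in), nginx.conf includes /etc/nginx/conf.d/*.conf, hostname is illustrative.
set -euo pipefail

SERVER_NAME="${SERVER_NAME:-jenkins.example.com}"   # assumed hostname

# systemd drop-in: Jenkins listens on 127.0.0.1:8080 only, so the only route in is Nginx.
render_jenkins_override() {
  cat <<'EOF'
[Service]
Environment="JENKINS_LISTEN_ADDRESS=127.0.0.1"
Environment="JENKINS_PORT=8080"
EOF
}

# Nginx site: proxy to loopback and forward the client's real address and scheme,
# which Jenkins needs to build correct URLs and to record who actually connected.
render_nginx_conf() {
  local server_name="$1"
  cat <<EOF
upstream jenkins {
    keepalive 32;                 # "keepalive: 32;" here is the classic typo nginx -t catches
    server 127.0.0.1:8080;
}

server {
    listen 80 default_server;
    server_name ${server_name};

    location / {
        proxy_pass         http://jenkins;
        proxy_http_version 1.1;
        proxy_set_header   Connection "";
        proxy_set_header   Host              \$http_host;
        proxy_set_header   X-Real-IP         \$remote_addr;
        proxy_set_header   X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto \$scheme;
        proxy_read_timeout 90;
        client_max_body_size 10m;       # plugin uploads and archived artifacts
        proxy_request_buffering off;    # stream large uploads instead of spooling them
    }
}
EOF
}

# Reads `ss -tunlp` output on stdin and succeeds only if every :8080 listener is on
# loopback. A "*:8080" or "0.0.0.0:8080" line means the drop-in did not take effect.
jenkins_bound_to_loopback() {
  awk '$5 ~ /:8080$/ && $5 !~ /^(127\.0\.0\.1|\[::1\]):8080$/ { bad = 1 } END { exit bad }'
}

# Constructed ss output (not captured from a real host) for before and after the change.
SS_BEFORE='tcp LISTEN 0 50 *:8080 *:* users:(("java",pid=2345,fd=12))'
SS_AFTER='tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1234,fd=6))
tcp LISTEN 0 50 127.0.0.1:8080 0.0.0.0:* users:(("java",pid=2345,fd=12))'

apply() {
  mkdir -p /etc/systemd/system/jenkins.service.d
  render_jenkins_override > /etc/systemd/system/jenkins.service.d/override.conf
  systemctl daemon-reload
  systemctl restart jenkins

  render_nginx_conf "$SERVER_NAME" > /etc/nginx/conf.d/jenkins.conf
  nginx -t                      # a syntax error stops here; the running config stays untouched
  systemctl reload nginx

  ss -tunlp | jenkins_bound_to_loopback \
    || { echo "Jenkins is still listening on a public address" >&2; exit 1; }
}

# Running or sourcing the file without --apply only defines the functions.
if [ "${1:-}" = "--apply" ]; then
  apply
fi
```

The script cannot close the security group for you: remove the inbound 8080 rule separately, for example with aws ec2 revoke-security-group-ingress --group-id <sg-id> --protocol tcp --port 8080 --cidr 0.0.0.0/0 (group id assumed). If nginx.conf still carries the distribution's catch-all server block, default_server here makes this site win for unmatched hosts. Inbound WebSocket agents would additionally need the Upgrade and Connection headers passed through, which this minimal site does not do.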

5. Next Steps

  • Snapshotting: Set up Amazon Data Lifecycle Manager policies to snapshot the data volume on a schedule. EBS snapshots are crash-consistent, so take them while Jenkins is idle (or briefly stop the service) if you need consistent job state.
  • SSL/TLS: Terminate TLS at Nginx with a certificate, redirect port 80 to 443, and pass X-Forwarded-Proto so Jenkins generates https links.