Security concern for Gitlab webhook token to Jenkins


Jheison Rodriguez

Mar 18, 2020, 9:05:37 PM
to Jenkins Users

Currently I'm using a webhook token to trigger jobs from GitLab to Jenkins. I have a global user, so a token is set up for all projects, something like this: https://USERID:APITOKEN@JENKINS_URL/project/YOUR_JOB

Additionally, when I create a new version of the Jenkins master the token is updated and I need to update it in each GitLab project.

I'd like to know if someone has experienced this and has managed this kind of setup in another way? Also, how to avoid exposing the token in the webhook URL (security concern) or updating it (even with scripts) for each GitLab project.

Gianluca

Mar 19, 2020, 3:38:10 AM
to Jenkins Users
In our case, we are using GitHub but we had similar concerns.
Our solution was to create a little server with NGINX configured to forward the webhooks to our Jenkins masters.
In this way, we could achieve the following:
1) Jenkins masters are not exposed at all to the internet
2) The configuration is kept inside the server with NGINX (in your case, the token)
3) Changing the Jenkins master only requires a change in the NGINX server, and everything remains the same on GitHub

Richard Bywater

Mar 19, 2020, 3:46:48 AM
to jenkins...@googlegroups.com
I haven't tried it so I don't know if it works, but have you tried passing the Authorization header in the request rather than setting username & password as part of the URL? e.g. `Authorization: Basic username:apiToken`, where the whole `username:apiToken` is base64-encoded.

Richard.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/7d84e91d-3682-4a56-b366-7b92dbbac51e%40googlegroups.com.
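Both suggestions in this thread, Gianluca's NGINX relay that keeps the token on the proxy and Richard's Authorization header in place of credentials in the URL, as one added example that is not code from either poster nor from the Jenkins or GitLab projects. It assumes a POSIX shell with `base64`, a Jenkins master reachable from the proxy at an upstream URL you pass in, GitLab's "Secret token" webhook field (sent by GitLab as the `X-Gitlab-Token` header) used to authenticate the hook to the proxy, and the `/project/<job>` trigger path from the original post; the host name, secret and upstream are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: Jenkins is reachable from
# the proxy at the upstream URL given as the fourth argument, GitLab sends its
# configured "Secret token" in the X-Gitlab-Token header, and jobs are
# triggered via the /project/<job> path shown in the original post.

# Value of the Authorization header for HTTP Basic auth (RFC 7617):
# "user:apitoken", base64-encoded. tr strips the line wrap some base64
# implementations add for long inputs.
basic_auth_header() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Render an nginx server block that sits in front of Jenkins. The webhook URL
# configured in GitLab then carries no credentials at all: the proxy checks the
# shared secret GitLab sends and adds the Jenkins API token itself. Rotating
# the token means editing this one file, not every GitLab project.
# Arguments: jenkins_user jenkins_apitoken gitlab_secret jenkins_upstream
render_nginx_conf() {
    user="$1"; token="$2"; gitlab_secret="$3"; upstream="$4"
    auth="$(basic_auth_header "$user" "$token")"
    cat <<EOF
server {
    listen 443 ssl;
    server_name hooks.example.internal;   # placeholder host name
    # ssl_certificate / ssl_certificate_key omitted; use a real certificate.

    location /project/ {
        # Without this check the proxy is an open relay that authenticates
        # to Jenkins as the global user for anyone who can reach it.
        if (\$http_x_gitlab_token != "$gitlab_secret") {
            return 403;
        }
        # Inject the Jenkins credentials; they never appear in GitLab.
        proxy_set_header Authorization "Basic $auth";
        proxy_set_header Host \$host;
        proxy_pass $upstream;
    }

    # Nothing else is forwarded, so the master stays unreachable from outside.
    location / {
        return 404;
    }
}
EOF
}

# Run directly with four arguments to print the config; with none, do nothing
# so the functions can be sourced.
if [ "$#" -ge 4 ]; then
    render_nginx_conf "$1" "$2" "$3" "$4"
fi
```

Running `sh hook-proxy.sh USER APITOKEN GITLAB_SECRET http://jenkins.internal:8080` prints the server block; the webhook URL in each GitLab project becomes `https://hooks.example.internal/project/YOUR_JOB` with no user or token in it, and only the proxy file changes when the Jenkins token is rotated. If you test the Jenkins endpoint directly, `curl -u USER:APITOKEN ...` builds the same `Authorization: Basic` header that `basic_auth_header` produces, which keeps the token out of proxy and web-server access logs where a credential embedded in the URL would otherwise be recorded.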

Dirk Heinrichs

Mar 19, 2020, 3:54:18 AM
to jenkins...@googlegroups.com
On Wednesday, 18.03.2020, 17:10 -0700, Jheison Rodriguez wrote:

I'd like to know if someone has experienced this and had managed this kind of set up in another way?

We use Smee (https://smee.io/) for this.

HTH...

Dirk
-- 
Dirk Heinrichs
Senior Systems Engineer, Delivery Pipeline
OpenText ™ Discovery | Recommind
Recommind GmbH, Von-Liebig-Straße 1, 53359 Rheinbach
Vertretungsberechtigte Geschäftsführer Gordon Davies, Madhu Ranganathan, Christian Waida, Registergericht Amtsgericht Bonn, Registernummer HRB 10646
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden