author    Helmut Grohne <helmut@subdivi.de>  2015-11-07 17:08:18 +0100
committer Helmut Grohne <helmut@subdivi.de>  2015-11-07 17:08:18 +0100
commit    4d3f5807cc2505d791c72ad88aef42abdfd4bebb (patch)
tree      025591a9a199ae167e28006c3e1fb3c85b471151 /hosts
parent    e6364055aef2d9d660349e060ec909f08d3943e1 (diff)
download  jenkins.debian.net-4d3f5807cc2505d791c72ad88aef42abdfd4bebb.tar.xz
mitigate jenkins remote execute 0-day
https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli

It seems that two channels need to be secured. The first is a custom tcp port which is firewalled anyway. The other part is urls starting with /cli. Instead of filtering this entry point in jenkins (and thus breaking bin/abort.sh), we apply the filtering in apache. Thus a local execute vulnerability remains, but we didn't care about those earlier.
Diffstat (limited to 'hosts')
-rw-r--r--  hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net | 2
1 files changed, 2 insertions, 0 deletions
diff --git a/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net b/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net
index 02dfb529..b5d39a82 100644
--- a/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net
+++ b/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net
@@ -17,6 +17,7 @@ NameVirtualHost *:443
# map /d-i-preseed-cfgs to /UserContent/d-i-preseed-cfgs
ProxyPass /d-i-preseed-cfgs/ http://localhost:8080/userContent/d-i-preseed-cfgs/
ProxyPass /userContent !
+ ProxyPass /cli !
ProxyPass / http://localhost:8080/ nocanon
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
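Review bot: the new `ProxyPass /cli !` exclusion is placed before the catch-all `ProxyPass / http://localhost:8080/ nocanon`, which is what makes it effective, since mod_proxy checks ProxyPass rules in configuration order and the first matching rule wins; it should stay above that line. It is undocumented, though, unlike the neighbouring `# map /d-i-preseed-cfgs to /UserContent/d-i-preseed-cfgs` comment: add a comment above it naming the reason from the commit message (keeping the Jenkins CLI-over-HTTP entry point off the proxied paths), so nobody later removes it as an apparently unused exclusion. With `!` the request is simply not proxied and is handled by Apache itself, so after the reload a request to /cli/ on this vhost should be checked to return a local 403/404 rather than anything from Jenkins on port 8080.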
@@ -149,6 +150,7 @@ Use common-debian-service-https-redirect reproducible-builds.org
# map /d-i-preseed-cfgs to /UserContent/d-i-preseed-cfgs
ProxyPass /d-i-preseed-cfgs/ http://localhost:8080/userContent/d-i-preseed-cfgs/
ProxyPass /userContent !
+ ProxyPass /cli !
ProxyPass / http://localhost:8080/ nocanon
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
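Review bot: this hunk is a verbatim repeat of the first one for the second VirtualHost, so the proxy exclusions (`ProxyPass /userContent !`, `ProxyPass /cli !`) and the catch-all are now maintained by hand in two places. The file already relies on mod_macro (`Use common-debian-service-https-redirect reproducible-builds.org` in the hunk header), so consider moving the shared ProxyPass lines into a macro used by both vhosts; a future mitigation then lands in every Jenkins vhost at once instead of depending on someone remembering the second copy.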