I love CruiseControl.rb, but one of the things I've found is that it exposes, via the web interface, a lot of potentially confidential data: from the cruise_config.rb containing accounts on our SVN server, to being able to browse source files, which would include database.yml, again exposing usernames and passwords.
And, since CC.rb runs on port 3333 by default, I expect some enterprising hacker has been scraping the internet looking for all the IP addresses that have a server running on port 3333! A lot of folks have been using Apache with mod_proxy and mod_auth to try and wrap CruiseControl.rb, but you still need to add firewall rules so people don't just go directly to the server on port 3333. There has been quite a bit of traffic on the CC.rb mailing list lately about this. However, I found that HTPasswd was a much simpler solution. HTPasswd is one of those little-known gems of a plugin. It makes it dirt simple to add both Basic and Digest authentication to Rails apps. I just SSHed into the server running CC.rb, browsed to the CC webapp directory and ran ./script/plugin install http://wota.jp/svn/rails/plugins/branches/stable/htpasswd/ . I added the line htpasswd :user=>"MYUSER", :pass=>"MYPASS" to application.rb, restarted CC.rb, and now have a secure CruiseControl.rb instance! Much simpler than hacking around with Apache configuration files. Please go to the HTPasswd page on AgileWebDevelopment and vote for this great plugin!
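To show what that one htpasswd line actually bolts onto the dashboard, here is an added example (my own code, not the HTPasswd plugin's) of an HTTP Basic authentication gate written as a pure-Ruby, Rack-style middleware; the DASHBOARD app, the MYUSER/MYPASS credentials and the status_for helper are constructed for the demo. Note that Basic sends the user name and password base64-encoded but not encrypted, so on a port-3333 listener it should sit behind TLS (or use the plugin's Digest mode); the example also compares credentials in constant time so response timing does not reveal how much of a guess was right.

```ruby
class BasicAuthGate
  REALM = 'CruiseControl.rb'

  def initialize(app, user, pass)
    @app, @user, @pass = app, user, pass
  end

  # env is a Rack-style hash; the Authorization header arrives as HTTP_AUTHORIZATION.
  # Valid credentials pass the request through; anything else gets a 401 challenge.
  def call(env)
    return @app.call(env) if authorized?(env['HTTP_AUTHORIZATION'])
    [401, { 'Content-Type' => 'text/plain',
            'WWW-Authenticate' => %(Basic realm="#{REALM}") }, ['Unauthorized']]
  end

  private

  def authorized?(header)
    return false unless header && header =~ %r{\ABasic\s+([A-Za-z0-9+/=]+)\z}
    decoded = $1.unpack1('m')          # base64 decode: encoded, not encrypted
    user, pass = decoded.split(':', 2) # password may itself contain ':'
    return false if pass.nil?
    # '&' (not '&&') evaluates both comparisons, so timing does not depend on
    # whether the user name alone was correct.
    secure_equal?(user, @user) & secure_equal?(pass, @pass)
  end

  # Constant-time comparison: OR together the XOR of every byte pair and
  # only check the accumulated result at the end.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed demo: a stand-in for the CC.rb dashboard that the gate protects.
DASHBOARD = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['build: passed']] }
GATE = BasicAuthGate.new(DASHBOARD, 'MYUSER', 'MYPASS')

# Returns the HTTP status for a request with the given credentials (nil user = no header).
def status_for(user, pass = nil)
  header = user && "Basic #{["#{user}:#{pass}"].pack('m0')}"
  GATE.call('HTTP_AUTHORIZATION' => header).first
end

puts status_for('MYUSER', 'MYPASS')  # 200
puts status_for('MYUSER', 'wrong')   # 401
```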