32

I have no idea why after Jenkins is updated to version 1.591 (Ubuntu Server 12.04), the originally correctly set up reverse proxy now becomes broken. My current setting is exactly the same as said in Jenkins wiki:

ProxyPass /jenkins http://localhost:8081/jenkins nocanon
ProxyPassReverse /jenkins http://localhost:8081/jenkins
ProxyPreserveHost On
ProxyRequests Off
AllowEncodedSlashes NoDecode
<Proxy http://localhost:8081/jenkins*>
Order deny,allow
Allow from all
</Proxy>

also --prefix=/jenkins has been added into /etc/default/jenkins file

Is that a bug in Jenkins?

Parker
  • 7,244
  • 12
  • 70
  • 92
Kevin
  • 413
  • 1
  • 4
  • 7

9 Answers9

73

I was faced with this issue with Jenkins as a Windows Service Package.

According to their wiki:

Make sure the Jenkins URL configured in the System Configuration matches the URL you're using to access Jenkins.

To reach the System Configuration:

  1. Go to your Jenkins page
  2. Click Manage Jenkins
  3. Click Configure System
  4. Scroll to Jenkins Location and find Jenkins URL.

Ensure that port value matches with the port value set in the <arguments> section of the jenkins.xml file located in the Jenkins folder on your machine.

Josh Gieringer
  • 750
  • 6
  • 10
  • 2
    Thanks Josh, I was hitting mine via localhost rather than via normal name. They should really add an exception to localhost for this message... – basher Jul 14 '16 at 19:34
  • 3
    Exactly this: To expand upon the answer: the sever hostname was changed, and I did not change the "Jenkins Location" (a) when I *FIRST* setup the jenkins box, I used [http://jenkins-test1.example.com](http://jenkins-test1.example.com), so that is what I put in the Manage Jenkins -> Configure System -> Jenkins Location, (b) Later the machine became a production machine, the host name changed to: [http://jenkins-prod1.example.com](http://jenkins-prod1.example.com) - now Jenkins complains, Thus (C) Solution: Update the "Jenkins Location" – user3696153 Dec 09 '16 at 17:02
  • The arguments string in my 'jenkins.xml' file looks like this. **-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "%BASE%\jenkins.war" --httpPort=8080 --webroot="%BASE%\war"** And this is the URL I have given under Jenkins URL field : **http://localhost:8080/jenkins/** I cannot understand how to make both strings imply the same Jenkins address. – Sandun Aug 08 '18 at 15:18
  • 4
    There is **no jenkins.xml** on my machine. I have Ubuntu. – ibodi Aug 09 '18 at 16:54
  • Thanks for the help. You surely eased the work of reading the whole wiki. In my case, I had changed the default port to 8100. – khwilo Sep 13 '18 at 12:33
  • For Linux users, you may also edit the configurations from the /etc/default/jenkins file too. – khwilo Sep 13 '18 at 12:36
  • @JoshGieringer I am new to this Jenkins thingy, I see all these arguments/values thrown around, but not one mention of where to add it. What good would that do for a newbie looking for help?? There is no jenkins.xml when I did my installation. I am on v2.190.1. I looked in deployed war directory and also in the .jenkins folder (Windows) – hell_storm2004 Oct 16 '19 at 07:43
  • Thank you for saving us reading the Wiki. This couldn't be explained any clearer. – Mert Alnuaimi Mar 04 '20 at 10:47
  • For Linux (Ubuntu) users, check the /etc/default/jenkins file as defined by @khwilo. In that file, look for **JENKINS_ARGS** and copy the **httpListenAddress** and paste it in your Jenkins URL. I used Nginx with Lets Encrypt encryption and my /etc/default/jenkins is like this **JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --httpListenAddress=127.0.0.1"**. Provide the port also 127.0.0.1:[your port] – Muhammad Tariq Oct 30 '20 at 05:57
  • It helps! I encountered this issue when I wrongly access my jenkins via HTTP instead of HTTPS, which is set in Jenkins Location. – v.ng Aug 03 '22 at 14:22
10

For me, the fix was to add:

RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"

This made it stop complaining.

Robin Winslow
  • 10,908
  • 8
  • 62
  • 91
5

Jenkins has proactive monitoring to make sure forward and reverse proxy is configured correctly. In version 1.552, these tests were improved so that incorrect proxy setups that were previously not flagged as broken are now detected. Starting with version 1.572, even Jenkins instances that do not rely on reverse proxy will display this warning.

Fixing a broken reverse proxy configuration is highly dependent on your web server and web application container, which is why there are so many other answers posted to your question. The Jenkins Wiki article on this topic, "Jenkins says my reverse proxy setup is broken", describes several ways to fix this in the comments.

From the above article:

For a reverse proxy to work correctly, it needs to rewrite both the request and the response.

But correct reverse proxying also involves one of two options, either:

  1. rewriting the response; or
  2. setting the X-Forwarded-Host (and perhaps X-Forwarded-Port) header on the forwarded request.

In my case, it was actually a problem with the first option, where my response rewriting was not properly encoding slashes. If you are using Apache HTTPD with Tomcat, you need to add support for encoded slashes to both servers, not just Apache HTTPD.

These are the instructions for resolving this problem in my specific case: Jenkins 2.1.41 on an Amazon Linux EC2 instance, with Apache 2.4, Tomcat 8.5 and Tomcat Connector.

In /etc/httpd/conf.d/ssl.conf add the following line for your Jenkins Host or VirtualHost:

AllowEncodedSlashes NoDecode

Add the following line to /usr/share/tomcat8/conf/catalina.properties:

org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

Restart both services:

service httpd restart
service tomcat8 restart

Refresh your Manage Jenkins page. The warning message will be gone.

An example of implementing the second option in Apache HTTPD:

RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"

and for NGINX:

proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
Parker
  • 7,244
  • 12
  • 70
  • 92
  • 1
    Thanks for providing this comprehenisve analysis and solution. There are many "solution" around this issue, but they all lack the tomcat part - which turns out to be essential. – joergd Apr 28 '19 at 12:20
  • Instead of using the deprecated system property `org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true`, the same effect can be achieved in (at least) Tomcat 8 and later by adding the attribute `encodedSolidusHandling="passthrough"` to `` elements defined in `$CATALINA_BASE\conf\server.xml`. – jaguild Apr 22 '22 at 16:13
3

For nginx, this also helped me:

proxy_redirect      http://localhost:8080 https://your.ssl.domain.name

Don't include any trailing slashes to the above urls, and also not to the proxy_pass url.

Ghasan غسان
  • 5,577
  • 4
  • 33
  • 44
2

It turns out everything works fine even though the annoying message persistently appears. I think it is a minor bug of the version.

Kevin
  • 413
  • 1
  • 4
  • 7
  • 3
    This is not a bug. As noted in the Jenkins Wiki, "The reverse proxy tests were improved in release 1.552 so users with previously working proxy setups may start to receive proxy warnings." See [this answer](https://stackoverflow.com/a/52045603/2074605) for more details. – Parker Sep 12 '18 at 12:06
2

Here's a link clearly states somethings are changed after 1.552 so adding these new lines;

 nocanon and AllowEncodedSlashes

Solved my issue and warning gone.

Cem
  • 65
  • 1
  • 4
2

Go to "Manage Jenkins" -> "Configure System" -> "Jenkins Location" header -> "Jenkins URL" was "http://localhost:8081/jenkins-postly". I changed it to "http://localhost:8081/" and now I don`t see that error.

starball
  • 20,030
  • 7
  • 43
  • 238
Kalman Judin
  • 45
  • 1
  • 7
0

It's trying to verify the url specified in the setting with the actual one:

  1. go to manage jenkins
  2. configure system
  3. jenkins URL
  4. change the url to your public IP address
  5. save
Brian Tompsett - 汤莱恩
  • 5,753
  • 72
  • 57
  • 129
ray Tam
  • 11
0

Also have a look in case you set a Referrer-Policy header which removes the "referer" header. That one is used by the self test XHR script at /administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/.

cherouvim
  • 31,725
  • 15
  • 104
  • 153