Unable to add credentials in Jenkins when accessed via reverse proxy ( Netscaler)

Question

Background

We used to access Jenkins via Hostname and port format and never had issues. eg : http://Jenkinsci.company.com:8080.

We had an internal requirement to enable Jenkins access via company Netscaler (https://apps.company.com/).

So new Netscaler context was created and new url :https://apps.company.com/jenkins now points to -> http://Jenkinsci.company.com:8080. I also added JENKINS_ARGS="--prefix=/jenkins" in etc/sysconfig/jenkins.

Issue

Initially we couldnt login. As soon as we clicked on login, we used to get redirected to http page. i.e https://apps.company.com/jenkins -> http://apps.company.com/jenkins.

. So since login was not working, http to https redirection was setup at Netscaler level. Then login worked.

Now we observed we couldn't add credentials in Jenkins.

Now after adding the credentials, the drop down doesn't show the newly added credentials.

I debugged in Browser and could see the below error message.

Mixed Content: The page at 'https://prod.company.com/jenkins/job/test1/job/test/configure' was loaded over HTTPS, but requested an insecure form action 'http://prod.company.com/jenkins/descriptor/com.cloudbees.plugins.credentials.CredentialsSelectHelper/resolver/com.cloudbees.plugins.credentials.CredentialsSelectHelper$ItemContextResolver/provider/com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider/context/test1/addCredentials'. This request has been blocked; the content must be served over HTTPS.

I also compared the network messages of adding credentials via Netscaler and directly via host and they look same except in success scenario there are couple of more steps executed.

Success

Request URL: http://Jenkinsci.company.com:8080/jenkins/descriptorByName/com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl/checkId?value=&$provider=com.cloudbees.plugins.credentials.CredentialsSelectHelper%24ItemContextResolver&$token=test

Request URL: http://Jenkinsci.company.com:8080/jenkins/descriptorByName/com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl/checkId?value=asdad&$provider=com.cloudbees.plugins.credentials.CredentialsSelectHelper%24ItemContextResolver&$token=test

Request URL: http://Jenkinsci.company.com:8080/jenkins/descriptor/com.cloudbees.plugins.credentials.CredentialsSelectHelper/resolver/com.cloudbees.plugins.credentials.CredentialsSelectHelper$ItemContextResolver/provider/com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider/context/test/addCredentials Request Method: POST

Request URL: http://Jenkinsci.company.com:8080/jenkins/job/test/job/tess/descriptorByName/hudson.plugins.git.UserRemoteConfig/fillCredentialsIdItems

Failure

Request URL: https://prod.company.com/jenkins/descriptorByName/com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl/checkId?value=&$provider=com.cloudbees.plugins.credentials.CredentialsSelectHelper%24ItemContextResolver&$token=test1

Request URL: https://prod.company.com/jenkins/descriptorByName/com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl/checkId?value=sdfsr&$provider=com.cloudbees.plugins.credentials.CredentialsSelectHelper%24ItemContextResolver&$token=test1

Any idea what may be the issue and way to resolve without putting a SSL certificate to jenkins instance?

Thanks in advance.

Answer 1

I spoke with Netscaler team and initially we added http to https redirection, but it didn't work.
Then I shared below link with them.

Jenkins Reverse Proxy setup

In our setup, Netscaler was accessed via https ,but Jenkins was accessed via HTTP. So we needed to set "X-Forwarded-Proto" header in Netscaler for the request rewrites.

Initially we set X-Forwarded-Proto" header in Netscaler for the response rewrites and it was not working. Be aware that there are very minimal logs and debugging will be difficult.

Hopefully this helps someone.