Builds triggered using token with build-token-root plugin show remote host as '127.0.0.1'

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core
    • Environment: Jenkins 1.514, Oracle Linux, accessed via reverse Apache proxy (for SSL)

      Builds triggered using per-project token via the API provided by this plugin show their remote host as '127.0.0.1' rather than the real IP the build was started from. In my case, I ran curl(1) to trigger the build from another machine, and it still shows up as 127.0.0.1 (localhost), see attached screenshot.

      I am accessing this Jenkins instance via an Apache reverse proxy so that I can use SSL. But I believe my Apache virtual host is configured properly to set proxy headers like X-Forwarded-For, etc. (per http://httpd.apache.org/docs/trunk/mod/mod_proxy.html). My Apache config includes the following:

      ProxyRequests On
      ProxyPreserveHost On
      ProxyPass / http://localhost:8080/ retry=0
      ProxyPassReverse / http://localhost:8080/

      Is Jenkins not respecting the X-Forwarded-* HTTP headers when determining the remote IP? That may be the root cause here.

          [JENKINS-18008] Builds triggered using token with build-token-root plugin show remote host as '127.0.0.1'

          Mirko Friedenhagen added a comment - - edited

          I do not think this is a plugin problem, but should probably be fixed in core: https://github.com/jenkinsci/jenkins/pull/239. I think Kohsuke was not sure whether this would be a security issue. One could argue that this is quite safe when the remote address is 127.0.0.1. However, I do not see real security issues here, as this is only for the Build Cause.
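
The condition raised in the comment above (honouring X-Forwarded-For only when the connection itself comes from the local proxy), shown as an added Python example. It is not Jenkins or winstone code; `resolve_remote_addr`, `TRUSTED_PROXIES` and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: the only proxy allowed to vouch for a client is the local Apache
# reverse proxy from the report, which connects to Jenkins over loopback.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_remote_addr(peer_ip, x_forwarded_for=None):
    """Return the address to record for a request (hypothetical helper).

    peer_ip is the TCP peer the servlet container sees; x_forwarded_for is
    the raw header value, or None when the header is absent.
    """
    peer = ipaddress.ip_address(peer_ip)
    # A directly connected client can put anything in the header: ignore it.
    if not _is_trusted(peer) or not x_forwarded_for:
        return str(peer)
    candidate = peer
    # Each proxy appends the address it received the request from, so walk
    # right to left and stop at the first hop that is not a trusted proxy.
    for hop in reversed(x_forwarded_for.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = addr
        if not _is_trusted(addr):
            break
    return str(candidate)


# Constructed sample requests (documentation addresses, not from the issue).
SAMPLES = [
    ("127.0.0.1", "203.0.113.7"),            # via the local proxy
    ("127.0.0.1", "10.9.9.9, 203.0.113.7"),  # client forged a leading entry
    ("198.51.100.4", "127.0.0.1"),           # direct hit with forged header
    ("127.0.0.1", None),                     # local request, no header
]

if __name__ == "__main__":
    for peer, header in SAMPLES:
        print(peer, repr(header), "->", resolve_remote_addr(peer, header))
```

Entries to the left of the last untrusted hop are client-supplied and are never used, which is why the forged leading entry in the second sample has no effect.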

          Stuart Montgomery added a comment -

          Agreed, can we integrate Mirko's pull request? That will likely solve the issue, and I can't imagine how it will be a security issue.

          Daniel Beck added a comment -

          Was fixed by https://github.com/jenkinsci/winstone/commit/fa55131f28195406ac6b280333564c21dc7684a9 in Jenkins 1.528 with the inclusion of 0.9.10-jenkins-47, so this will be fixed in 1.532 based LTS.

          Broke again in 1.535 thanks to Jetty.

          Daniel Beck added a comment -

          Supposed to be fixed by https://github.com/jenkinsci/winstone/pull/13

          Daniel Beck added a comment -

          Issue fixed in 1.560 with update to "winstone" 2.3 that includes Nicolas' fix.

          Labeling as lts-candidate so this is considered for backporting to 1.554.x.

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Daniel Beck
          Path: changelog.html
          http://jenkins-ci.org/commit/jenkins/6acdd66f435bb0c87479cb32449f0bb52b325d57
          Log:
          Noting winstone PR 13/JENKINS-18008, fix wording

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path: war/pom.xml
          http://jenkins-ci.org/commit/jenkins/b7abcbd598f6d9060439c563bb715448e983e868
          Log:
          JENKINS-18008 Incorporated Nicolas' https://github.com/jenkinsci/winstone/pull/13

          (cherry picked from commit 56052c8452173140c63d5cc15bdd79b510523cc4)

            Assignee: Unassigned
            Reporter: Stuart Montgomery (stmontgomery)
            Votes: 0
            Watchers: 3