[JENKINS-18008] Builds triggered using token with build-token-root plugin show remote host as '127.0.0.1'

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component/s: core
    • Environment: Jenkins 1.514, Oracle Linux, accessed via reverse Apache proxy (for SSL)

      Builds triggered using per-project token via the API provided by this plugin show their remote host as '127.0.0.1' rather than the real IP the build was started from. In my case, I ran curl(1) to trigger the build from another machine, and it still shows up as 127.0.0.1 (localhost), see attached screenshot.

      I am accessing this Jenkins instance via an Apache reverse proxy so that I can use SSL. But I believe my Apache virtual host is configured properly to set proxy headers like X-Forwarded-For, etc. (per http://httpd.apache.org/docs/trunk/mod/mod_proxy.html). My Apache config includes the following:

      ProxyRequests On
      ProxyPreserveHost On
      ProxyPass / http://localhost:8080/ retry=0
      ProxyPassReverse / http://localhost:8080/

      Is Jenkins not respecting the X-Forwarded-* HTTP headers when determining the remote IP? That may be the root cause here.
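An added example (Python, not Jenkins or Winstone code) of the resolution the description asks about: consult X-Forwarded-For only when the TCP peer is a trusted proxy, which is the "safe when the remote address is 127.0.0.1" condition Mirko raises in the comments, and otherwise keep the socket address. The trusted-proxy list and the sample addresses are assumptions, not values from the issue.

```python
import ipaddress

# Constructed example (not Jenkins or Winstone code). Assumption: the only
# reverse proxy in front of the container is Apache on the same host, so the
# trusted peer is 127.0.0.1, matching the issue's ProxyPass to localhost:8080.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_address(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Return the address worth recording as the remote host of a request.

    remote_addr is the TCP peer the servlet container saw; headers is a dict
    of request headers (looked up case-insensitively). X-Forwarded-For is
    only consulted when the peer is a trusted proxy, and then the right-most
    hop that is not itself a trusted proxy is used, so a caller connecting
    directly cannot pick its own recorded address by sending the header.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer, trusted):
        return str(peer)  # direct connection: the header is client-controlled
    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), None)
    if not xff:
        return str(peer)  # proxy did not add the header; nothing better known
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed hop: fall back to the socket address
        if not _is_trusted(addr, trusted):
            return str(addr)
    return str(peer)  # every hop was a trusted proxy


if __name__ == "__main__":
    # The situation in the report: curl on another machine, via Apache on localhost.
    print(client_address("127.0.0.1", {"X-Forwarded-For": "203.0.113.7"}))  # 203.0.113.7
    # A direct caller sending the header itself is still recorded by its socket address.
    print(client_address("203.0.113.7", {"X-Forwarded-For": "10.0.0.1"}))  # 203.0.113.7
```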


          Stuart Montgomery created issue -
          Stuart Montgomery made changes -
          Summary Original: Builds triggered using token with this plugin show remote host as '127.0.0.1' New: Builds triggered using token with build-token-root plugin show remote host as '127.0.0.1'

          Mirko Friedenhagen added a comment - edited

          I do not think this is a plugin problem, but should probably be fixed in core: https://github.com/jenkinsci/jenkins/pull/239. I think Kohsuke was not sure whether this would be a security issue. One could argue that this is quite safe when the remote address is 127.0.0.1. However, I do not see real security issues here, as this is only for the Build Cause.

          Mirko Friedenhagen made changes -
          Component/s New: core [ 15593 ]

          Stuart Montgomery added a comment -

          Agreed, can we integrate Mirko's pull request? That will likely solve the issue, and I can't imagine how it will be a security issue.
          Stuart Montgomery made changes -
          Component/s Original: build-token-root [ 17622 ]
          Assignee Original: Jesse Glick [ jglick ]

          Daniel Beck added a comment -

          Was fixed by https://github.com/jenkinsci/winstone/commit/fa55131f28195406ac6b280333564c21dc7684a9 in Jenkins 1.528 with the inclusion of 0.9.10-jenkins-47, so this will be fixed in the 1.532-based LTS.

          Broke again in 1.535 thanks to Jetty.


          Daniel Beck added a comment -

          Supposed to be fixed by https://github.com/jenkinsci/winstone/pull/13
          Daniel Beck made changes -
          Labels New: lts-candidate

          Daniel Beck added a comment -

          Issue fixed in 1.560 with update to "winstone" 2.3 that includes Nicolas' fix.

          Labeling as lts-candidate so this is considered for backporting to 1.554.x.


            Assignee: Unassigned
            Reporter: Stuart Montgomery (stmontgomery)