• Bug
    • Resolution: Fixed
    • Major
    • core

      Under some conditions a reverse proxy may define X-Forwarded-Port yet the Jenkins servlet container still returns 80 for ServletRequest.getServerPort. This causes problems for computing Jenkins.getRootUrlFromRequest, the current implementation of which treats the default port as 80 regardless of the scheme; we would like the default to be 443 when X-Forwarded-Proto: https, yet this will only work if the servlet container cooperates. Easier to have Jenkins itself interpret this header when set.

          [JENKINS-23294] Interpret X-Forwarded-Port

          Code changed in jenkins
          User: Stephen Connolly
          Path:
          core/src/main/java/jenkins/model/Jenkins.java
          http://jenkins-ci.org/commit/jenkins/5bad446dd51d31efd60538eab5c87bdde57114e9
          Log:
          [FIXED JENKINS-23294] Interpret X-Forwarded-Port

          • Also fixed handling of X-Forwarded-Proto and added support for X-Forwarded-Host
          • Additional complexity is that there can be multiple headers with the same name (which was handled by default by accident) and
            that a header value may contain a comma separated list if there were multiple forwarding hops.


          Code changed in jenkins
          User: Jesse Glick
          Path:
          core/src/main/java/hudson/diagnosis/ReverseProxySetupMonitor.java
          core/src/main/java/jenkins/model/Jenkins.java
          core/src/test/java/jenkins/model/JenkinsGetRootUrlTest.java
          test/src/test/java/hudson/diagnosis/ReverseProxySetupMonitorTest.java
          http://jenkins-ci.org/commit/jenkins/cffe9df0176b0ff895554ce7f2ea4d2f20062351
          Log:
          [FIXED JENKINS-23294] Deal with X-Forwarded-Port.
          If this is set, use it instead of ServletRequest.getServerPort() for purposes of getRootUrlFromRequest().
          Also treat the default port as scheme-specific in that method (which presumes that we in fact got the reported port right).
          And enhance the reverse proxy setup monitor to validate that the Referer header (/manage)
          actually matches what we have computed from getRootUrlFromRequest;
          if it does not, something is messed up, though it may require some digging to find what.
          (Would be better to let the monitor specify the exact problem it determined,
          though this is not always actually possible;
          for example if you are missing AllowEncodedSlashes NoDecode in Apache,
          you just get a 404 from Apache without even getting to Jenkins.)
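
The header handling described in the issue and the commit messages above, as an added sketch that is not the code from Jenkins.java: repeated headers and comma-separated hop lists are reduced to one value, X-Forwarded-Port overrides the container's port, and the default port depends on the scheme. The class and method names are hypothetical, the request is modelled as a plain map, and taking the first list entry as the client-facing hop is an assumption.

```java
import java.util.*;

public class ForwardedRootUrl {
    // Joins repeated headers of the same name, then returns the first non-empty
    // comma-separated entry (assumption: the client-facing hop is listed first).
    static String forwarded(Map<String, List<String>> headers, String name, String fallback) {
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (!e.getKey().equalsIgnoreCase(name)) continue;
            for (String part : String.join(",", e.getValue()).split(",")) {
                if (!part.trim().isEmpty()) return part.trim();
            }
        }
        return fallback;
    }

    // Rejects non-numeric or out-of-range ports instead of echoing them into the URL.
    static int parsePort(String s, int fallback) {
        try {
            int p = Integer.parseInt(s.trim());
            return (p > 0 && p <= 65535) ? p : fallback;
        } catch (NumberFormatException ex) { return fallback; }
    }

    // containerScheme/Host/Port stand in for getScheme(), getServerName(), getServerPort().
    static String rootUrl(Map<String, List<String>> headers, String containerScheme,
                          String containerHost, int containerPort, String contextPath) {
        String scheme = forwarded(headers, "X-Forwarded-Proto", containerScheme).toLowerCase(Locale.ROOT);
        String host = forwarded(headers, "X-Forwarded-Host", containerHost);
        int port = containerPort;
        int colon = host.lastIndexOf(':');
        // Accept "name:port" and "[v6]:port"; leave a bare IPv6 literal alone.
        boolean hasPort = colon > 0 && (host.indexOf(':') == colon || host.charAt(colon - 1) == ']');
        if (hasPort) {
            port = parsePort(host.substring(colon + 1), port);
            host = host.substring(0, colon);
        }
        String fwdPort = forwarded(headers, "X-Forwarded-Port", null);
        if (fwdPort != null) port = parsePort(fwdPort, port);   // header wins over the container
        int defaultPort = scheme.equals("https") ? 443 : 80;    // scheme-specific default
        return scheme + "://" + host + (port == defaultPort ? "" : ":" + port) + contextPath + "/";
    }

    public static void main(String[] args) {
        // Constructed sample: TLS ends at the proxy, the container still reports http/80.
        Map<String, List<String>> h = Map.of(
            "X-Forwarded-Proto", List.of("https, http"),   // two hops in one value
            "X-Forwarded-Host", List.of("ci.example.org"),
            "X-Forwarded-Port", List.of("443", "8080"));   // same header sent twice
        System.out.println(rootUrl(h, "http", "localhost", 80, "/jenkins"));
    }
}
```

These headers are only as trustworthy as the proxy that sets them: a proxy that passes through client-supplied X-Forwarded-* values lets the client choose the computed root URL.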


          Code changed in jenkins
          User: Stephen Connolly
          Path:
          core/src/main/java/jenkins/model/Jenkins.java
          http://jenkins-ci.org/commit/jenkins/333b05e356c70e90a7a1eeab9cb7d964c00fcd02
          Log:
          [FIXED JENKINS-23294] Interpret X-Forwarded-Port

          • Also fixed handling of X-Forwarded-Proto and added support for X-Forwarded-Host
          • Additional complexity is that there can be multiple headers with the same name (which was handled by default by accident) and
            that a header value may contain a comma separated list if there were multiple forwarding hops.


          Code changed in jenkins
          User: Stephen Connolly
          Path:
          core/src/main/java/hudson/diagnosis/ReverseProxySetupMonitor.java
          core/src/main/java/jenkins/model/Jenkins.java
          core/src/test/java/jenkins/model/JenkinsGetRootUrlTest.java
          test/src/main/java/org/jvnet/hudson/test/HudsonTestCase.java
          test/src/test/java/hudson/diagnosis/ReverseProxySetupMonitorTest.java
          test/src/test/java/jenkins/security/RekeySecretAdminMonitorTest.java
          http://jenkins-ci.org/commit/jenkins/a239197a8fd17e3831af36bfb9b3c90c550a9bb1
          Log:
          Merge pull request #1294 from jenkinsci/pull/1265/head

          [FIXED JENKINS-23294] Interpret X-Forwarded-Port

          Compare: https://github.com/jenkinsci/jenkins/compare/f277502a8304...a239197a8fd1


          dogfood added a comment -

          Integrated in jenkins_main_trunk #3498
          [FIXED JENKINS-23294] Interpret X-Forwarded-Port (Revision 5bad446dd51d31efd60538eab5c87bdde57114e9)
          [FIXED JENKINS-23294] Deal with X-Forwarded-Port. (Revision cffe9df0176b0ff895554ce7f2ea4d2f20062351)

          Result = SUCCESS
          Stephen Connolly : 5bad446dd51d31efd60538eab5c87bdde57114e9
          Files :

          • core/src/main/java/jenkins/model/Jenkins.java

          Stephen Connolly : cffe9df0176b0ff895554ce7f2ea4d2f20062351
          Files :

          • core/src/test/java/jenkins/model/JenkinsGetRootUrlTest.java
          • core/src/main/java/hudson/diagnosis/ReverseProxySetupMonitor.java
          • test/src/test/java/hudson/diagnosis/ReverseProxySetupMonitorTest.java
          • core/src/main/java/jenkins/model/Jenkins.java


          Code changed in jenkins
          User: Stephen Connolly
          Path:
          test/src/main/java/org/jvnet/hudson/test/HudsonTestCase.java
          http://jenkins-ci.org/commit/jenkins-test-harness/81ccc04db253c5e14c52c49e82416e8538fdefc6
          Log:
          Merge pull request #1294 from jenkinsci/pull/1265/head

          [FIXED JENKINS-23294] Interpret X-Forwarded-Port
          Originally-Committed-As: a239197a8fd17e3831af36bfb9b3c90c550a9bb1


            jglick Jesse Glick