The Jenkins Setup Wizard enables the CSRF protection.
By default, this takes into account the client IP.
In some setups involving reverse proxies, the client IP seen by Jenkins is not the real client IP, but the IP of the reverse proxy. Sometimes, it is due to incorrect reverse proxy configuration, but in some other cases, it is a limitation that cannot be overcome.
- Azure Load Balancer is a Layer 4 load balancer (TCP). The IP Jenkins sees is the internal IP of the load balancer. Since it is pooled, this IP can change from request to request and cause crumb error.
- AWS ELB using TCP listener (Layer 4): same problem.
Note: on AWS, it is possible to use a HTTP listener and it will set the http header X-Forwarded-For containing the real client IP and Jenkins doesn't need proxy compatibility. For https deployment you have to terminate the SSL connection at the ELB level, which is not the case when using the Layer 4 Load balancer.
This default setttings can then cause problems (invalid crumb errors) when using the default setup.
The goal of this issue is to provide a way to enable or disable the initial state on startup using a system property.
e.g. -Djenkins.model.Jenkins.crumbIssuerProxyCompatibility=true will enable Proxy Compatibility on first startup.