
Control initial crumb issuer proxy compatibility value

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Minor
    • core
    • None

      The Jenkins Setup Wizard enables the CSRF protection.
      By default, this takes into account the client IP.

      In some setups involving reverse proxies, the client IP seen by Jenkins is not the real client IP, but the IP of the reverse proxy. Sometimes, it is due to incorrect reverse proxy configuration, but in some other cases, it is a limitation that cannot be overcome.

      Examples:

      • Azure Load Balancer is a Layer 4 load balancer (TCP). The IP Jenkins sees is the internal IP of the load balancer. Since it is pooled, this IP can change from request to request and cause crumb errors.
      • AWS ELB using TCP listener (Layer 4): same problem.

      Note: on AWS, it is possible to use an HTTP listener; it sets the HTTP header X-Forwarded-For containing the real client IP, so Jenkins doesn't need proxy compatibility. For HTTPS deployments you have to terminate the SSL connection at the ELB level, which is not the case when using the Layer 4 load balancer.

      This default setting can then cause problems (invalid crumb errors) when using the default setup.

      The goal of this issue is to provide a way to enable or disable the initial state on startup using a system property.

      e.g. -Djenkins.model.Jenkins.crumbIssuerProxyCompatibility=true will enable Proxy Compatibility on first startup.
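As an added illustration (not code from Jenkins or from this issue), the Python model below shows why a crumb bound to the peer IP fails behind a pooled Layer 4 load balancer, why excluding the IP (proxy compatibility) or an HTTP listener that sets X-Forwarded-For avoids it, and how a startup property like the one proposed here would choose the initial state. The hashing, header handling, session id and addresses are constructed assumptions, not Jenkins's DefaultCrumbIssuer.

```python
# Constructed model of Jenkins-style CSRF crumbs; not Jenkins's actual DefaultCrumbIssuer.
import hashlib
import hmac
from dataclasses import dataclass, field

PROP = "jenkins.model.Jenkins.crumbIssuerProxyCompatibility"

@dataclass
class Request:
    session_id: str
    remote_addr: str                 # peer IP as the servlet container sees it
    headers: dict = field(default_factory=dict)

def client_ip(req: Request) -> str:
    """First X-Forwarded-For hop when present, else the TCP peer address.
    A Layer 7 (HTTP) listener sets the header; a Layer 4 (TCP) one cannot."""
    xff = req.headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else req.remote_addr

class CrumbIssuer:
    def __init__(self, exclude_client_ip: bool, secret: bytes = b"constructed-secret"):
        self.exclude_client_ip = exclude_client_ip   # "proxy compatibility" in the UI
        self.secret = secret

    def issue(self, req: Request) -> str:
        data = req.session_id
        if not self.exclude_client_ip:
            data += ":" + client_ip(req)             # binds the crumb to the client IP
        return hmac.new(self.secret, data.encode(), hashlib.sha256).hexdigest()

    def validate(self, req: Request, crumb: str) -> bool:
        return hmac.compare_digest(self.issue(req), crumb)

def initial_issuer(system_properties: dict) -> CrumbIssuer:
    """Startup default modelled on the property this issue proposes:
    -D<PROP>=true starts with proxy compatibility enabled (assumed parsing)."""
    flag = system_properties.get(PROP, "false").strip().lower() == "true"
    return CrumbIssuer(exclude_client_ip=flag)

def second_request_validates(issuer: CrumbIssuer, ips, forwarded=False) -> bool:
    """Same session, two requests arriving from different pooled LB addresses.
    With forwarded=True the LB also injects the real client's X-Forwarded-For."""
    real_client = {"X-Forwarded-For": "203.0.113.7"} if forwarded else {}
    crumb = issuer.issue(Request("sess-1", ips[0], dict(real_client)))
    return issuer.validate(Request("sess-1", ips[1], dict(real_client)), crumb)

POOL = ("10.0.0.4", "10.0.0.5")                      # constructed LB internal IPs
print(second_request_validates(initial_issuer({}), POOL))                  # False
print(second_request_validates(initial_issuer({PROP: "true"}), POOL))      # True
print(second_request_validates(initial_issuer({}), POOL, forwarded=True))  # True
```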


          Vincent Latombe created issue -
          Vincent Latombe made changes -
          Assignee New: Vincent Latombe [ vlatombe ]
          Vincent Latombe made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Vincent Latombe made changes -
          Remote Link New: This issue links to "PR #3389 (Web Link)" [ 20428 ]
          Vincent Latombe made changes -
          Status Original: In Progress [ 3 ] New: In Review [ 10005 ]
          Vincent Latombe made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: In Review [ 10005 ] New: Resolved [ 5 ]
          Michael Brown made changes -
          Link New: This issue relates to JENKINS-52764 [ JENKINS-52764 ]

            Assignee: Vincent Latombe (vlatombe)
            Reporter: Vincent Latombe (vlatombe)
            Votes: 0
            Watchers: 2
