
Configuration of reverse proxy allegedly broken after update to 2.121.1

    • Type: Bug
    • Resolution: Not A Defect
    • Priority: Minor
    • Component: core

      Hey,

      I have recently updated Jenkins from version 2.73.3 to 2.121.1 and I am now encountering an error message about our reverse proxy configuration being broken. Regardless of the warning, everything is working fine so far. I didn't change anything besides swapping the jenkins.war and updating some plugins.

      I have tried everything from this wiki page:

      • Jenkins URL configured in the System Configuration matches the URL we're using to access Jenkins
      • set X-Forwarded-Proto header but it didn't help
      • running the cURL script led to a 400 Bad Request

      I also checked similar JIRA issues but unfortunately couldn't find anything applicable.

      Any other idea? FYI we're running Jenkins in a Tomcat 8 Container behind an F5 load balancer.

      Kind regards,
      Robin

          [JENKINS-52367] Configuration of reverse proxy allegedly broken after update to 2.121.1

          Oleg Nenashev added a comment -

          CC wfollonier

          Daniel Beck added a comment -

          Create a logger for hudson.diagnosis.ReverseProxySetupMonitor on level FINE and navigate to /manage as an admin, then check log output.

          https://wiki.jenkins.io/display/JENKINS/Logging

           


          Daniel Beck added a comment -

          Tomcat 8 Container

          ALLOW_ENCODED_SLASH? https://wiki.jenkins.io/display/JENKINS/Tomcat#Tomcat-Requirements

          Robin Zergiebel added a comment - - edited

          Create a logger for hudson.diagnosis.ReverseProxySetupMonitor on level FINE and navigate to /manage as an admin, then check log output.
          https://wiki.jenkins.io/display/JENKINS/Logging

          Result of this is:

          coming from https://<alias>/jenkins/manage and redirecting to https://<alias>/jenkins/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/<alias>%2Fjenkins%2Fmanage/


          Robin Zergiebel added a comment -

          ALLOW_ENCODED_SLASH? https://wiki.jenkins.io/display/JENKINS/Tomcat#Tomcat-Requirements

          I tried setting this to true as a Java system property but unfortunately it didn't change anything.

          Robin Zergiebel added a comment -

          Regarding the current situation:

          I have added the Java system property "-Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true".
          The log for hudson.diagnosis.ReverseProxySetupMonitor changed to:

          Jul 12, 2018 2:48:42 PM FINE hudson.diagnosis.ReverseProxySetupMonitor doTest
          coming from https://<alias>/jenkins/manage and redirecting to https://<alias>/jenkins/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/https%3A%2F%2F<alias>%2Fjenkins%2Fmanage/

          Jul 12, 2018 2:48:42 PM WARNING hudson.diagnosis.ReverseProxySetupMonitor getTestForReverseProxySetup
          http://<alias>/jenkins/manage vs. https:/<alias>/jenkins/manage

          FYI, we're accessing our F5 load balancer via https, which then accesses our server via http (SSL termination).

          For testing purposes I changed the Jenkins Location URL to http://<machine name>:8080/jenkins and accessed http://<machine name>:8080/jenkins/manage and the error message was gone. This however is obviously not optimal since we want to access our application via https.

          Daniel Beck added a comment -

          Set X-Forwarded-Proto in the reverse proxy so Jenkins knows it's HTTPS.


          Robin Zergiebel added a comment - - edited

          Hey Daniel,

          to fix the issue we had to do 2 things:

          • set
            -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
            in the Java system properties of our Tomcat 8

          • configure our F5 load balancer as follows:
            when HTTP_REQUEST {
                # Force X-Forwarded-Proto to "https", replacing any value already present in the request
                if {[HTTP::header exists X-Forwarded-Proto]} {
                    HTTP::header replace X-Forwarded-Proto "https"
                } else {
                    HTTP::header insert X-Forwarded-Proto "https"
                }
                # Same for X-Forwarded-Port: always report 443 to the backend
                if {[HTTP::header exists X-Forwarded-Port]} {
                    HTTP::header replace X-Forwarded-Port "443"
                } else {
                    HTTP::header insert X-Forwarded-Port "443"
                }
            }

          Now the error message is finally gone.
          Thank you for your help!

          Kind regards,
          Robin

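Added example, not part of the original thread and not Jenkins code: a small triage helper for the ReverseProxySetupMonitor WARNING line quoted in the thread. It assumes the message has the form "<URL Jenkins inferred from the request> vs. <URL taken from the request path>"; the host name jenkins.example.com is a constructed stand-in for <alias>, and the finding codes are names chosen for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the WARNING line from the thread, with the "<alias>"
# placeholder replaced by a made-up host name.
SAMPLE = ("http://jenkins.example.com/jenkins/manage vs. "
          "https:/jenkins.example.com/jenkins/manage")

# Finding codes (names chosen for this example) and what each one means.
HINTS = {
    "collapsed-slash": "'//' after the scheme was collapsed in the URL taken from the path",
    "scheme": "backend infers a different scheme than the browser used; "
              "have the proxy set X-Forwarded-Proto",
    "host": "backend infers a different host or port than the browser used",
    "path": "context path differs between the two URLs",
}


def restore_slashes(url):
    """Turn 'https:/host/...' back into 'https://host/...' before parsing."""
    return re.sub(r"^(https?):/(?!/)", r"\1://", url)


def diagnose(message):
    """Return finding codes for one '<inferred> vs. <received>' message."""
    inferred, sep, received = message.strip().partition(" vs. ")
    if not sep:
        raise ValueError("not a '<url> vs. <url>' message")
    findings = []
    repaired = restore_slashes(received)
    if repaired != received:
        findings.append("collapsed-slash")
    a, b = urlsplit(inferred), urlsplit(repaired)
    if a.scheme.lower() != b.scheme.lower():
        findings.append("scheme")
    if a.netloc.lower() != b.netloc.lower():
        findings.append("host")
    if a.path.rstrip("/") != b.path.rstrip("/"):
        findings.append("path")
    return findings


if __name__ == "__main__":
    for code in diagnose(SAMPLE):
        print(f"{code}: {HINTS[code]}")
```

For the line from the thread this reports a scheme mismatch, which is the condition the X-Forwarded-Proto header set on the F5 addresses.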

            Assignee: Unassigned
            Reporter: Robin Zergiebel (robco)