
Improve crumb compatibility with Azure Application Gateway

    • Improvement
    • Resolution: Unresolved
    • Minor
    • core
    • None
    • Azure

      When Jenkins is behind an Azure Application Gateway, it gets the proper header for the remote user passed to it. A complete header example is below:

      POST /job/deploy-job/build?delay=0sec HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      Accept: text/javascript, text/html, application/xml, text/xml, */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-CA,en-GB;q=0.9,en-US;q=0.8,en;q=0.7,fr;q=0.6
      Host: build.something
      Max-Forwards: 10
      Referer: https://build.something/job/deploy-job/
      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36
      Origin: https://build.something
      Jenkins-Crumb: 0a6b7215318cfcfea7e8be0bfd7bc1a6
      X-Prototype-Version: 1.7
      X-Requested-With: XMLHttpRequest
      DNT: 1
      X-FORWARDED-PROTO: https
      X-FORWARDED-PORT: 443
      X-ORIGINAL-HOST: build.something
      SEC-WEBSOCKET-EXTENSIONS:
      X-Original-URL: /job/deploy-job/build?delay=0sec
      X-Forwarded-For: 198.2.2.249:60769
      X-ARR-SSL: 2048|256|CN=*.something|CN=*.something
      X-ARR-LOG-ID: a5a03579-302d-494a-a2c5-089d51026283
      Content-Length: 0

      HOWEVER the remote port is also included:

      X-Forwarded-For: 198.2.2.249:60769

      and since the remote port changes with every request, the crumbs are never seen as valid.

      Jenkins should support stripping the port from the remote IP if present.

      I don't know what the Azure Application Gateway does for IPv6 since it doesn't support that yet.

      Related to (but not the same as) https://issues.jenkins-ci.org/browse/JENKINS-50767 as this is behind an Application Gateway (L7 proxy) rather than a Load Balancer.
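
The port stripping requested above, as an added example (not Jenkins code and not from the reporter): it reduces one X-Forwarded-For entry to a bare IP, including the bracketed IPv6 form the report leaves open, and shows a crumb staying stable once the port is gone. `strip_port`, `client_ip`, `toy_crumb` and the salt are hypothetical names; the crumb is a simplified stand-in for a hash bound to user and client address.

```python
import hashlib
import hmac
import ipaddress


def strip_port(entry: str) -> str:
    """Return the bare IP from one X-Forwarded-For entry, dropping any port.

    Accepts '198.2.2.249:60769', '[2001:db8::1]:443' and bare IPv4/IPv6.
    Raises ValueError when what remains is not a valid IP address.
    """
    entry = entry.strip()
    if entry.startswith("["):  # bracketed IPv6, optionally followed by :port
        host, close, rest = entry[1:].partition("]")
        if not close or (rest and not (rest[0] == ":" and rest[1:].isdigit())):
            raise ValueError(f"malformed entry: {entry!r}")
    elif entry.count(":") == 1:  # IPv4:port; a bare IPv6 has two or more colons
        host, _, port = entry.partition(":")
        if not port.isdigit():
            raise ValueError(f"malformed port in: {entry!r}")
    else:
        host = entry
    return str(ipaddress.ip_address(host))  # validates and canonicalises


def client_ip(xff_header: str) -> str:
    """Client address from the first X-Forwarded-For entry (assumption: the
    proxy in front is trusted to set it; a client can forge this header)."""
    return strip_port(xff_header.split(",")[0])


def toy_crumb(user: str, address: str, salt: bytes = b"constructed-salt") -> str:
    """Simplified stand-in for a crumb bound to user and client address."""
    return hmac.new(salt, f"{user};{address}".encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # First value is from the report; the second port is constructed.
    for raw in ("198.2.2.249:60769", "198.2.2.249:60770"):
        print(raw, toy_crumb("alice", raw)[:12],
              toy_crumb("alice", client_ip(raw))[:12])
```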

          [JENKINS-52764] Improve crumb compatibility with Azure Application Gateway

          Michael Brown added a comment -

          Note that I am not 100% sure that removing the port solves the problem, since the change I made to get it working was enabling excludeClientIPFromCrumb, but I think that's a reasonable assumption.


          Daniel Beck added a comment -

          Checking 'proxy compatibility' should make this work already (as the previous comment indicates), so doesn't seem to be a big deal.


          Michael Brown added a comment -

          Yes, it will make this work already, however knowing why something fails is useful, plus using "proxy compatibility" reduces security.

          The biggest indication around using the proxy compatibility option is when the XFF header isn't passed to Jenkins, but it is here and that left me to investigate for a lot longer around why it wasn't working when by appearances, it should have been.


          mike margala added a comment -

          I attempted to enable the 'proxy compatibility' but that didn't seem to work when behind an Azure Application Gateway. Has this been resolved?

          Does anyone have any other suggestions?


            Assignee: Unassigned
            Reporter: Michael Brown (supermathie)