Improve crumb compatibility with Azure Application Gateway

    • Improvement
    • Resolution: Unresolved
    • Minor
    • core
    • None
    • Azure

      When Jenkins is behind an Azure Application gateway it gets the proper header for the remote user passed to it - a complete header example is below:

      POST /job/deploy-job/build?delay=0sec HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      Accept: text/javascript, text/html, application/xml, text/xml, */*
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-CA,en-GB;q=0.9,en-US;q=0.8,en;q=0.7,fr;q=0.6
      Host: build.something
      Max-Forwards: 10
      Referer: https://build.something/job/deploy-job/
      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36
      Origin: https://build.something
      Jenkins-Crumb: 0a6b7215318cfcfea7e8be0bfd7bc1a6
      X-Prototype-Version: 1.7
      X-Requested-With: XMLHttpRequest
      DNT: 1
      X-FORWARDED-PROTO: https
      X-FORWARDED-PORT: 443
      X-ORIGINAL-HOST: build.something
      SEC-WEBSOCKET-EXTENSIONS:
      X-Original-URL: /job/deploy-job/build?delay=0sec
      X-Forwarded-For: 198.2.2.249:60769
      X-ARR-SSL: 2048|256|CN=*.something|CN=*.something
      X-ARR-LOG-ID: a5a03579-302d-494a-a2c5-089d51026283
      Content-Length: 0

      HOWEVER the remote port is also included:

      X-Forwarded-For: 198.2.2.249:60769

      and since the remote port changes with every request, the crumbs are never seen as valid.

      Jenkins should support stripping the port from the remote IP if present.

      I don't know what the Azure Application Gateway does for IPv6 since it doesn't support that yet.

      Related to (but not the same as) https://issues.jenkins-ci.org/browse/JENKINS-50767 as this is behind an Application Gateway (L7 proxy) rather than a Load Balancer.
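
The normalisation the report asks for, as an added Python sketch (not Jenkins code and not part of the original issue): it strips the port from each `X-Forwarded-For` entry and shows that a value bound to the client address then stays stable across requests. `strip_port`, `normalise_xff`, `toy_crumb` and the secret are hypothetical names, the HMAC is a stand-in for whatever the crumb issuer derives from the client address, and the bracketed `[addr]:port` IPv6 form is an assumption, since the report says the gateway's IPv6 behaviour is unknown.

```python
import hashlib
import hmac
import ipaddress

SECRET = b"constructed-demo-secret"  # constructed value, example only


def _valid_port(text):
    return text.isascii() and text.isdigit() and int(text) <= 65535


def strip_port(entry):
    """Return the bare, canonical IP from one X-Forwarded-For entry."""
    s = entry.strip()
    if s.startswith("["):  # "[2001:db8::1]:443" or "[2001:db8::1]"
        host, closed, rest = s[1:].partition("]")
        if not closed or (rest and not (rest[0] == ":" and _valid_port(rest[1:]))):
            raise ValueError(f"malformed bracketed address: {entry!r}")
    elif s.count(":") == 1:  # "198.2.2.249:60769"; bare IPv6 has 2+ colons
        host, port = s.split(":")
        if not _valid_port(port):
            raise ValueError(f"malformed port: {entry!r}")
    else:  # bare IPv4 or bare IPv6, nothing to strip
        host = s
    return str(ipaddress.ip_address(host))  # rejects anything that is not an IP


def normalise_xff(header):
    """Normalise every comma-separated entry of an X-Forwarded-For value."""
    return [strip_port(e) for e in header.split(",") if e.strip()]


def toy_crumb(user, xff, normalise):
    """Hypothetical stand-in for a crumb bound to user + client address."""
    addr = ",".join(normalise_xff(xff)) if normalise else xff
    return hmac.new(SECRET, f"{user}|{addr}".encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    first = "198.2.2.249:60769"   # value from the report
    second = "198.2.2.249:51122"  # constructed: same client, next request
    print(toy_crumb("alice", first, False) == toy_crumb("alice", second, False))
    print(toy_crumb("alice", first, True) == toy_crumb("alice", second, True))
```

Malformed entries raise `ValueError` rather than being passed through, so a header that is not an IP address never ends up inside the value the crumb is bound to.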

          [JENKINS-52764] Improve crumb compatibility with Azure Application Gateway

          Michael Brown created issue -
          Michael Brown made changes -
          Link New: This issue relates to JENKINS-50767 [ JENKINS-50767 ]

            Unassigned
            supermathie Michael Brown