
"No valid crumb was included in the request" when running behind nginx (since recent update)

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Duplicate
    • kerberos-sso-plugin
    • None
    • Jenkins 2.163-1 on CentOS 7; Kerberos SSO plugin 1.4; nginx as reverse proxy.
    • 1.5

    Description

      This only happens when using the Kerberos SSO plugin! When I am visiting Jenkins using Firefox with a private window (meaning: Kerberos not active; login via Basic Auth instead), everything works fine.

      Since updating Jenkins from 2.159-1 to 2.163-1, I get the error message "No valid crumb was included in the request" on every POST request on Jenkins. Also, Jenkins warns me that my reverse proxy configuration is invalid (but again, only when using Kerberos!).

      I am pretty sure that my Nginx configuration is correct, according to the wiki. This is my configuration:

      upstream jenkins { 
        keepalive 32;
        server 127.0.0.1:8080;
      }
      
      server { 
        listen 443 ssl default_server;
        server_name jenkins.development.ems;
        ssl_certificate /root/jenkins.certs/jenkins.development.ems.chained.pem;
        ssl_certificate_key /root/jenkins.certs/jenkins.development.ems.key;
        root /data/nginx-root;
        
        #pass through headers from Jenkins which are considered invalid by Nginx
        ignore_invalid_headers off;
      
        location /jenkins {
          sendfile off;
          proxy_pass http://jenkins;
          proxy_connect_timeout 90;
          proxy_send_timeout 90;
          proxy_read_timeout 90;
          proxy_http_version 1.1;
          proxy_set_header Host $host:$server_port;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_redirect http:// https://;
          proxy_max_temp_file_size 0;
          client_max_body_size 10m;
          client_body_buffer_size 128k;
          proxy_buffering off;
          
          # Required for HTTP CLI commands in Jenkins > 2.54 
          proxy_request_buffering off; 
          
          # Clear for keepalive
          proxy_set_header Connection "";
        }
      }
      

      It seems to me that the "Jenkins-Crumb" header is not set when logging in through Kerberos/SSO.

      Workarounds:

      • Using a private browser window.
      • Disabling Kerberos/SSO in Jenkins.
      • Disabling CSRF protection in Jenkins.

          Activity

            christianciach Christian Ciach added a comment (edited)

            Also, Blue Ocean is broken when using Kerberos SSO. I always get the "Welcome to Jenkins - It's time to create your first Pipeline."-dialog in Blue Ocean, even though there are many existing projects and pipelines. Again, Blue Ocean works fine when not using Kerberos SSO (for example by using a private browser window).

            christianciach Christian Ciach added a comment

            This is a duplicate of JENKINS-55698. The release of Kerberos SSO 1.5 fixed this issue for us.

            People

              t_westling Tomas Westling
              christianciach Christian Ciach