Jenkins / JENKINS-55974

"No valid crumb was included in the request" when running behind nginx (since recent update)


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major
    • kerberos-sso-plugin
    • None
    • Jenkins 2.163-1 on CentOS 7; Kerberos SSO plugin 1.4; nginx as reverse proxy.
    • 1.5

      This only happens when using the Kerberos SSO plugin! When I am visiting Jenkins using Firefox with a private window (meaning: Kerberos not active; login via Basic Auth instead), everything works fine.

       

      Since updating Jenkins from 2.159-1 to 2.163-1, I get the error message "No valid crumb was included in the request" on every POST request on Jenkins. Also, Jenkins warns me that my reverse proxy configuration is invalid (but again, only when using Kerberos!).

      I am pretty sure that my Nginx configuration is correct, according to the wiki. This is my configuration:

      upstream jenkins { 
        keepalive 32;
        server 127.0.0.1:8080;
      }
      
      server { 
        listen 443 ssl default_server;
        server_name jenkins.development.ems;
        ssl_certificate /root/jenkins.certs/jenkins.development.ems.chained.pem;
        ssl_certificate_key /root/jenkins.certs/jenkins.development.ems.key;
        root /data/nginx-root;
        
        #pass through headers from Jenkins which are considered invalid by Nginx
        ignore_invalid_headers off;
      
        location /jenkins {
          sendfile off;
          proxy_pass http://jenkins;
          proxy_connect_timeout 90;
          proxy_send_timeout 90;
          proxy_read_timeout 90;
          proxy_http_version 1.1;
          proxy_set_header Host $host:$server_port;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_redirect http:// https://;
          proxy_max_temp_file_size 0;
          client_max_body_size 10m;
          client_body_buffer_size 128k;
          proxy_buffering off;
          
          # Required for HTTP CLI commands in Jenkins > 2.54 
          proxy_request_buffering off; 
          
          # Clear for keepalive
          proxy_set_header Connection "";
        }
      }
      

      It seems to me that the "Jenkins-Crumb" header is not set when logging in through Kerberos/SSO.

       

      Workarounds:

      • Using a private browser window.
      • Disabling Kerberos/SSO in Jenkins.
      • Disabling CSRF protection in Jenkins.

       

            t_westling Tomas Westling
            christianciach Christian Ciach