Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-5753

Standalone install does not work with Apache + mod_proxy_ajp + SSL

    • Icon: Bug Bug
    • Resolution: Won't Fix
    • Icon: Major Major
    • core
    • None
    • CentOS release 5.4 (Final)
      2.6.18-164.10.1.el5xen (64 bit)
      java version "1.6.0_16"
      hudson-1.347-1.1
      httpd-2.2.3-31.el5.centos.2

      I've configured hudson to only use the ajp connector using a command line similar to

      /usr/lib/jvm/java-1.6.0/bin/java -Dcom.sun.akuma.Daemon=daemonized -Djava.awt.headless=true -Xmx64m -DHUDSON_HOME=/space/hudson -jar /usr/lib/hudson/hudson.war --logfile=/var/log/hudson/hudson.log --daemon --prefix=hudson --httpPort=-1 --ajp13Port=8109 --debug=5 --handlerCountMax=10 --handlerCountMaxIdle=0
      

      I'm using the following apache configuration file

          ProxyRequests Off
          ProxyPreserveHost On
      
          <Proxy *>
              Order deny,allow
              Allow from all
          </Proxy>
      
          ProxyPass /hudson ajp://localhost:8109/hudson retry=1
          ProxyPassReverse /hudson ajp://localhost:8109/hudson
      
      

      When accessing https://host/hudson , I get a 503 error page from Apache. The apache logs contain:

      [Wed Feb 24 23:58:04 2010] [error] ajp_read_header: ajp_ilink_receive failed
      [Wed Feb 24 23:58:04 2010] [error] (120006)APR does not understand this error code: proxy: read response failed from (null) (localhost)
      

      while the winstone logs contain:

      [Winstone 2010/02/24 23:58:04] - Error within request handler thread
      java.lang.StringIndexOutOfBoundsException: String index out of range: 1065
              at java.lang.String.checkBounds(String.java:401)
              at java.lang.String.<init>(String.java:442)
              at winstone.ajp13.Ajp13IncomingPacket.readString(Ajp13IncomingPacket.java:275)
              at winstone.ajp13.Ajp13IncomingPacket.parsePacket(Ajp13IncomingPacket.java:189)
              at winstone.ajp13.Ajp13Listener.allocateRequestResponse(Ajp13Listener.java:179)
              at winstone.RequestHandlerThread.run(RequestHandlerThread.java:79)
              at java.lang.Thread.run(Thread.java:619)
      

      It's worth mentioning that this was working with Tomcat 6.0.20 , but stopped working when I tried to move over to the standalone install.

      I've tried various combinations with or without prefix, and the only one which seems to work is ajp without any prefix.

          [JENKINS-5753] Standalone install does not work with Apache + mod_proxy_ajp + SSL

          Riku added a comment -

          Do You have any plans to fix this?

          Riku added a comment - Do You have any plans to fix this?

          J.C. Hamlin added a comment -

          Having the same (or very similar) problem with SLES 11.2 and Apache 2.2.12, using HTTPS, trying to go to the Winstone AJP connector on Jenkins 1.492. Accessing the Jenkins server directly on port 8080, or through Apache on port 80 with AJP works just fine, it is only when I access it through Apache with HTTPS going to Jenkins with AJP does it fail. The error messages look identical, so I assume this is the same problem.

          [Tue Oct 15 17:48:36 2013] [notice] Apache/2.2.12 (Linux/SUSE) mod_ssl/2.2.12 OpenSSL/0.9.8j-fips configured – resuming normal operations
          [Tue Oct 15 17:49:40 2013] [error] (70014)End of file found: ajp_ilink_receive() can't receive header
          [Tue Oct 15 17:49:40 2013] [error] ajp_read_header: ajp_ilink_receive failed
          [Tue Oct 15 17:49:40 2013] [error] (120006)APR does not understand this error code: proxy: read response failed from (null) (localhost)

          J.C. Hamlin added a comment - Having the same (or very similar) problem with SLES 11.2 and Apache 2.2.12, using HTTPS, trying to go to the Winstone AJP connector on Jenkins 1.492. Accessing the Jenkins server directly on port 8080, or through Apache on port 80 with AJP works just fine, it is only when I access it through Apache with HTTPS going to Jenkins with AJP does it fail. The error messages look identical, so I assume this is the same problem. [Tue Oct 15 17:48:36 2013] [notice] Apache/2.2.12 (Linux/SUSE) mod_ssl/2.2.12 OpenSSL/0.9.8j-fips configured – resuming normal operations [Tue Oct 15 17:49:40 2013] [error] (70014)End of file found: ajp_ilink_receive() can't receive header [Tue Oct 15 17:49:40 2013] [error] ajp_read_header: ajp_ilink_receive failed [Tue Oct 15 17:49:40 2013] [error] (120006)APR does not understand this error code: proxy: read response failed from (null) (localhost)

          J.C. Hamlin added a comment -

          With Jenkins 1.535 the problem has gone away, and it appears to be working just fine for me. I would say this issue has been addressed and should be closed. If there are other issues with AJP, they should be opened in a new JIRA ticket.

          J.C. Hamlin added a comment - With Jenkins 1.535 the problem has gone away, and it appears to be working just fine for me. I would say this issue has been addressed and should be closed. If there are other issues with AJP, they should be opened in a new JIRA ticket.

          Rocky Stone added a comment -

          Note that Jenkins 1.535 is the first version using Jetty instead of Winstone, that's what may have fixed the issue.

          Rocky Stone added a comment - Note that Jenkins 1.535 is the first version using Jetty instead of Winstone, that's what may have fixed the issue.

          Felix Buenemann added a comment - - edited

          I was getting 500 Internal Server errors on the j_acegi_security_check page in jenkins 1.558 directly after login when using AJP with Apache 2.2.22 and mod_proxy_ajp on Debian Wheezy. The error logged by jenkins:

           
          WARNING: AJP13 message type ({PING}: 0 ) not supported/recognized as an AJP request
          May 7, 2014 2:15:08 AM org.eclipse.jetty.util.log.JavaUtilLog warn
          WARNING: handle failed?
          java.lang.IllegalStateException: PING is not implemented
                  at org.eclipse.jetty.ajp.Ajp13Parser.parseNext(Ajp13Parser.java:335)
                  at org.eclipse.jetty.ajp.Ajp13Parser.parseAvailable(Ajp13Parser.java:158)
                  at org.eclipse.jetty.server.BlockingHttpConnection.handle(BlockingHttpConnection.java:72)
                  at org.eclipse.jetty.server.bio.SocketConnector$ConnectorEndPoint.run(SocketConnector.java:264)
                  at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
                  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
                  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
                  at java.lang.Thread.run(Thread.java:679)
          

          Apache Error Log:

          [error] (70014)End of file found: ajp_ilink_receive() can't receive header
          [error] ajp_read_header: ajp_ilink_receive failed
          [error] (120006)APR does not understand this error code: proxy: dialog to 127.0.0.1:8009 (localhost) failed
          

          I solved it by switching to HTTP.

          Relevant config:

           
          AllowEncodedSlashes NoDecode
          ProxyPass / http://localhost:8080/ nocanon retry=0
          ProxyPassReverse / http://localhost:8080/
          # Causes error "PING is not implemented" in jetty ajp implementation
          # ProxyPass / ajp://localhost:8009/ nocanon retry=0
          # ProxyPassReverse / ajp://localhost:8009/
          

          Felix Buenemann added a comment - - edited I was getting 500 Internal Server errors on the j_acegi_security_check page in jenkins 1.558 directly after login when using AJP with Apache 2.2.22 and mod_proxy_ajp on Debian Wheezy. The error logged by jenkins: WARNING: AJP13 message type ({PING}: 0 ) not supported/recognized as an AJP request May 7, 2014 2:15:08 AM org.eclipse.jetty.util.log.JavaUtilLog warn WARNING: handle failed? java.lang.IllegalStateException: PING is not implemented at org.eclipse.jetty.ajp.Ajp13Parser.parseNext(Ajp13Parser.java:335) at org.eclipse.jetty.ajp.Ajp13Parser.parseAvailable(Ajp13Parser.java:158) at org.eclipse.jetty.server.BlockingHttpConnection.handle(BlockingHttpConnection.java:72) at org.eclipse.jetty.server.bio.SocketConnector$ConnectorEndPoint.run(SocketConnector.java:264) at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:679) Apache Error Log: [error] (70014)End of file found: ajp_ilink_receive() can't receive header [error] ajp_read_header: ajp_ilink_receive failed [error] (120006)APR does not understand this error code: proxy: dialog to 127.0.0.1:8009 (localhost) failed I solved it by switching to HTTP. Relevant config: AllowEncodedSlashes NoDecode ProxyPass / http://localhost:8080/ nocanon retry=0 ProxyPassReverse / http://localhost:8080/ # Causes error "PING is not implemented" in jetty ajp implementation # ProxyPass / ajp://localhost:8009/ nocanon retry=0 # ProxyPassReverse / ajp://localhost:8009/

          Daniel Beck added a comment -

          Has this issue been fixed as a side effect of the switch to Jetty in 1.535? Anyone else experience Felix's problem?

          Daniel Beck added a comment - Has this issue been fixed as a side effect of the switch to Jetty in 1.535? Anyone else experience Felix's problem?

          I was already on 1.558 when I experienced the issue, as mentioned in the previous comment. I haven't tried using AJP since then.

          Felix Buenemann added a comment - I was already on 1.558 when I experienced the issue, as mentioned in the previous comment. I haven't tried using AJP since then.

          Daniel Beck added a comment -

          Jenkins 2.0 upgraded the embedded Jetty-Winstone to Jetty 9, which no longer has AJP support, making this issue obsolete.

          Daniel Beck added a comment - Jenkins 2.0 upgraded the embedded Jetty-Winstone to Jetty 9, which no longer has AJP support, making this issue obsolete.

          mirabilos added a comment -

          You mean “breaks AJP setups completely”, right?

          There’s a reason we don’t proxy HTTP in the normal case.

          mirabilos added a comment - You mean “breaks AJP setups completely”, right? There’s a reason we don’t proxy HTTP in the normal case.

          Daniel Beck added a comment -

          You mean “breaks AJP setups completely”, right?

          Yes. We have no control over features implemented in upstream. If you want/need AJP, you can always use a different container.

          Daniel Beck added a comment - You mean “breaks AJP setups completely”, right? Yes. We have no control over features implemented in upstream. If you want/need AJP, you can always use a different container.

            Unassigned Unassigned
            rombert Robert Munteanu
            Votes:
            16 Vote for this issue
            Watchers:
            26 Start watching this issue

              Created:
              Updated:
              Resolved: