- Bug
- Resolution: Fixed
- Major
- Jenkins: 2.205, Jenkins LTS 2.204.3 and 2.204.4
  Winstone 5.5 to 5.8
  Apache 2.4.41 as reverse proxy
- Jenkins 2.204.5, Jenkins 2.224, Winstone 5.4.3, Winstone 5.9
After the upgrade from 2.204 to 2.205, Jenkins redirects to http(s)://127.0.0.1/ after login.
Workaround: For Apache: set "ProxyPreserveHost On" as documented in https://wiki.jenkins.io/display/JENKINS/Running+Jenkins+behind+Apache
*Jenkins LTS Notice*: Jenkins LTS 2.204.3 and 2.204.4 are also affected due to the Winstone upgrade, which was introduced as part of backporting the JENKINS-57888 fix. Please see https://groups.google.com/forum/#!topic/jenkinsci-dev/M_RtDuDXtbU for the discussion and retrospective.
- is duplicated by: JENKINS-61328 JENKINS_URL being ignored. Defaulting to localhost (Closed)
Hi markewaite, I've been able to isolate the problem. Consider the two following commands, which differ only in the ordering of the X-Forwarded-Port and X-Forwarded-Host headers.
-H "Host: jenkins.example.com" \
-H "X-Forwarded-Port: 80" \
-H "X-Forwarded-Host: localhost" -o/dev/null \
2>/dev/null; echo
-H "Host: jenkins.example.com" \
-H "X-Forwarded-Host: localhost" \
-H "X-Forwarded-Port: 80" -o/dev/null \
2>/dev/null; echo
I ran these commands within docker containers based on various different Jenkins base-images, and observed the following behaviors:
Command 1: http://localhost/whoAmI/
Command 2: http://localhost/whoAmI/
Command 1: http://jenkins.example.com/whoAmI/
Command 2: http://localhost/whoAmI/
Command 1: http://jenkins.example.com/whoAmI/
Command 2: http://localhost/whoAmI/
So if I'm interpreting this right, it seems that the host used for Jenkins redirections is dependent on the ordering of the X-Forwarded-Port and X-Forwarded-Host headers, beginning in Jenkins 2.205+ and Jenkins 2.204.3+ for LTS. If I had to guess, this is probably due to changes made to the ForwardedRequestCustomizer class in Jetty, which were picked up in the move to Winstone 5.7. Maybe a bug in handlePort()?
To answer your previous question regarding "ProxyPreserveHost On", I am not behind an Apache reverse proxy (we use https://github.com/buzzfeed/sso), so this isn't directly relevant to me.
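The order dependence reported in this comment can be turned into a regression check, shown here as an added example that is not code from Jenkins, Winstone or Jetty. `resolve_order_sensitive` is a hypothetical model that only reproduces the reported symptom, `resolve_order_independent` is an assumed shape for a fix, and the header values are constructed from the commands above.

```python
from itertools import permutations

# Constructed headers mirroring the comment's first curl command.
SAMPLE = [("Host", "jenkins.example.com"),
          ("X-Forwarded-Port", "80"),
          ("X-Forwarded-Host", "localhost")]

def redirect_url(host, port, path="/whoAmI/"):
    # Omit the port when it is absent or the HTTP default.
    netloc = host if port in (None, 80) else f"{host}:{port}"
    return f"http://{netloc}{path}"

def resolve_order_sensitive(headers):
    """Hypothetical model of the symptom (not Jetty's code): once
    X-Forwarded-Port has been applied, a later X-Forwarded-Host is ignored."""
    host = fwd_host = port = None
    for name, value in headers:
        n = name.lower()
        if n == "host":
            host = value
        elif n == "x-forwarded-port":
            port = int(value)
        elif n == "x-forwarded-host" and port is None:
            fwd_host = value
    return redirect_url(fwd_host or host, port)

def resolve_order_independent(headers):
    """Assumed fix shape: collect every header first, then compose the
    authority, so arrival order cannot change the result."""
    seen = {}
    for name, value in headers:
        seen.setdefault(name.lower(), value)  # first occurrence wins
    host = seen.get("x-forwarded-host") or seen.get("host")
    port = seen.get("x-forwarded-port")
    return redirect_url(host, int(port) if port else None)

def results_by_order(resolver, headers):
    """Map each redirect target to the header orderings that produced it."""
    out = {}
    for perm in permutations(headers):
        out.setdefault(resolver(list(perm)), []).append([n for n, _ in perm])
    return out

def is_order_sensitive(resolver, headers):
    return len(results_by_order(resolver, headers)) > 1

if __name__ == "__main__":
    for r in (resolve_order_sensitive, resolve_order_independent):
        print(r.__name__, sorted(results_by_order(r, SAMPLE)))
```

The same permutation check, pointed at a deployment's real redirect logic, makes a cheap regression test to run after a servlet-container upgrade.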