jenkins 2.205 behind reverse proxy redirects to 127.0.0.1 after login

    • Jenkins 2.204.5, Jenkins 2.224, Winstone 5.4.3, Winstone 5.9

      After the upgrade from 2.204 to 2.205 jenkins redirects to http(s)://127.0.0.1/ after login.

       Workaround: For Apache: set "ProxyPreserveHost On" as documented in https://wiki.jenkins.io/display/JENKINS/Running+Jenkins+behind+Apache

      *Jenkins LTS Notice*: Jenkins LTS 2.204.3 and 2.204.4 are also affected due to the Winstone upgrade which was introduced as a part of the JENKINS-57888 fix backporting. Please see https://groups.google.com/forum/#!topic/jenkinsci-dev/M_RtDuDXtbU for the discussion and retrospective

          [JENKINS-60199] jenkins 2.205 behind reverse proxy redirects to 127.0.0.1 after login

          olli hauer created issue -

          Mark Waite added a comment -

          olamy is this likely a result of the upgrade to Jetty 9.4.22?

          Olivier Lamy added a comment - - edited

          ohauer Is it possible to have more details about the reverse proxy? (version, configuration entry)

          markewaite yes maybe...

          Mark Waite added a comment -

          olamy I successfully created an Apache reverse proxy configuration on Debian 10 installing the apache package for Debian and the jenkins 2.205 package for Debian. Then I configured the Apache installation per the directions at https://wiki.jenkins.io/display/JENKINS/Running+Jenkins+behind+Apache . I can't duplicate the problem.

          ohauer can you provide configuration information that will allow another person to see the same issue?

          olli hauer added a comment -

          Sure, here are the parts from my Jenkins config:

          Jenkins parameters:
          --httpPort=8180 --httpListenAddress=127.0.0.1 --prefix=/jenkins -Dhudson.DNSMultiCast.disabled=true -Djava.net.preferIPv6Addresses=false

          Jenkins (tab) configure:
          Jenkins Location
          Jenkins URL: https://fqdn.host.name/jenkins

          Relevant part from apache 2.4.41:

          ProxyRequests Off
          AllowEncodedSlashes NoDecode

          RewriteRule ^(/jenkins)$ $1/ [R=301,L]

          <Location /jenkins>
          ProxyPass http://127.0.0.1:8180/jenkins nocanon
          ProxyPassReverse http://127.0.0.1:8180/jenkins
          RequestHeader set X-Forwarded-Proto "https"
          RequestHeader set X-Forwarded-Port "443"
          RequestHeader set X-Forwarded-Host "fqdn.host.name"
          </Location>

          olli hauer added a comment - - edited

          Perhaps a hint, the Apache is TLS only.

          I've tried to analyze what happens when I press the sign-in button in Chrome; see the trace below.

           

          2.205 (broken)
          j_acegi_security_check:

          General:
          Request URL: https://fqdn.host.name/jenkins/j_acegi_security_check
          Request Method: POST
          Status Code: 302 Found
          Remote Address: IP.AD.DR.ES:443
          Referrer Policy: no-referrer-when-downgrade

          Response Header:
          Connection: Keep-Alive
          Content-Length: 0
          Date: Wed, 20 Nov 2019 09:33:02 GMT
          Expires: Thu, 01 Jan 1970 00:00:00 GMT
          Keep-Alive: timeout=5, max=100
          Location: https://127.0.0.1/jenkins/
          Server: Jetty(9.4.22.v20191022)
          Set-Cookie: JSESSIONID.10db730a=node0173jclauyomxaxlnl8x11eypy2.node0; Path=/jenkins; Secure; HttpOnly
          X-Content-Type-Options: nosniff

          Request Header:
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
          Accept-Encoding: gzip, deflate, br
          Accept-Language: en-US,en;q=0.9,de;q=0.8
          Cache-Control: max-age=0
          Connection: keep-alive
          Content-Length: 71
          Content-Type: application/x-www-form-urlencoded
          Cookie: JSESSIONID.c0515192=node09fh3q2bodtxf6wgyy85sirkm7.node0; JSESSIONID.10db730a=node01pf20r2evzrjn7h09d2m3bk201.node0; screenResolution=1920x1200
          DNT: 1
          Host: fqdn.host.name
          Origin: https://fqdn.host.name
          Referer: https://fqdn.host.name/jenkins/login?from=%2Fjenkins%2F
          Sec-Fetch-Mode: navigate
          Sec-Fetch-Site: same-origin
          Sec-Fetch-User: ?1
          Upgrade-Insecure-Requests: 1
          User-Agent: Mozilla/5.0 ...
          j_username: username
          j_password: password
          from: /jenkins/
          Submit: Sign in

           

          and with 2.204 (OK)
          j_acegi_security_check:

          General:
          Request URL: https://fqdn.host.name/jenkins/j_acegi_security_check
          Request Method: POST
          Status Code: 302 Found
          Remote Address: IP.AD.DR.ES:443
          Referrer Policy: no-referrer-when-downgrade

          Response Header:
          Connection: Keep-Alive
          Content-Length: 0
          Date: Wed, 20 Nov 2019 09:47:27 GMT
          Expires: Thu, 01 Jan 1970 00:00:00 GMT
          Keep-Alive: timeout=5, max=100
          Location: https://fqdn.host.name/jenkins/
          Server: Jetty(9.4.z-SNAPSHOT)
          Set-Cookie: JSESSIONID.e3d4d209=node01eapoart737kjzv2n9r5jqf6n1.node0;Path=/jenkins;Secure;HttpOnly
          X-Content-Type-Options: nosniff

          Request Header:
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
          Accept-Encoding: gzip, deflate, br
          Accept-Language: en-US,en;q=0.9,de;q=0.8
          Cache-Control: max-age=0
          Connection: keep-alive
          Content-Length: 71
          Content-Type: application/x-www-form-urlencoded
          Cookie: JSESSIONID.e3d4d209=node01deci271w2led1hqp8smatfa2j0.node0; screenResolution=1920x1200
          DNT: 1
          Host: fqdn.host.name
          Origin: https://fqdn.host.name
          Referer: https://fqdn.host.name/jenkins/login?from=%2Fjenkins%2F
          Sec-Fetch-Mode: navigate
          Sec-Fetch-Site: same-origin
          Sec-Fetch-User: ?1
          Upgrade-Insecure-Requests: 1
          User-Agent: Mozilla/5.0 ...
          j_username: username
          j_password: password
          from: /jenkins/
          Submit: Sign in
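
A check for the symptom visible in the two traces above, added here as an example and not part of the original issue or of Jenkins itself: it compares the Location header of a redirect with the URL the browser requested and flags a changed scheme or host, or a loopback/private address. The header snippets are trimmed copies of the traces in this issue; the function names are illustrative.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_headers(block):
    """Parse 'Name: value' lines (as pasted from browser dev tools) into a dict."""
    headers = {}
    for line in block.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_redirect(request_url, response_block):
    """Return a list of findings for a redirect response; an empty list means OK."""
    location = parse_headers(response_block).get("location")
    if location is None:
        return []
    req, loc = urlsplit(request_url), urlsplit(location)
    if not loc.netloc:  # relative redirect: the browser stays on its own origin
        return []
    findings = []
    if loc.scheme != req.scheme:
        findings.append(f"scheme changed: {req.scheme} -> {loc.scheme}")
    if (loc.hostname or "").lower() != (req.hostname or "").lower():
        findings.append(f"host changed: {req.hostname} -> {loc.hostname}")
    try:
        ip = ipaddress.ip_address(loc.hostname or "")
        if ip.is_loopback or ip.is_private:
            findings.append(f"redirect leaks backend address {ip}")
    except ValueError:
        pass  # hostname is a DNS name, not an IP literal
    return findings

# Trimmed from the traces in this issue (only the headers the check needs).
REQUEST_URL = "https://fqdn.host.name/jenkins/j_acegi_security_check"
BROKEN_2_205 = """
Status Code: 302 Found
Location: https://127.0.0.1/jenkins/
Server: Jetty(9.4.22.v20191022)
"""
OK_2_204 = """
Status Code: 302 Found
Location: https://fqdn.host.name/jenkins/
Server: Jetty(9.4.z-SNAPSHOT)
"""

if __name__ == "__main__":
    for label, block in (("2.205", BROKEN_2_205), ("2.204", OK_2_204)):
        print(label, check_redirect(REQUEST_URL, block) or "OK")
```

Run against a proxied instance after each upgrade, the same comparison shows whether the backend's listen address is reaching clients in redirects.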

           


          Rob Munten added a comment -

          Hi ohauer,

          Add the following line to your apache conf.

          ProxyPreserveHost On

          This fixed the issue in my case.

          Oleg Nenashev added a comment -

          markewaite ohauer looks like we need to add upgrade guidelines for this regression to the weekly changelog (summary banner for reverse proxy users?). AFAICT it also discourages selecting 2.205 as the new LTS baseline, needs more soak testing for other possible regressions

          Daniel Beck added a comment -

          I wonder whether this would be an instance that previously showed an administrative warning about a bad reverse proxy configuration on /manage.

          If so, wouldn't care that much.

          Jesse Glick added a comment -

          Would really need to see what headers were sent to/from Jenkins by Apache to see if Jetty is behaving improperly here. Is there a simple way to reproduce from scratch, for example using this?

            oleg_nenashev Oleg Nenashev
            ohauer olli hauer