Details
-
Bug
-
Status: Resolved (View Workflow)
-
Minor
-
Resolution: Not A Defect
-
None
-
OS: SuSE Linux Enterprise Server 11 SP3 x86_64
Apache Tomcat 6.0.37
Reverse proxy: Apache Web Server 2.2.12 Release 1.40.1
Description
After upgrading Jenkins from 1.551 to 1.552, the Manage Jenkins screen has the message "It appears that your reverse proxy set up is broken." The reverse proxy configuration has been correctly working before the upgrade.
The test URI
/jenkins/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test
is redirecting to
/jenkins/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/a%2Fb/
which is giving a 404 error.
In previous versions of Jenkins, it redirected to
/jenkins/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test-for-reverse-proxy-setup
which returned 200 OK.
I am using Apache Web Server with mod_proxy_ajp as a reverse proxy in front of the Tomcat serving Jenkins.
Attachments
Activity
Not a defect, valid Apache reverse proxy configuration posted in earlier comment.
Christian Hofstaedtler
added a comment - For nginx, the config change apparently is as follows: (plus this needs nginx 1.1.12 or newer)
Bad config:
proxy_pass http://127.0.0.1:9000/;
Good config:
proxy_pass http://127.0.0.1:9000;
(Note the removed trailing slash.)
This is documented behaviour in nginx, but not really obvious.
Christian Hofstaedtler
added a comment - For nginx, the config change apparently is as follows: (plus this needs nginx 1.1.12 or newer)
Bad config:
proxy_pass http: //127.0.0.1:9000/;
Good config:
proxy_pass http: //127.0.0.1:9000;
(Note the removed trailing slash.)
This is documented behaviour in nginx, but not really obvious. 
Townsend Duong
added a comment - Thanks for the update and sample configuration. The NoDecode value is not available in the Apache version in SLES11SP3, but I confirmed that it solves the problem if I use a newer version of Apache.
Townsend Duong
added a comment - Thanks for the update and sample configuration. The NoDecode value is not available in the Apache version in SLES11SP3, but I confirmed that it solves the problem if I use a newer version of Apache. 
jpschewe
added a comment - I've got Apache 2.2.22 with the config below and I'm getting the error from Jenkins that my reverse proxy isn't setup properly. Accessing the instance directly does not show the error.
ProxyPass /jenkins/ http://localhost:8042/jenkins/ nocanon ProxyPassReverse /jenkins/ http://localhost:8042/jenkins/ ProxyRequests Off AllowEncodedSlashes NoDecode # Local reverse proxy authorization override # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu) <Proxy http://localhost:8042/jenkins> Order deny,allow Allow from all </Proxy>
jpschewe
added a comment - I've got Apache 2.2.22 with the config below and I'm getting the error from Jenkins that my reverse proxy isn't setup properly. Accessing the instance directly does not show the error.
ProxyPass /jenkins/ http://localhost:8042/jenkins/ nocanon
ProxyPassReverse /jenkins/ http://localhost:8042/jenkins/
ProxyRequests Off
AllowEncodedSlashes NoDecode
# Local reverse proxy authorization override
# Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
<Proxy http://localhost:8042/jenkins>
Order deny,allow
Allow from all
</Proxy>
Here's a great test case: Access Jenkins directly, not through the reverse proxy. If it works without this message showing up, your reverse proxy is broken.
If you use Apache as reverse proxy, it needs to be at least 2.2.18 and set the option AllowEncodedSlashes NoDecode (earlier versions only have values On and Off, both of which are wrong); as well as nocanon in the ProxyPass directive.
Both need to be set within the VirtualHost, as AllowEncodedSlashes isn't inherited.
Example:
<VirtualHost *:80> AllowEncodedSlashes NoDecode ServerName build.example.org ProxyPass / http://localhost:8080/ nocanon ProxyPassReverse / http://localhost:8080/ ProxyRequests Off </VirtualHost>