Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-21989

ReverseProxySetupMonitor broken in Jenkins release 1.552

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved (View Workflow)
    • Minor
    • Resolution: Not A Defect
    • core
    • None
    • OS: SuSE Linux Enterprise Server 11 SP3 x86_64
      Apache Tomcat 6.0.37
      Reverse proxy: Apache Web Server 2.2.12 Release 1.40.1

    Description

      After upgrading Jenkins from 1.551 to 1.552, the Manage Jenkins screen has the message "It appears that your reverse proxy set up is broken." The reverse proxy configuration has been correctly working before the upgrade.

      The test URI
      /jenkins/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test
      is redirecting to
      /jenkins/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/a%2Fb/
      which is giving a 404 error.

      In previous versions of Jenkins, it redirected to
      /jenkins/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test-for-reverse-proxy-setup
      which returned 200 OK.

      I am using Apache Web Server with mod_proxy_ajp as a reverse proxy in front of the Tomcat serving Jenkins.

      Attachments

        Activity

          danielbeck Daniel Beck added a comment - - edited

          Here's a great test case: Access Jenkins directly, not through the reverse proxy. If it works without this message showing up, your reverse proxy is broken.

          If you use Apache as reverse proxy, it needs to be at least 2.2.18 and set the option AllowEncodedSlashes NoDecode (earlier versions only have values On and Off, both of which are wrong); as well as nocanon in the ProxyPass directive.

          Both need to be set within the VirtualHost, as AllowEncodedSlashes isn't inherited.

          Example:

          <VirtualHost *:80>
                  AllowEncodedSlashes NoDecode
                  ServerName build.example.org
                  ProxyPass         /  http://localhost:8080/ nocanon
                  ProxyPassReverse  /  http://localhost:8080/
                  ProxyRequests     Off
          </VirtualHost>
          
          danielbeck Daniel Beck added a comment - - edited Here's a great test case: Access Jenkins directly, not through the reverse proxy. If it works without this message showing up, your reverse proxy is broken. If you use Apache as reverse proxy, it needs to be at least 2.2.18 and set the option AllowEncodedSlashes NoDecode (earlier versions only have values On and Off , both of which are wrong); as well as nocanon in the ProxyPass directive. Both need to be set within the VirtualHost , as AllowEncodedSlashes isn't inherited. Example: <VirtualHost *:80> AllowEncodedSlashes NoDecode ServerName build.example.org ProxyPass / http: //localhost:8080/ nocanon ProxyPassReverse / http: //localhost:8080/ ProxyRequests Off </VirtualHost>
          danielbeck Daniel Beck added a comment -

          Not a defect, valid Apache reverse proxy configuration posted in earlier comment.

          danielbeck Daniel Beck added a comment - Not a defect, valid Apache reverse proxy configuration posted in earlier comment.

          For nginx, the config change apparently is as follows: (plus this needs nginx 1.1.12 or newer)

          Bad config:

           
                          proxy_pass        http://127.0.0.1:9000/;
          

          Good config:

           
                          proxy_pass        http://127.0.0.1:9000;
          

          (Note the removed trailing slash.)

          This is documented behaviour in nginx, but not really obvious.

          zeha Christian Hofstaedtler added a comment - For nginx, the config change apparently is as follows: (plus this needs nginx 1.1.12 or newer) Bad config: proxy_pass http: //127.0.0.1:9000/; Good config: proxy_pass http: //127.0.0.1:9000; (Note the removed trailing slash.) This is documented behaviour in nginx, but not really obvious.

          Thanks for the update and sample configuration. The NoDecode value is not available in the Apache version in SLES11SP3, but I confirmed that it solves the problem if I use a newer version of Apache.

          tduong Townsend Duong added a comment - Thanks for the update and sample configuration. The NoDecode value is not available in the Apache version in SLES11SP3, but I confirmed that it solves the problem if I use a newer version of Apache.
          jpschewe jpschewe added a comment -

          I've got Apache 2.2.22 with the config below and I'm getting the error from Jenkins that my reverse proxy isn't setup properly. Accessing the instance directly does not show the error.

          ProxyPass         /jenkins/  http://localhost:8042/jenkins/ nocanon
          ProxyPassReverse  /jenkins/  http://localhost:8042/jenkins/
          ProxyRequests     Off
          AllowEncodedSlashes NoDecode
          
          # Local reverse proxy authorization override
          # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
          <Proxy http://localhost:8042/jenkins>
            Order deny,allow
            Allow from all
          </Proxy>
          
          jpschewe jpschewe added a comment - I've got Apache 2.2.22 with the config below and I'm getting the error from Jenkins that my reverse proxy isn't setup properly. Accessing the instance directly does not show the error. ProxyPass /jenkins/ http://localhost:8042/jenkins/ nocanon ProxyPassReverse /jenkins/ http://localhost:8042/jenkins/ ProxyRequests Off AllowEncodedSlashes NoDecode # Local reverse proxy authorization override # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu) <Proxy http://localhost:8042/jenkins> Order deny,allow Allow from all </Proxy>

          People

            Unassigned Unassigned
            tduong Townsend Duong
            Votes:
            9 Vote for this issue
            Watchers:
            15 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: