6

I'm setting up a Jenkins server, to run under Tomcat behind Apache. I'm using virtual hosts with SSL using SNI so I can access it at https://jenkins.example.com, and serve something else on, say, http://www.example.com.

I've got it up and running, but when I click "Manage Jenkins", it tells me "It appears your reverse proxy setup is broken."

Note that I'm using a self-signed SSL certificate, and jenkins.example.com is not the default virtual host.

The relevant Apache config looks like this:

<VirtualHost *:80>
        ServerName jenkins.example.com
        Redirect / https://jenkins.example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName jenkins.example.com

  SSLEngine on

  SSLCertificateFile    /etc/ssl/certs/jenkins.example.com.crt
  SSLCertificateKeyFile /etc/ssl/private/jenkins.example.com.key

  <Location />
     AuthType Digest
     AuthName "Jenkins"
     AuthUserFile "/etc/htpasswords"
     Require valid-user
   </Location>

   ProxyRequests     Off
   ProxyPreserveHost On

   <Proxy http://localhost:8080*>
     Order deny,allow
       Allow from all
   </Proxy>

   ProxyPass         /  http://localhost:8080/
   ProxyPassReverse  /  http://localhost:8080/
   ProxyPassReverse  /  https://jenkins.example.com

</VirtualHost>

If I do:

curl --user "username:password" --digest -k https://jenkins.example.com/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test -L

Then I see the output:

<div/>

If I run wget with debug, then I see that at some point wget gets a pointer to http instead of https. I'm not sure why that's happening or if it's related, but it does redirect properly:

---response begin---
HTTP/1.1 302 Moved Temporarily
Date: Tue, 17 Jan 2012 19:47:16 GMT
Server: Apache-Coyote/1.1
Location: http://jenkins.example.com/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test-for-reverse-proxy-setup
Content-Length: 0
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/plain

I'm running on Ubuntu 11.04, Apache 2.2.17, Tomcat 6.0.28, Jenkins 1.448.

Lorin Hochstein

3 Answers

6

The one issue that I see with your config is that:

ProxyPassReverse  /  https://jenkins.example.com

Should be:

ProxyPassReverse  /  https://jenkins.example.com/

Seems like the service is sending http:// instead of https:// location headers (probably because your connection to its listener from Apache is unencrypted on the localhost listener), in which case you'll need to add:

ProxyPassReverse  /  http://jenkins.example.com/

So, what's probably occurring currently is the API call is failing because it gets an http:// address in the Location: header of the redirect (which is missed for un-translation in the ProxyPassReverse because it's not http).

It sends the request to that location and gets another redirect response, from your <VirtualHost *:80>. Their validity checker knows that ain't right and errors, while curl follows one more redirect and gets a valid response.

Add the ProxyPassReverse for http:// above and this should correct the issue, if I'm right.

Shane Madden
  • 1
    Even after following all these suggestions, I still got the *It appears your reverse proxy setup is broken* message. The final step that was missing was adding to the `` part a `RequestHeader set X-Forwarded-Proto "http"` ... and to the `` part a `RequestHeader set X-Forwarded-Proto "https"`. Now, finally, the *broken* message is gone. – Abdull Feb 17 '16 at 18:52
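
Added example (not part of the answer or comment above, and not Apache or Jenkins code): a simplified Python model of the ProxyPassReverse prefix match, run against the Location header from the question's wget trace, showing which rule sets let an `http://` redirect reach the client of an HTTPS-only site. It assumes first-match-wins prefix rewriting onto the front-end scheme and host; `reverse_map` and `audit` are hypothetical names.

```python
from urllib.parse import urlsplit

# Constructed inputs: the front-end vhost from the question and the Location
# header shown in the question's wget trace.
FRONT = ("https", "jenkins.example.com")
BACKEND_LOCATION = ("http://jenkins.example.com/administrativeMonitor/"
                    "hudson.diagnosis.ReverseProxySetupMonitor/test-for-reverse-proxy-setup")

# (path, url) pairs as written in the question and as proposed in the answer.
QUESTION_RULES = [("/", "http://localhost:8080/"),
                  ("/", "https://jenkins.example.com")]
ANSWER_RULES = [("/", "http://localhost:8080/"),
                ("/", "https://jenkins.example.com/"),
                ("/", "http://jenkins.example.com/")]


def reverse_map(location, rules, front=FRONT):
    """Simplified model (an assumption): the first rule whose URL is a
    case-insensitive prefix of Location wins; the remainder is appended to
    the rule's path and re-rooted on the front-end scheme and host."""
    for path, url in rules:
        if location.lower().startswith(url.lower()):
            return f"{front[0]}://{front[1]}{path}{location[len(url):]}"
    return location  # no rule matched: the header reaches the client unchanged


def audit(location, rules, front=FRONT):
    """Return (Location as the client sees it, list of findings)."""
    seen = reverse_map(location, rules, front)
    parts = urlsplit(seen)
    findings = []
    if parts.scheme != front[0]:
        findings.append("scheme-downgrade")   # client is redirected to plain http
    if parts.netloc != front[1]:
        findings.append("backend-host-leak")  # internal host name exposed
    if parts.path.startswith("//"):
        findings.append("double-slash")       # rule URL lacked its trailing slash
    return seen, findings


if __name__ == "__main__":
    for name, rules in (("question", QUESTION_RULES), ("answer", ANSWER_RULES)):
        print(name, audit(BACKEND_LOCATION, rules))
    print("no trailing slash", audit("https://jenkins.example.com/manage", QUESTION_RULES))
```
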
2

If you use Apache as reverse proxy, it needs to be at least 2.2.18 and set the option AllowEncodedSlashes NoDecode (earlier versions only have values On and Off, both of which are wrong); as well as nocanon in the ProxyPass directive.

Both need to be set within the VirtualHost, as AllowEncodedSlashes isn't inherited.

<VirtualHost *:80>
        AllowEncodedSlashes NoDecode
        ServerName build.example.org
        ProxyPass         /  http://localhost:8080/ nocanon
        ProxyPassReverse  /  http://localhost:8080/
        ProxyRequests     Off
</VirtualHost>

Anil
0

via https://stackoverflow.com/a/33179008/923560:

Make sure the Jenkins URL configured in the System Configuration matches the URL you're using to access Jenkins.

To reach the System Configuration:

  1. Go to your Jenkins page
  2. Click Manage Jenkins
  3. Click Configure System
  4. Scroll to Jenkins Location and find Jenkins URL.

Ensure that the port value matches the port value set in the <arguments> section of the jenkins.xml file located in the Jenkins folder on your machine.

Abdull