Jenkins reports reverse proxy setup incorrect with Apache using virtual hosts with SNI

Question

I'm setting up a Jenkins server, to run under Tomcat behind Apache. I'm using virtual hosts with SSL using SNI so I can access it at https://jenkins.example.com, and serve something else on, say, http://www.example.com.

I've got it up and running, but when I click "Manage Jenkins", it tells me It appears your reverse proxy setup is broken.

Note that I'm using a self-signed SSL certificate, and jenkins.example.com is not the default virtual hosts.

The relevant apache config looks like this:

<VirtualHost *:80> ServerName jenkins.example.com Redirect / https://jenkins.example.com/ </VirtualHost> <VirtualHost *:443> ServerName jenkins.example.com SSLEngine on SSLCertificateFile /etc/ssl/certs/jenkins.example.com.crt SSLCertificateKeyFile /etc/ssl/private/jenkins.example.com.key <Location /> AuthType Digest AuthName "Jenkins" AuthUserFile "/etc/htpasswords" Require valid-user </Location> ProxyRequests Off ProxyPreserveHost On <Proxy http://localhost:8080*> Order deny,allow Allow from all </Proxy> ProxyPass / http://localhost:8080/ ProxyPassReverse / http://localhost:8080/ ProxyPassReverse / https://jenkins.example.com </VirtualHost> 

If I do:

curl --user "username:password" --digest -k https://jenkins.example.com/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test -L 

Then I see the output:

<div/> 

If I run wget with debug, then I see at that some point wget gets a pointer to http instead of https, not sure why that's happening or if it's related, but it does redirect properly:

---response begin--- HTTP/1.1 302 Moved Temporarily Date: Tue, 17 Jan 2012 19:47:16 GMT Server: Apache-Coyote/1.1 Location: http://jenkins.example.com/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test-for-reverse-proxy-setup Content-Length: 0 Keep-Alive: timeout=15, max=99 Connection: Keep-Alive Content-Type: text/plain 

I'm running on Ubuntu 11.04, Apache 2.2.17, Tomcat 6.0.28, Jenkins 1.448.

Answer 1

The one issue that I see with your config is that:

ProxyPassReverse / https://jenkins.example.com 

Should be:

ProxyPassReverse / https://jenkins.example.com/ 

---

Seems like the service is sending http:// instead of https:// location headers (probably because your connection to its listener from Apache is unencrypted on the localhost listener), in which case you'll need to add:

ProxyPassReverse / http://jenkins.example.com/ 

---

So, what's probably occurring currently is the API call is failing because it gets an http:// address in the Location: header of the redirect (which is missed for un-translation in the ProxyPassReverse because it's not http).

It sends the request to that location and gets another redirect response, from your <VirtualHost *:80>. Their validity checker knows that ain't right and errors, while curl follows one more redirect and gets a valid response.

Add the ProxyPassReverse for http:// above and this should correct the issue, if I'm right.

Answer 2

If you use Apache as reverse proxy, it needs to be at least 2.2.18 and set the option AllowEncodedSlashes NoDecode (earlier versions only have values On and Off, both of which are wrong); as well as nocanon in the ProxyPass directive.

Both need to be set within the VirtualHost, as AllowEncodedSlashes isn't inherited.

<VirtualHost *:80> AllowEncodedSlashes NoDecode ServerName build.example.org ProxyPass / http://localhost:8080/ nocanon ProxyPassReverse / http://localhost:8080/ ProxyRequests Off </VirtualHost> 

Answer 3

via https://stackoverflow.com/a/33179008/923560:

Make sure the Jenkins URL configured in the System Configuration matches the URL you're using to access Jenkins.

To reach the System Configuration:

1. Go to your Jenkins page
2. Click Manage Jenkins
3. Click Configure System
4. Scroll to Jenkins Location and find Jenkins URL.

Ensure that port value matches with the port value set in the <arguments> section of the jenkins.xml file located in the Jenkins folder on your machine.