12

I am running two services behind an Apache server: Jenkins (Port 8080) and SonarQube (Port 9000).

My apache config looks like this:

<VirtualHost *:80> ServerName server Redirect permanent / https://server.domain.com/ </VirtualHost> <VirtualHost *:80> ServerName server.domain.com Redirect permanent / https://server.domain.com/ </VirtualHost> <VirtualHost *:443> ServerName server.domain.com SSLEngine on SSLCertificateFile /etc/ssl/certs/server.crt SSLCertificateKeyFile /etc/ssl/private/server.key ProxyPass /jenkins http://localhost:8080/jenkins nocanon ProxyPassReverse /jenkins http://localhost:8080/jenkins ProxyPassReverse /jenkins http://server.domain.com/jenkins ProxyPassReverse /jenkins https://server.domain.com/jenkins ProxyPass /sonar http://localhost:9000/sonar nocanon ProxyPassReverse /sonar http://localhost:9000/sonar AllowEncodedSlashes NoDecode ProxyRequests Off ProxyPreserveHost On <Proxy http://localhost:8080/*> Order deny,allow Allow from all </Proxy> </VirtualHost>

Everything seems to be working fine, except that Jenkins is complaining with this message: It appears that your reverse proxy set up is broken.

When I run the ReverseProxySetupMonitor test provided by Jenkins, the error message indicates that something with the reverse proxy is not set up correctly, as is does not replace http with https:

$ curl -iLk -e https://server.domain.com/jenkins/manage https://server.domain.com/jenkins/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test [...] 404 http://server.domain.com/jenkins/manage vs. https://server.domain.com/jenkins/manage [...]

This only appeared after I enabled SSL on the server (which is now using a self-signed certificate).

Question: How do I fix the reverse proxy setup so that Jenkins is happy? Bonus points for tips on how to improve the apache config file.

I already checked the following two related questions:

Improve this question

3 Answers 3

Reset to default
12

This page on wiki Jenkins mentioned that as per July 2014, the recommended configuration for Jenkins reverse proxy. The missing parameter is RequestHeader set X-Forwarded-Proto "https" and RequestHeader set X-Forwarded-Port "443"

So the configuration became

<VirtualHost *:443> SSLEngine on SSLCertificateFile /etc/ssl/certs/cert.pem ServerAdmin webmaster@localhost ProxyRequests Off ProxyPreserveHost On AllowEncodedSlashes NoDecode <Proxy *> Order deny,allow Allow from all </Proxy> ProxyPass / http://localhost:8080/ nocanon ProxyPassReverse / http://localhost:8080/ ProxyPassReverse / http://www.example.com/ RequestHeader set X-Forwarded-Proto "https" RequestHeader set X-Forwarded-Port "443" </VirtualHost>
Improve this answer
2
  • 2
    Awesome, that worked perfectly! I also had to do sudo a2enmod headers, otherwise I would get Invalid command 'RequestHeader' Commented Dec 19, 2014 at 19:16
  • Can you explain why are you using two ProxyPassReverse directives for the same path (/) ? Commented Mar 3, 2017 at 8:37
1

Windows Apache Front-end setup for Jenkins

The main differences here are:

  • How to set up a temporary certificate
  • stopping apache winging about not having any ssl cache

My setup:

  • Install was to d:\ (not c:\ - adapt this to your needs)

  • Jenkins is on port 8080

  • Unzip Apache httpd-2.4.18-win64-VC14.zip (from http://www.apachelounge.com/download/) to d:\ .

  • Install OpenSSL Win64OpenSSL_Light-1_0_2f.exe (http://slproweb.com/products/Win32OpenSSL.html) to d:\OpenSSL-Win64

  • Create the ssl certificate:

    • cd to the OpenSSL bin directory and run the magic:

       pushd d:\OpenSSL-Win64\bin set OPENSSL_CONF=openssl.cfg openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

  • Copy the server.* files from d:\OpenSSL-Win64\bin to D:\Apache24\conf

  • Edit d:\Apache24\conf\httpd.conf :

    • Search and replace "c:/" with "d:/"

    • Change after the line "Listen 80", adding "Listen 443":

      Listen 80 Listen 443

    • Uncomment these lines:

      LoadModule headers_module modules/mod_headers.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_ajp_module modules/mod_proxy_ajp.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule rewrite_module modules/mod_rewrite.so LoadModule socache_shmcb_module modules/mod_socache_shmcb.so LoadModule ssl_module modules/mod_ssl.so LoadModule vhost_alias_module modules/mod_vhost_alias.so

    • Update "#ServerName www.example.com:80" to:

      ServerName myserver.mydomain:80

    • Add this at the end:

      <IfModule socache_shmcb_module> SSLSessionCache "shmcb:logs/ssl_scache(512000)" </IfModule> <VirtualHost *:80> ServerName myserver Redirect permanent / https://myserver.mydomain/ </VirtualHost> <VirtualHost *:80> ServerName myserver.mydomain Redirect permanent / https://myserver.mydomain/ </VirtualHost> <VirtualHost *:443> SSLEngine on SSLCertificateFile conf/server.crt SSLCertificateKeyFile conf/server.key ServerAdmin me@mydomain ProxyRequests Off ProxyPreserveHost On AllowEncodedSlashes NoDecode <Proxy *> Order deny,allow Allow from all </Proxy> ProxyPass / http://localhost:8080/ nocanon ProxyPassReverse / http://localhost:8080/ ProxyPassReverse / http://myserver.mydomain/ RequestHeader set X-Forwarded-Proto "https" RequestHeader set X-Forwarded-Port "443" </VirtualHost>

I did not stop Jenkins listening on port 8080, so I can still connect if apache fails. My objective in using https is to hide parameters.

Improve this answer
0

I created a Docker container to run Apache2 as a reverse proxy for Sonarqube at the same host.

Follow the Source Code. https://github.com/clebermasters/sonarqube-https-apache2

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.