Why does Jenkins complain that my reverse proxy setup is broken?
Solution 1
It turns out everything works fine even though the annoying message persistently appears. I think it is a minor bug of the version.
Solution 2
I was faced with this issue with Jenkins as a Windows Service Package.
According to their wiki:
Make sure the Jenkins URL configured in the System Configuration matches the URL you're using to access Jenkins.
To reach the System Configuration:
- Go to your Jenkins page
- Click Manage Jenkins
- Click Configure System
- Scroll to Jenkins Location and find Jenkins URL.
Ensure that port value matches with the port value set in the <arguments> section of the jenkins.xml file located in the Jenkins folder on your machine.
Solution 3
For me, the fix was to add:
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
This made it stop complaining.
Solution 4
Jenkins has proactive monitoring to make sure forward and reverse proxy is configured correctly. In version 1.552, these tests were improved so that incorrect proxy setups that were previously not flagged as broken are now detected. Starting with version 1.572, even Jenkins instances that do not rely on reverse proxy will display this warning.
Fixing a broken reverse proxy configuration is highly dependent on your web server and web application container, which is why there are so many other answers posted to your question. The Jenkins Wiki article on this topic, "Jenkins says my reverse proxy setup is broken", describes several ways to fix this in the comments.
From the above article:
For a reverse proxy to work correctly, it needs to rewrite both the request and the response.
But correct reverse proxying also involves one of two options, either:
- rewriting the response; or
- setting the X-Forwarded-Host (and perhaps X-Forwarded-Port) header on the forwarded request.
In my case, it was actually a problem with the first option, where my response rewriting was not properly encoding slashes. If you are using Apache HTTPD with Tomcat, you need to add support for encoded slashes to both servers, not just Apache HTTPD.
These are the instructions for resolving this problem in my specific case: Jenkins 2.1.41 on an Amazon Linux EC2 instance, with Apache 2.4, Tomcat 8.5 and Tomcat Connector.
In /etc/httpd/conf.d/ssl.conf add the following line for your Jenkins Host or VirtualHost:
AllowEncodedSlashes NoDecode
Add the following line to /usr/share/tomcat8/conf/catalina.properties:
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
Restart both services:
service httpd restart
service tomcat8 restart
Refresh your Manage Jenkins page. The warning message will be gone.
An example of implementing the second option in Apache HTTPD:
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
and for NGINX:
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Port 443;
Solution 5
For nginx, this also helped me:
proxy_redirect http://localhost:8080 https://your.ssl.domain.name
Don't include any trailing slashes to the above urls, and also not to the proxy_pass url.
Kevin
Updated on April 28, 2020Comments
-
Kevin about 4 years
I have no idea why after Jenkins is updated to version 1.591 (Ubuntu Server 12.04), the originally correctly set up reverse proxy now becomes broken. My current setting is exactly the same as said in Jenkins wiki:
ProxyPass /jenkins http://localhost:8081/jenkins nocanon ProxyPassReverse /jenkins http://localhost:8081/jenkins ProxyPreserveHost On ProxyRequests Off AllowEncodedSlashes NoDecode <Proxy http://localhost:8081/jenkins*> Order deny,allow Allow from all </Proxy>also
--prefix=/jenkinshas been added into/etc/default/jenkinsfileIs that a bug in Jenkins?