Reputation: 27495
I am using Jenkins over HTTPS/SSL (the details of setup below). I can navigate to https://jenkins.mydomain.com:8088 without any problems. All links are correct with https:// in front of them. I can properly navigate through almost all Jenkins pages. Except when Jenkins tries to redirect (e.g. after login, after clicking Build, etc). Whenever Jenkins tries to redirect to any page, it sends me to http:// page (not httpS://)
Jenkins URL in global configuration. It works fine for everything, except that it always redirects to http://, despite the URL saying httpS://
jenkins.xml with port configuration, however as my setup is not using Jenkins Windows service install, I simply don't have jenkins.xml
Is there a different place I can specify the parameters to Jenkins?
Jenkins URL protocol part from Global Configuration.
Jenkins.war renamed to ROOT.war is placed in Tomcat's webapps folder
bin\tomcat6.exe //RS//Instance_Name
conf\server.xml
8088, cannot use 443 for SSL as there are multiple instances running and they can't all have 443 as the only way Instances are differentiated is by port.
*.mydomain.com) that is hosted on a load balancer hardware. (I don't have access to actual file)
jenkins.mydomain.com resolves to a virtual IP on the load-balancer, which then forwards traffic to actual Windows server hosting Jenkins.
Upvotes: 16
Views: 13701
Reputation: 13424
You may need to restart the Jenkins server for the global configuration change to take effect. Jenkins CI Cookbook says (highlighting mine):
Jenkins uses Xstream (http://x-stream.github.io/) to persist its configuration into a readable XML format. The XML files in the workspace are configuration files for plugins, tasks, and an assortment of other persisted information. config.xml is the main configuration file. Security settings and global configuration are set here and reflect changes made through the GUI. Plugins use the same structure, and the XML values correspond to member values in underlying plugin classes. The GUI itself is created from XML through the Jelly framework (http://commons.apache.org/jelly/).
By restarting the server, you should be certain that any configuration changes are picked up during the initialization phase.
In addition, to make sure that no one ever accesses the Jenkins server over HTTP (e.g., stale links, typing URL manually in the browser, etc.), you can have the loadbalancer rewrite the http:// URLs into https:// URLs.
Edit: an earlier version of this answer incorrectly suggested the following:
Tomcat rewrite the http:// URLs to https:// URLs by using urlrewritefilter as suggested in this answer
which cannot be done because the SSL certificate resides on the loadbalancer which terminates the SSL connection, which means it speaks HTTP to Tomcat, so Tomcat will never see an https://
URL, so this suggestion would have caused an infinite redirect loop. (Keeping this around because otherwise the comments below won't make sense).
Upvotes: 0
Reputation: 2254
I suggest peeking around the server.xml and finding the Connector and adding secure="true" if you are doing an HTTP proxy scheme. Redirect ports may also be involved.
<Connector secure="true" port="8088" protocol="HTTP/1.1" URIEncoding="UTF-8"
connectionTimeout="20000"
/>
For reference, we run Jenkins behind 2 Apache proxies, one external and one internal:
The relevant parts of our external vhost (jenkins.host.com):
RequestHeader unset Authorization
RequestHeader set Authorization "Basic (encrypted password)"
ProxyPass / ajp://dev.internal:9101/
ProxyPassReverse / ajp://dev.internal:9101/
The relevant parts of tomcat's server.xml:
<Connector port="9001" protocol="HTTP/1.1" URIEncoding="UTF-8"
connectionTimeout="20000"
/>
<Connector port="9101" protocol="AJP/1.3" URIEncoding="UTF-8"/>
<Host name="dev.internal" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<Alias>jenkins.host.com</Alias>
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="dev.internal_access_log." suffix=".txt" rotatable="false"
pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
Upvotes: 1
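Added example, not part of either answer above: a Tomcat server.xml connector for the setup in the question, where the load balancer terminates TLS and speaks plain HTTP to Tomcat. It assumes the load balancer's public port and Tomcat's port are both 8088; scheme, secure, proxyName and proxyPort are standard Tomcat HTTP connector attributes, and the host name and port values are taken from the question.

```xml
<!-- Added example. Assumption: the load balancer accepts
     https://jenkins.mydomain.com:8088 and forwards plain HTTP to this port. -->

<!-- Before: Tomcat sees only the HTTP hop, so absolute redirect URLs
     (after login, after Build) are built with the http scheme:
     <Connector port="8088" protocol="HTTP/1.1" URIEncoding="UTF-8"
                connectionTimeout="20000" />
-->

<!-- After: tell Tomcat what the client-facing side of the proxy looks like.
     scheme    : value returned by request.getScheme(), used in redirect URLs
     secure    : value returned by request.isSecure()
     proxyName : host name reported to the web application
     proxyPort : port reported to the web application -->
<Connector port="8088" protocol="HTTP/1.1" URIEncoding="UTF-8"
           connectionTimeout="20000"
           scheme="https" secure="true"
           proxyName="jenkins.mydomain.com" proxyPort="8088" />
```

With these attributes set, Tomcat treats every request on this connector as having arrived over HTTPS, so the port should accept connections only from the load balancer.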