Why does Jenkins say my reverse proxy setup is broken?

Question

I installed Jenkins 2.32.2 on an Ubuntu 16.04 machine and configured Apache proxy as described on their wiki.

I changed these lines in /etc/default/jenkins:

HTTP_PORT=8380

JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=$HTTP_PORT --prefix=/jenkins"

With these, I can access Jenkins at http://myhost:8380/jenkins/

For the proxy, I created the file /etc/apache2/conf-available/jenkins.conf with this content:

ProxyPass         /jenkins  http://myhost:8380/jenkins nocanon
ProxyPassReverse  /jenkins  http://myhost:8380/jenkins
ProxyRequests     Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode

# Local reverse proxy authorization override
# Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
<Proxy http://myhost:8380/jenkins*>
  Order deny,allow
  Allow from all
</Proxy>

Then I enabled the configuration (with sudo a2enconf jenkins) and restarted Apache. Now I can access Jenkins at http://myhost/jenkins.

In principle it's OK, but in the "Manage Jenkins" page I get a message saying "It appears that your reverse proxy set up is broken." with a link to a wiki page with possible solutions.

One of the suggestions was to try this for diagnosis:

curl -iL -e http://myhost/jenkins/manage http://myhost/jenkins/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test

This is the output:

HTTP/1.1 403 Forbidden
Date: Thu, 16 Feb 2017 07:01:00 GMT
Server: Jetty(9.2.z-SNAPSHOT)
X-Content-Type-Options: nosniff
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
X-Hudson: 1.395
X-Jenkins: 2.32.2
X-Jenkins-Session: 7b3e99ac
X-You-Are-Authenticated-As: anonymous
X-You-Are-In-Group: 
X-Required-Permission: hudson.model.Hudson.Read
X-Permission-Implied-By: hudson.security.Permission.GenericRead
X-Permission-Implied-By: hudson.model.Hudson.Administer
Content-Length: 973
Set-Cookie: JSESSIONID.34f83688=1rkbqf12ykw0w1clnm0l7cc9l6;Path=/jenkins;HttpOnly

<html><head><meta http-equiv='refresh' content='1;url=/jenkins/login?from=%2Fjenkins%2FadministrativeMonitor%2Fhudson.diagnosis.ReverseProxySetupMonitor%2Ftest'/><script>window.location.replace('/jenkins/login?from=%2Fjenkins%2FadministrativeMonitor%2Fhudson.diagnosis.ReverseProxySetupMonitor%2Ftest');</script></head><body style='background-color:white; color:white;'>


Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:

Permission you need to have (but didn't): hudson.model.Hudson.Read
 ... which is implied by: hudson.security.Permission.GenericRead
 ... which is implied by: hudson.model.Hudson.Administer
-->

</body></html>

Is that anonymous/403 a problem? In Jenkins, I get the error while being logged in.

I also checked "Jenkins Location / Jenkins URL" in settings, and it's OK: http://myhost/jenkins/

Answer 1

I had this problem.

You need to look at /var/log/jenkins/jenkins.log

In my case I had

WARNING h.d.ReverseProxySetupMonitor#getTestForReverseProxySetup: http://myhost/manage vs. https:%2F%2Fmyhost%2Fmanage

The trick is that both url should be the same. As can be seen, in my case, there was 2 problems:

the encoding of the slash, this has been sorted by adding nocanon at the end of ProxyPass.

ProxyPass / http://localhost:8083/ nocanon

the https became http, this has been sorted by adding the following line

RequestHeader set X-Forwarded-Proto https