Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-21989

ReverseProxySetupMonitor broken in Jenkins release 1.552

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Minor
    • Resolution: Not A Defect
    • Component/s: core
    • Labels:
      None
    • Environment:
      OS: SuSE Linux Enterprise Server 11 SP3 x86_64
      Apache Tomcat 6.0.37
      Reverse proxy: Apache Web Server 2.2.12 Release 1.40.1
    • Similar Issues:

      Description

      After upgrading Jenkins from 1.551 to 1.552, the Manage Jenkins screen has the message "It appears that your reverse proxy set up is broken." The reverse proxy configuration has been correctly working before the upgrade.

      The test URI
      /jenkins/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test
      is redirecting to
      /jenkins/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/a%2Fb/
      which is giving a 404 error.

      In previous versions of Jenkins, it redirected to
      /jenkins/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test-for-reverse-proxy-setup
      which returned 200 OK.

      I am using Apache Web Server with mod_proxy_ajp as a reverse proxy in front of the Tomcat serving Jenkins.

        Attachments

          Activity

          Hide
          danielbeck Daniel Beck added a comment - - edited

          Here's a great test case: Access Jenkins directly, not through the reverse proxy. If it works without this message showing up, your reverse proxy is broken.

          If you use Apache as reverse proxy, it needs to be at least 2.2.18 and set the option AllowEncodedSlashes NoDecode (earlier versions only have values On and Off, both of which are wrong); as well as nocanon in the ProxyPass directive.

          Both need to be set within the VirtualHost, as AllowEncodedSlashes isn't inherited.

          Example:

          <VirtualHost *:80>
                  AllowEncodedSlashes NoDecode
                  ServerName build.example.org
                  ProxyPass         /  http://localhost:8080/ nocanon
                  ProxyPassReverse  /  http://localhost:8080/
                  ProxyRequests     Off
          </VirtualHost>
          
          Show
          danielbeck Daniel Beck added a comment - - edited Here's a great test case: Access Jenkins directly, not through the reverse proxy. If it works without this message showing up, your reverse proxy is broken. If you use Apache as reverse proxy, it needs to be at least 2.2.18 and set the option AllowEncodedSlashes NoDecode (earlier versions only have values On and Off , both of which are wrong); as well as nocanon in the ProxyPass directive. Both need to be set within the VirtualHost , as AllowEncodedSlashes isn't inherited. Example: <VirtualHost *:80> AllowEncodedSlashes NoDecode ServerName build.example.org ProxyPass / http: //localhost:8080/ nocanon ProxyPassReverse / http: //localhost:8080/ ProxyRequests Off </VirtualHost>
          Hide
          danielbeck Daniel Beck added a comment -

          Not a defect, valid Apache reverse proxy configuration posted in earlier comment.

          Show
          danielbeck Daniel Beck added a comment - Not a defect, valid Apache reverse proxy configuration posted in earlier comment.
          Hide
          zeha Christian Hofstaedtler added a comment -

          For nginx, the config change apparently is as follows: (plus this needs nginx 1.1.12 or newer)

          Bad config:

           
                          proxy_pass        http://127.0.0.1:9000/;
          

          Good config:

           
                          proxy_pass        http://127.0.0.1:9000;
          

          (Note the removed trailing slash.)

          This is documented behaviour in nginx, but not really obvious.

          Show
          zeha Christian Hofstaedtler added a comment - For nginx, the config change apparently is as follows: (plus this needs nginx 1.1.12 or newer) Bad config: proxy_pass http: //127.0.0.1:9000/; Good config: proxy_pass http: //127.0.0.1:9000; (Note the removed trailing slash.) This is documented behaviour in nginx, but not really obvious.
          Hide
          tduong Townsend Duong added a comment -

          Thanks for the update and sample configuration. The NoDecode value is not available in the Apache version in SLES11SP3, but I confirmed that it solves the problem if I use a newer version of Apache.

          Show
          tduong Townsend Duong added a comment - Thanks for the update and sample configuration. The NoDecode value is not available in the Apache version in SLES11SP3, but I confirmed that it solves the problem if I use a newer version of Apache.
          Hide
          jpschewe jpschewe added a comment -

          I've got Apache 2.2.22 with the config below and I'm getting the error from Jenkins that my reverse proxy isn't setup properly. Accessing the instance directly does not show the error.

          ProxyPass         /jenkins/  http://localhost:8042/jenkins/ nocanon
          ProxyPassReverse  /jenkins/  http://localhost:8042/jenkins/
          ProxyRequests     Off
          AllowEncodedSlashes NoDecode
          
          # Local reverse proxy authorization override
          # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu)
          <Proxy http://localhost:8042/jenkins>
            Order deny,allow
            Allow from all
          </Proxy>
          
          Show
          jpschewe jpschewe added a comment - I've got Apache 2.2.22 with the config below and I'm getting the error from Jenkins that my reverse proxy isn't setup properly. Accessing the instance directly does not show the error. ProxyPass /jenkins/ http://localhost:8042/jenkins/ nocanon ProxyPassReverse /jenkins/ http://localhost:8042/jenkins/ ProxyRequests Off AllowEncodedSlashes NoDecode # Local reverse proxy authorization override # Most unix distribution deny proxy by default (ie /etc/apache2/mods-enabled/proxy.conf in Ubuntu) <Proxy http://localhost:8042/jenkins> Order deny,allow Allow from all </Proxy>

            People

            • Assignee:
              Unassigned
              Reporter:
              tduong Townsend Duong
            • Votes:
              9 Vote for this issue
              Watchers:
              16 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: