  1. Jenkins
  2. JENKINS-39234

User identified as Tomcat's unix user id when using Kerberos SSO behind reverse proxy


      Description

      Jenkins, Active Directory connectivity, and Kerberos are set up and working well (including Single Sign-On through Kerberos) when accessing Jenkins directly (http://servername.domain:8080).

      When accessing Jenkins through a reverse proxy (Nginx) running on the same host (performs SSL offloading) the user is identified as the Unix user that runs the Tomcat process instead of the actual user. In our case the Jenkins Tomcat runs as Unix user id 'tomcat', thus all logged in users are identified as 'tomcat'.

      Interestingly this happens only when accessing Jenkins through the reverse proxy.

      With Kerberos SSO plugin disabled, login works well when accessing through the reverse proxy.

      I'm attaching the Nginx configuration for reference.

          Activity

          olivergondza Oliver Gondža added a comment -

          Can this be caused by turning on the "Allow Localhost" option, so it considers the request coming from nginx to be a local client? Presumably, this feature is meant for administrators to bypass the authentication by gaining access to the server. If it is not, can you sniff the wire log of such a request between client and the proxy and between proxy and Jenkins and compare the difference? I suspect nginx is modifying the headers or not letting them through.

          dhs Dirk Heinrichs added a comment - - edited

          Just ran into this and got it solved by using all the "proxy_set_header" directives from this post.

          Ended up using this (quite simple) config snippet:

              location / {
                  proxy_pass_request_headers on;
                  proxy_set_header   X-Real-IP $remote_addr;
                  proxy_set_header   Host      $http_host;
                  proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_set_header   X-Forwarded-Host $http_host;
                  proxy_set_header   X-Forwarded-Server $host;
                  proxy_pass         http://127.0.0.1:8080;
              }

          My original (non-working) version didn't set the "X-Forwarded-*" headers.
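The capture comparison suggested in the first comment can be done mechanically. The following is an added example, not part of the original thread or of the Jenkins project: it diffs the headers of one request as seen on the client-to-proxy leg and on the proxy-to-Jenkins leg. Both captures are constructed sample data (the upstream one reflects nginx's default `Host` and `Connection` handling when no `proxy_set_header` lines are present), and the function names are hypothetical.

```python
# Added example: diff the headers of one request captured on both sides of a proxy.
# Both captures are constructed sample data, not traffic from this issue.
CLIENT_TO_PROXY = """\
GET / HTTP/1.1
Host: jenkins.example.test
User-Agent: curl/8.0 (constructed)
Accept: */*
Authorization: Negotiate Q09OU1RSVUNURUQ=
"""

PROXY_TO_JENKINS = """\
GET / HTTP/1.0
Host: 127.0.0.1:8080
Connection: close
User-Agent: curl/8.0 (constructed)
Accept: */*
authorization: Negotiate Q09OU1RSVUNURUQ=
"""

def parse_headers(raw):
    """Return {lowercased-name: value} from a raw HTTP request head."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:              # skip the request line
        if not line.strip():
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue                    # not a header line
        key = name.strip().lower()      # header names are case-insensitive
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def diff_headers(before_raw, after_raw):
    """Report headers the proxy dropped, added, or rewrote."""
    before, after = parse_headers(before_raw), parse_headers(after_raw)
    common = sorted(before.keys() & after.keys())
    return {
        "dropped": sorted(before.keys() - after.keys()),
        "added": sorted(after.keys() - before.keys()),
        "changed": {k: (before[k], after[k]) for k in common if before[k] != after[k]},
    }

if __name__ == "__main__":
    for kind, items in diff_headers(CLIENT_TO_PROXY, PROXY_TO_JENKINS).items():
        # Print names only so a real Authorization token never lands in a log.
        print(f"{kind}: {', '.join(items) or '-'}")
```

In this constructed pair the `Authorization: Negotiate` header survives the proxy, while `Host` is rewritten to the upstream address and no `X-Forwarded-*` headers appear, which is the kind of difference the comparison is meant to surface.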


            People

            • Assignee:
              t_westling Tomas Westling
              Reporter:
              stephan Stephan Austermühle