  1. Jenkins
  2. JENKINS-44239

IIS Reverse Proxy: It appears that your reverse proxy set up is broken

    • Type: Bug
    • Resolution: Not A Defect
    • Priority: Minor
    • core
    • None

      Sorry, I'm not certain how to classify this problem. We're not sure if it's an incompatibility with IIS (bug), or just a documentation issue.

      We're in the process of setting up a new Jenkins server behind an IIS reverse proxy on Windows Server 2012 R2 Datacenter 64-bit and we can't get rid of the "It appears that your reverse proxy set up is broken" message.

      I'll preface this by saying that we have not yet seen any problems other than the error message, but we assume the error is there for a reason. We have not yet installed any plugins other than the maven release plugin plugin, and we've only done some rudimentary maven and pipeline jobs.  We've also verified that a Windows slave seems to be working fine (tested using a simple pipeline job).

      The "It appears that your reverse proxy set up is broken" message appears on the Jenkins "Manage Jenkins" page. Nothing else appears to be wrong. This is on a new Jenkins install with no pre-existing configuration.

      We'd like help finding a working configuration for the IIS reverse proxy. We've set it up for many, many other java web applications on Tomcat without issues. Jenkins is the only one we're having this issue with, and we're not sure what it's complaining about.

      If someone can help with a working configuration, we're happy to document it in the Jenkins wiki. There are no instructions for configuring an IIS reverse proxy that we could find.

      Details:

      Tomcat connector on port 8080.
      IIS and Jenkins are on the same server.
      We want to present an external URL of "https://our.server.name"

      We installed Jenkins as "ROOT.war" so that Jenkins is accessible from the localhost at "http://localhost:8080"

      We configured the Jenkins Location/Jenkins URL in Jenkins' "Configure System" as "https://our.server.name/" (Jenkins insists on appending the trailing "/" when we save the configuration).

      Here's our IIS web.config file:

      <?xml version="1.0" encoding="UTF-8"?>
      <configuration>
          <system.webServer>
              <security>
                  <requestFiltering allowDoubleEscaping="true" />
              </security>
              <rewrite>
                  <rules>
                      <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                          <match url="(.*)" />
                          <action type="Rewrite" url="http://localhost:8080/{R:1}" />
                          <serverVariables>
                              <set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
                              <set name="HTTP_X_FORWARDED_SCHEMA" value="https" />
                              <set name="HTTP_X_FORWARDED_PROTO" value="https" />
                          </serverVariables>
                      </rule>
                  </rules>
              </rewrite>        
          </system.webServer>
      </configuration>
      

      Here's the connector configuration in Tomcat's server.xml:

      <Connector port="8080" protocol="HTTP/1.1"
        connectionTimeout="20000"
        URIEncoding="UTF-8"
        redirectPort="8443"
        proxyName="our.server.name" scheme="https" proxyPort="443" />
      

      We're authenticating against an AD server using Jenkins' LDAP configuration. That's working fine.

      There is just one related warning in jenkins-stderr.2017-05-03.log:

      03-May-2017 09:14:34.521 WARNING [Handling GET /administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/https:/our.server.name/manage/ from 0:0:0:0:0:0:0:1 : http-nio-8080-exec-3] hudson.diagnosis.ReverseProxySetupMonitor.getTestForReverseProxySetup https://our.server.name/manage vs. https:
      

      Here’s the contents of Tomcat's localhost_access_log.2017-05-03.txt around the reverse proxy test:

      0:0:0:0:0:0:0:1 - - [03/May/2017:09:14:34 -0600] "GET /administrativeMonitor/jenkins.diagnostics.URICheckEncodingMonitor/checkURIEncoding?value=%E5%9F%B7%E4%BA%8B HTTP/1.1" 200 6
      0:0:0:0:0:0:0:1 - - [03/May/2017:09:14:34 -0600] "POST /administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test HTTP/1.1" 302 -
      0:0:0:0:0:0:0:1 - - [03/May/2017:09:14:34 -0600] "GET /static/82168ce8/images/16x16/error.png HTTP/1.1" 200 543
      0:0:0:0:0:0:0:1 - - [03/May/2017:09:14:34 -0600] "GET /administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/https:/our.server.name/manage/ HTTP/1.1" 404 1116
      

      Note the 404 response on that last entry. Could that be a URL encoding issue (e.g. should the colon and forward slashes in the URL after "testForReverseProxySetup/" be encoded)? Anybody know how to fix that with IIS?

            Assignee: Unassigned
            Reporter: Terry Lacy (tlacy)
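A log check for the encoding question raised in the report, as an added example that is not part of the original issue or of Jenkins: it parses Tomcat access-log lines and flags reverse-proxy self-test requests whose embedded URL reached Tomcat with literal ':' and '/' characters and failed. The function names are hypothetical; the first four sample lines are the ones quoted in the report, and the last one is constructed for contrast.

```python
import re

# Tomcat access-log line: host ident user [time] "METHOD path PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+$'
)
MARKER = "ReverseProxySetupMonitor/testForReverseProxySetup/"

def inspect(line):
    """Return a finding dict for a reverse-proxy self-test request, else None."""
    m = LINE_RE.match(line.strip())
    if not m or MARKER not in m["path"]:
        return None
    embedded = m["path"].split(MARKER, 1)[1]
    return {
        "status": int(m["status"]),
        "embedded": embedded,
        # ':' or an inner '/' means the separators reached Tomcat unencoded
        "literal_separators": ":" in embedded or "/" in embedded.rstrip("/"),
        "percent_encoded": bool(re.search(r"%3a|%2f", embedded, re.I)),
        # "https:/host" instead of "https://host": one slash was lost on the way
        "collapsed_slash": bool(
            re.match(r"^[a-z][a-z0-9+.-]*:/(?!/)", embedded, re.I)),
    }

def suspicious(lines):
    """Self-test requests that arrived with literal separators and failed."""
    findings = [f for f in map(inspect, lines) if f]
    return [f for f in findings if f["literal_separators"] and f["status"] >= 400]

PREFIX = '0:0:0:0:0:0:0:1 - - [03/May/2017:09:14:34 -0600] '
MON = "/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor"
SAMPLE = [
    PREFIX + '"GET /administrativeMonitor/jenkins.diagnostics.URICheckEncodingMonitor'
             '/checkURIEncoding?value=%E5%9F%B7%E4%BA%8B HTTP/1.1" 200 6',
    PREFIX + '"POST ' + MON + '/test HTTP/1.1" 302 -',
    PREFIX + '"GET /static/82168ce8/images/16x16/error.png HTTP/1.1" 200 543',
    PREFIX + '"GET ' + MON + '/testForReverseProxySetup/https:/our.server.name/manage/'
             ' HTTP/1.1" 404 1116',
    # Constructed line: same URL arriving as one percent-encoded path segment
    PREFIX + '"GET ' + MON + '/testForReverseProxySetup/'
             'https%3A%2F%2Four.server.name%2Fmanage/ HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for f in suspicious(SAMPLE):
        print(f["status"], f["embedded"], "collapsed_slash=%s" % f["collapsed_slash"])
```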