Jenkins / JENKINS-53748

SAML plugin skips Jenkins Proxy Configuration

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: saml-plugin
    • Labels:
      None
    • Environment:
      Jenkins LTS 2.121.x
      saml:1.0.7
    • Released As:
      saml-1.1.0

      Description

      1. Using a fake proxy like 999.999.999.999:8080 for the "Running Jenkins Behind a Proxy" configuration, and then testing a URL (https://federation.basf.com/nidp/saml2/metadata), the results are as expected: the URL is not reachable.

      2. What is not expected is that for SAML plugin configuration > Idp Metadata Test URL, it succeeded in connecting. As a result, we can determine that the SAML plugin is skipping the proxy configuration.

      3. As a workaround, I tried configuring the proxy via JVM parameters, but I got the same results as in point 2, meaning that with the fake proxy the test connection is successful:

      $> ps aux | grep jenkins
      carlosrodlop      1294   0.0  0.0  2434840    772 s002  S+    1:33PM   0:00.00 grep --color=auto jenkins
      carlosrodlop      1217   0.0 10.1  9777568 1694448 s001  S+    1:31PM   0:46.00 /usr/bin/java -Djenkins.model.Jenkins.slaveAgentPort=21942 -Djenkins.install.runSetupWizard=false -Djenkins.model.Jenkins.logStartupPerformance=true -Dhudson.TcpSlaveAgentListener.hostName=oss.example.crl -Dhttp.proxyHost=999.999.999.999 -Dhttp.proxyPort=8080 -Djava.security.egd=file:/dev/./urandom -Xdebug -Xrunjdwp:transport=dt_socket,suspend=n,server=y,address=0.0.0.0:8194 -XX:MaxPermSize=512m -Xms256m -Dhudson.DNSMultiCast.disabled=true -jar /Users/carlosrodlop/Support/labs/jenkins-home-oss/jenkins.war --httpPort=8184 --httpListenAddress=0.0.0.0
      carlosrodlop      1064   0.0  0.0  2463080   1388 s001  S+    1:31PM   0:00.03 /bin/bash /Users/carlosrodlop/code/github/carlosrodlop/support-shinobi-tools/bin/cbsupport-jenkins oss 2.138.1
      


            Activity

            ifernandezcalvo Ivan Fernandez Calvo added a comment -

            I strongly recommend not having a proxy between Jenkins and the IdP, to avoid issues with certificates, man-in-the-middle, caches, and other kinds of potential issues. You have to keep in mind that this connection is an authentication connection; it is not a web page. Putting something in the middle decreases security and makes things complex where they should be as simple as possible.

            As a workaround you can configure the Java proxy settings: https://docs.oracle.com/javase/8/docs/technotes/guides/net/proxies.html .
            Not long ago (I think it was with Jesse) I had a conversation about which would be the right setting: the plugin's proxy configuration or the JVM properties. The JVM properties win because you do not have to do anything in code. However, I am going to implement support for the plugin's proxy configuration in the next release. There is no ETA for this release, 2-4 weeks (or more, it depends on my spare time).
            carlosrodlop Carlos Rodríguez López added a comment -

            Ivan Fernandez Calvo, I forgot to mention that I tried that workaround and it didn't work either. I have included it as a new point (3) in the issue description.

            Many thanks for looking into this.
            ifernandezcalvo Ivan Fernandez Calvo added a comment - edited

            `-Dhttp.proxyHost` is not used for https connections; you have to set `-Dhttps.proxyHost`. It is not the same:

            2.2) HTTPS
            The https (http over SSL) protocol handler has its own set of properties:

            https.proxyHost
            https.proxyPort
            As you probably guessed these work in the exact same manner as their http counterparts, so we won't go into much detail except to mention that the default port number, this time, is 443 and that for the "non proxy hosts" list, the HTTPS protocol handler will use the same as the http handler (i.e. http.nonProxyHosts).
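            The per-scheme behaviour quoted in the comment above, as an added example that is not part of this issue or of the saml-plugin: a small Java program that asks the JDK's default ProxySelector which proxy it would pick for the http:// and https:// forms of the IdP metadata URL from the report, first with only the http.* properties set (the reporter's first attempt), then with the https.* properties, and finally with http.nonProxyHosts, which the HTTPS handler shares with HTTP. The proxy address 127.0.0.1:3128 is an assumed value; the properties are set programmatically here only so that the three configurations can be compared in one run, and setting them on the command line with -D behaves the same way.

```java
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.URI;
import java.util.List;

/**
 * Added example, not saml-plugin code. Shows how the JDK's default
 * ProxySelector resolves the JVM proxy properties per URL scheme, which
 * is why -Dhttp.proxyHost alone does not route an https:// metadata
 * fetch through a proxy.
 */
public class ProxyPropertyCheck {

    // Metadata URL from the report; the http:// variant is only for comparison.
    static final URI METADATA_HTTPS = URI.create("https://federation.basf.com/nidp/saml2/metadata");
    static final URI METADATA_HTTP  = URI.create("http://federation.basf.com/nidp/saml2/metadata");

    // Assumed local proxy, as in the Squid validation later in the thread.
    static final String PROXY_HOST = "127.0.0.1";
    static final String PROXY_PORT = "3128";

    /** Remove every proxy property this example touches, so each scenario starts clean. */
    static void clearProxyProperties() {
        for (String p : new String[] {"http.proxyHost", "http.proxyPort",
                                      "https.proxyHost", "https.proxyPort",
                                      "http.nonProxyHosts"}) {
            System.clearProperty(p);
        }
    }

    /**
     * Ask the default ProxySelector what it would use for this URI under the
     * current system properties. Proxy.NO_PROXY prints as "DIRECT"; a
     * configured HTTP proxy prints as "HTTP @ host:port".
     */
    static String effectiveProxy(URI uri) {
        List<Proxy> proxies = ProxySelector.getDefault().select(uri);
        return proxies.isEmpty() ? "NONE" : proxies.get(0).toString();
    }

    static void report(String scenario) {
        System.out.println(scenario);
        System.out.println("  http  -> " + effectiveProxy(METADATA_HTTP));
        System.out.println("  https -> " + effectiveProxy(METADATA_HTTPS));
    }

    public static void main(String[] args) {
        // Scenario 1: only http.* set. The https handler has its own
        // properties and does not fall back to http.proxyHost.
        clearProxyProperties();
        System.setProperty("http.proxyHost", PROXY_HOST);
        System.setProperty("http.proxyPort", PROXY_PORT);
        report("[1] http.proxyHost/http.proxyPort only");

        // Scenario 2: https.* set. Now the https metadata URL is proxied.
        clearProxyProperties();
        System.setProperty("https.proxyHost", PROXY_HOST);
        System.setProperty("https.proxyPort", PROXY_PORT);
        report("[2] https.proxyHost/https.proxyPort only");

        // Scenario 3: the exclusion list is shared. http.nonProxyHosts
        // matching the IdP host bypasses the https proxy as well.
        System.setProperty("http.nonProxyHosts", "*.basf.com");
        report("[3] https.* plus http.nonProxyHosts=*.basf.com");
    }
}
```

            Compile and run it with `javac ProxyPropertyCheck.java && java ProxyPropertyCheck`. Scenario 1 is the configuration from point 3 of the description; scenario 2 is the one the reporter later validated against a local Squid. Note that this only shows what the JDK's own URL handlers would do; a plugin that builds its HTTP client without consulting ProxySelector (or the Jenkins proxy configuration) can still bypass both, which is the defect this issue tracks.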
            ifernandezcalvo Ivan Fernandez Calvo added a comment - edited

            The current PR should resolve the issue; you can use the snapshot to test it. It will take me some days to test it or write a unit test.

            https://ci.jenkins.io/blue/organizations/jenkins/Plugins%2Fsaml-plugin/detail/PR-53/2/artifacts
            carlosrodlop Carlos Rodríguez López added a comment -

            Using https.proxyHost and https.proxyPort didn't change the behavior. I don't understand why.

            $> ps aux | grep jenkins
            carlosrodlop      2618   0.1  0.0  2434840    772 s002  S+    2:05PM   0:00.00 grep --color=auto jenkins
            carlosrodlop      2508   0.1 10.2  9780244 1713264 s001  S+    1:50PM   1:06.92 /usr/bin/java -Djenkins.model.Jenkins.slaveAgentPort=33033 -Djenkins.install.runSetupWizard=false -Djenkins.model.Jenkins.logStartupPerformance=true -Dhudson.TcpSlaveAgentListener.hostName=oss.example.crl -Dhttps.proxyHost=999.999.999.999 -Dhttps.proxyPort=8080 -Djava.security.egd=file:/dev/./urandom -Xdebug -Xrunjdwp:transport=dt_socket,suspend=n,server=y,address=0.0.0.0:8194 -XX:MaxPermSize=512m -Xms256m -Dhudson.DNSMultiCast.disabled=true -jar /Users/carlosrodlop/Support/labs/jenkins-home-oss/jenkins.war --httpPort=8184 --httpListenAddress=0.0.0.0
            carlosrodlop      2370   0.0  0.0  2454888    984 s001  S+    1:50PM   0:00.02 /bin/bash /Users/carlosrodlop/code/github/carlosrodlop/support-shinobi-tools/bin/cbsupport-jenkins oss 2.138.1
            
            ifernandezcalvo Ivan Fernandez Calvo added a comment - edited

            I dunno if it is related, but `999.999.999.999` is not a valid IP; I mean, the value of each coordinate should be between 0-255. For C type networks it is common to use 192.168.X.X or 172.20.X.X.

            https://en.wikipedia.org/wiki/IP_address
            carlosrodlop Carlos Rodríguez López added a comment -

            Thanks Ivan Fernandez Calvo!!!!

            I have used this test proxy on localhost for validation, configuring the Jenkins proxy as 127.0.0.1:3128:

            root@d60683407a97:/# tail /var/log/squid3/access.log
            1538503645.778 5422 172.17.0.1 TCP_MISS/200 22391 CONNECT federation.basf.com:443 - HIER_DIRECT/141.6.3.178 -
            1538503662.775 5408 172.17.0.1 TCP_MISS/200 22391 CONNECT federation.basf.com:443 - HIER_DIRECT/141.6.3.178 -
            

            Note that running Jenkins as

            501 10306 10168   0  8:22PM ttys002    0:27.06 /usr/bin/java -Djenkins.model.Jenkins.slaveAgentPort=24438 -Djenkins.install.runSetupWizard=false -Djenkins.model.Jenkins.logStartupPerformance=true -Dhudson.TcpSlaveAgentListener.hostName=oss.example.crl -Dhttps.proxyHost=127.0.0.1 -Dhttps.proxyPort=3128 -Djava.security.egd=file:/dev/./urandom -Xdebug -Xrunjdwp:transport=dt_socket,suspend=n,server=y,address=0.0.0.0:8194 -Xms256m -Dhudson.DNSMultiCast.disabled=true -jar /Users/carlosrodlop/Support/labs/jenkins-home-oss/jenkins.war --httpPort=8184 --httpListenAddress=0.0.0.0
            

            is also working as expected, so you were right too about using a mock proxy out of range (`999.999.999.999`).

              People

              • Assignee:
                ifernandezcalvo Ivan Fernandez Calvo
              • Reporter:
                carlosrodlop Carlos Rodríguez López
              • Votes: 0
              • Watchers: 2