Bug
Resolution: Not A Defect
Minor
None
Hello,
I have a Jenkins running behind an Apache reverse proxy which does SSL termination.
I configured a "resource root URL" so I can open PDF build artefacts in the browser. But if I try to access the artifact URL, I get an "HTTP ERROR 404 Not found" response from Jetty.
I have this problem on Debian Buster with Jenkins 2.222.4 and also with the latest Docker image.
Steps with which I just reproduced this issue:
Setup Jenkins:
    docker run -p 8080:8080 -p 50000:50000 jenkins/jenkins:latest
Setup Apache:
    apt install apache2
    a2enmod ssl
    a2enmod proxy
    a2enmod proxy_http
Apache config (without instructions to set up SSL certificates, because I already had them):
    <VirtualHost *:80>
        ServerName jenkins
        Redirect / https://jenkins/
    </VirtualHost>

    <VirtualHost *:80>
        ServerName jenkins-ressources
        Redirect / https://jenkins-ressources/
    </VirtualHost>

    <VirtualHost *:443>
        ServerName jenkins
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/
        SSLEngine on
        SSLCertificateFile "/etc/ssl/private/testing/cert.pem"
        SSLCertificateKeyFile "/etc/ssl/private/testing/privkey.pem"
        SSLCertificateChainFile "/etc/ssl/private/testing/chain.pem"
    </VirtualHost>

    <VirtualHost *:443>
        ServerName jenkins-ressources
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/
        SSLEngine on
        SSLCertificateFile "/etc/ssl/private/testing/cert.pem"
        SSLCertificateKeyFile "/etc/ssl/private/testing/privkey.pem"
        SSLCertificateChainFile "/etc/ssl/private/testing/chain.pem"
    </VirtualHost>
Jenkins URL: https://jenkins/
Resource root URL: https://jenkins-ressources/
Create a simple job with the shell command echo "test" > test.pdf and a Post-Action which archives "*".
If I click on the resulting artifact (http://jenkins/job/test/7/artifact/test.pdf) I get a redirect to https://jenkins-ressources/static-files/_aAcXOgKhpXSEENcNicNRH0Aa4FOEw6VZ9yx0bI87nIxNTkwNzUzNDc3ODQyOjU6YWRtaW46am9iL3Rlc3QvOC9hcnRpZmFjdA==/test.pdf
There I get:
    HTTP ERROR 404 Not Found
    URI: /static-files/_aAcXOgKhpXSEENcNicNRH0Aa4FOEw6VZ9yx0bI87nIxNTkwNzUzNDc3ODQyOjU6YWRtaW46am9iL3Rlc3QvOC9hcnRpZmFjdA==/test.pdf
    STATUS: 404
    MESSAGE: Not Found
    SERVLET: Stapler
    Powered by Jetty:// 9.4.27.v20200227
If I use "http://jenkins-ressources/" (without SSL) as the resource root URL, it does load the PDF.
This way it does a double redirect, from https://jenkins/job/test/8/artifact/test.pdf to http://jenkins-ressources/static-files/_aAcXOgKhpXSEENcNicNRH0Aa4FOEw6VZ9yx0bI87nIxNTkwNzUzNDc3ODQyOjU6YWRtaW46am9iL3Rlc3QvOC9hcnRpZmFjdA==/test.pdf
to https://jenkins-ressources/static-files/_aAcXOgKhpXSEENcNicNRH0Aa4FOEw6VZ9yx0bI87nIxNTkwNzUzNDc3ODQyOjU6YWRtaW46am9iL3Rlc3QvOC9hcnRpZmFjdA==/test.pdf
This "works" but would expose the artefact URL via unencrypted http-to-https redirect.
I looked at the traffic which goes to the Jenkins container. In both cases the request looks identical, so I don't think that Apache adds strange headers or anything else which breaks this feature.
This is the header for both cases, but with http it gives an HTTP 200 and with https an HTTP 404:
GET /static-files/_aAcXOgKhpXSEENcNicNRH0Aa4FOEw6VZ9yx0bI87nIxNTkwNzUzNDc3ODQyOjU6YWRtaW46am9iL3Rlc3QvOC9hcnRpZmFjdA==/test.pdf HTTP/1.1
Host: jenkins-ressources
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 100.124.xxx.yyy
X-Forwarded-Host: jenkins-ressources
X-Forwarded-Server: jenkins-ressources
Connection: Keep-Alive
So I guess Jenkins just doesn't like it if the resource root URL is for https but it doesn't terminate SSL itself.
Can this be fixed or is there a secure workaround?
Best regards,
Christian
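
An added diagnostic, not part of the original report and not Jenkins code: it compares the origin a backend would infer from the captured request with the configured resource root URL. It assumes the backend takes the scheme from an X-Forwarded-Proto header (plain http when absent) and requires scheme, host and port to match; the function names and the TOKEN placeholder are illustrative.

```python
from urllib.parse import urlsplit

# Request from the report, shortened: TOKEN is a placeholder for the long path segment.
CAPTURED = (
    "GET /static-files/TOKEN/test.pdf HTTP/1.1\r\n"
    "Host: jenkins-ressources\r\n"
    "X-Forwarded-For: 100.124.xxx.yyy\r\n"
    "X-Forwarded-Host: jenkins-ressources\r\n"
    "X-Forwarded-Server: jenkins-ressources\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
DEFAULT_PORT = {"http": 80, "https": 443}

def parse_headers(raw):
    """Return the request headers as a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def origin(scheme, netloc):
    """Normalise scheme + host[:port] to a (scheme, host, port) tuple."""
    parts = urlsplit(f"{scheme}://{netloc}")
    return (scheme, parts.hostname, parts.port or DEFAULT_PORT.get(scheme))

def perceived_origin(raw):
    """Origin as seen behind the TLS-terminating proxy (assumed behaviour):
    scheme from X-Forwarded-Proto, host from X-Forwarded-Host or Host."""
    h = parse_headers(raw)
    scheme = h.get("x-forwarded-proto", "http").split(",")[0].strip().lower()
    host = h.get("x-forwarded-host", h.get("host", "")).split(",")[0].strip()
    return origin(scheme, host)

def matches_resource_root(raw, root_url):
    """True when the perceived origin equals the configured root URL's origin."""
    root = urlsplit(root_url)
    return perceived_origin(raw) == origin(root.scheme.lower(), root.netloc)

def with_header(raw, name, value):
    """Insert a header as the proxy could, e.g. with Apache mod_headers:
    RequestHeader set X-Forwarded-Proto "https"."""
    request_line, _, rest = raw.partition("\r\n")
    return f"{request_line}\r\n{name}: {value}\r\n{rest}"
```
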