Jenkins does not redirect to HTTPS

Problem

I am using Jenkins over HTTPS/SSL (configuration details below). I can easily go to https://jenkins.mydomain.com:8088. All links are correct with https:// in front of them. I can navigate correctly across almost all Jenkins pages.

Except when Jenkins tries to redirect (for example, after logging in, after clicking Build, etc.). Whenever Jenkins tries to redirect to any page, it sends me to the http:// page (not https://).

What I tried

  • I tried to set the Jenkins URL setting in the global configuration. It works fine for everything except that it always redirects to http://, despite the fact that the URL is https://
  • I tried following the instructions here regarding changing jenkins.xml with the port configuration. However, since my installation does not use the Jenkins Windows service installation, I just do not have jenkins.xml. Is there any other place where I can specify Jenkins parameters?
  • I tried to understand what “mod_proxy with HTTPS” means, but I do not have a virtual host configuration. And besides, my Tomcat installation is not one that handles SSL. The problem, apparently, exists only in the Jenkins redirect mechanism, which ignores part of the Jenkins URL protocol from the global configuration.

Jenkins setup

  • Apache Tomcat runs on Windows
    • Jenkins.war , renamed to ROOT.war , is placed in the Tomcat webapps folder
    • Executing bin\tomcat6.exe //RS//Instance_Name
    • Configurable using Tomcat Windows Monitoring Service
  • Several instances are configured on this computer that differ in different Tomcat folders and different Tomcat ports under the corresponding conf\server.xml
  • I inherited this setting. I do not know why they did not use their own installation package with the Windows service. There are multiple instances of Jenkins on this computer (across multiple instances of the Tomcat service). Attempting to change the installation type for all of these instances will result in an unacceptable amount of downtime.
  • Jenkins port 8088, cannot use 443 for SSL, because several instances are running, and they cannot all have 443, because the only way instances are differentiated is through the port.

SSL setup

  • We have a global SSL certificate ( *.mydomain.com ) that is hosted on load balancing equipment. (I do not have access to the actual file)
  • There is no SSL on the real Windows server hosting Jenkins.
  • DNS for jenkins.mydomain.com resolves to the virtual IP address on the load balancer, which then forwards it to the real Windows server hosting Jenkins.
  • There is nothing wrong with this setting; it works great for all other sites. This SSL setting is also great for our Jenkins instance.
+6
2 answers

I suggest looking into server.xml, finding the Connector, and adding secure="true" if you are using an HTTP proxy scheme. Redirection ports may also be involved.

 <Connector secure="true" port="8088" protocol="HTTP/1.1" URIEncoding="UTF-8" connectionTimeout="20000" /> 

For reference, we run Jenkins behind two Apache proxies, one external and one internal:

Relevant parts of our external vhost (jenkins.host.com):

    RequestHeader unset Authorization
    RequestHeader set Authorization "Basic (encrypted password)"
    ProxyPass / ajp://dev.internal:9101/
    ProxyPassReverse / ajp://dev.internal:9101/

Relevant parts of tomcat server.xml:

    <Connector port="9001" protocol="HTTP/1.1" URIEncoding="UTF-8" connectionTimeout="20000" />
    <Connector port="9101" protocol="AJP/1.3" URIEncoding="UTF-8"/>
    <Host name="dev.internal" appBase="webapps" unpackWARs="true" autoDeploy="true">
      <Alias>jenkins.host.com</Alias>
      <!-- SingleSignOn valve, share authentication between web applications
           Documentation at: /docs/config/valve.html -->
      <!-- <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> -->
      <!-- Access log processes all example.
           Documentation at: /docs/config/valve.html
           Note: The pattern used is equivalent to using pattern="common" -->
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="dev.internal_access_log." suffix=".txt" rotatable="false"
             pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    </Host>
+1
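
What each connector attribute changes when TLS ends at the load balancer, as in the question: an added example, not code from either answer or from Tomcat. `redirect_base` is a simplified model of how a servlet container builds the origin of a redirect; the second connector (port 8089) is constructed for comparison, and the Host header value is an assumption about what the load balancer forwards.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's connector, then one that also declares the
# external scheme, name and port. Host name and port 8088 are from the question.
SERVER_XML = """
<Server><Service name="Catalina">
  <Connector secure="true" port="8088" protocol="HTTP/1.1"
             URIEncoding="UTF-8" connectionTimeout="20000" />
  <Connector secure="true" scheme="https" port="8089" protocol="HTTP/1.1"
             proxyName="jenkins.mydomain.com" proxyPort="8088"
             URIEncoding="UTF-8" connectionTimeout="20000" />
</Service></Server>
"""

DEFAULT_PORT = {"http": "80", "https": "443"}


def redirect_base(conn, host_header):
    """Simplified model of the origin a servlet container puts in front of a
    relative redirect: connector scheme, then proxyName/proxyPort if set,
    otherwise whatever the Host header said."""
    scheme = conn.get("scheme", "http")           # Tomcat's default is "http"
    host, _, port = host_header.partition(":")
    host = conn.get("proxyName", host)
    port = conn.get("proxyPort", port or DEFAULT_PORT[scheme])
    suffix = "" if port == DEFAULT_PORT[scheme] else ":" + port
    return f"{scheme}://{host}{suffix}"


def audit(server_xml, host_header):
    """Return (connector port, redirect base, findings) per HTTP connector."""
    report = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            continue                              # AJP forwards the front end's scheme
        findings = []
        if conn.get("scheme", "http") != "https":
            findings.append("scheme is not https: redirects leave TLS")
        if conn.get("secure") != "true":
            findings.append("secure is not true: isSecure() returns false")
        report.append((conn.get("port"), redirect_base(conn, host_header), findings))
    return report


if __name__ == "__main__":
    for port, base, findings in audit(SERVER_XML, "jenkins.mydomain.com:8088"):
        print(port, base, findings or "ok")
```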

You may need to restart the Jenkins server to change the global configuration. Jenkins CI Cookbook says (highlights mine):

Jenkins uses Xstream ( http://x-stream.imtqy.com/ ) to save its configuration in a readable XML format. XML files in the workspace are configuration files for plugins, tasks, and a number of other stored information. config.xml is the main configuration file. Security settings and global configuration are set here, as well as changes made to the graphical interface. Plugins use the same structure, and XML values correspond to member values in the base classes of plugins. The GUI itself is created from XML through the Jelly framework ( http://commons.apache.org/jelly/ ).

By restarting the server, you can be sure that any configuration changes will be picked up at the initialization stage.

In addition, to make sure that no one ever accesses the Jenkins server via HTTP (for example, outdated links, manually entering a URL in a browser, etc.), you can force the load balancer to rewrite http:// URLs to https:// URLs.


Edit: An earlier version of this answer incorrectly suggested the following:

Tomcat rewrites the http:// URL to https:// using urlrewritefilter as suggested in this answer

which cannot work because the SSL certificate is on a load balancer that terminates the SSL connection, which means it speaks HTTP to Tomcat, so Tomcat would never see the https:// URL, so this suggestion would cause an infinite redirect loop. (Keeping this, because otherwise the comments below do not make sense.)

+1

Source: https://habr.com/ru/post/969402/

