Jenkins reports reverse proxy setup incorrect with Apache using virtual hosts with SNI

apache-2.2 Jenkins sni virtualhost

I'm setting up a Jenkins server, to run under Tomcat behind Apache. I'm using virtual hosts with SSL using SNI so I can access it at https://jenkins.example.com, and serve something else on, say, http://www.example.com.

I've got it up and running, but when I click "Manage Jenkins", it tells me "It appears your reverse proxy setup is broken."

Note that I'm using a self-signed SSL certificate, and jenkins.example.com is not the default virtual host.

The relevant Apache config looks like this:

<VirtualHost *:80>
  ServerName jenkins.example.com
  Redirect / https://jenkins.example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName jenkins.example.com

  SSLEngine on

  SSLCertificateFile    /etc/ssl/certs/jenkins.example.com.crt
  SSLCertificateKeyFile /etc/ssl/private/jenkins.example.com.key

  <Location />
    AuthType Digest
    AuthName "Jenkins"
    AuthUserFile "/etc/htpasswords"
    Require valid-user
  </Location>

  ProxyRequests     Off
  ProxyPreserveHost On

  <Proxy http://localhost:8080*>
    Order deny,allow
    Allow from all
  </Proxy>

  ProxyPass         /  http://localhost:8080/
  ProxyPassReverse  /  http://localhost:8080/
  ProxyPassReverse  /  https://jenkins.example.com

</VirtualHost>

If I do:

curl --user "username:password" --digest -k https://jenkins.example.com/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test -L

Then I see the output:

<div/>

If I run wget with debug, then I see that at some point wget gets a pointer to http instead of https; not sure why that's happening or if it's related, but it does redirect properly:

---response begin---
HTTP/1.1 302 Moved Temporarily
Date: Tue, 17 Jan 2012 19:47:16 GMT
Server: Apache-Coyote/1.1
Location: http://jenkins.example.com/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test-for-reverse-proxy-setup
Content-Length: 0
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/plain

I'm running on Ubuntu 11.04, Apache 2.2.17, Tomcat 6.0.28, Jenkins 1.448.

Best Answer

The one issue that I see with your config is that:

ProxyPassReverse  /  https://jenkins.example.com

Should be:

ProxyPassReverse  /  https://jenkins.example.com/

Seems like the service is sending http:// instead of https:// location headers (probably because your connection to its listener from Apache is unencrypted on the localhost listener), in which case you'll need to add:

ProxyPassReverse  /  http://jenkins.example.com/

So, what's probably occurring currently is the API call is failing because it gets an http:// address in the Location: header of the redirect (which is missed for un-translation in the ProxyPassReverse because it's not http).

It sends the request to that location and gets another redirect response, from your <VirtualHost *:80>. Their validity checker knows that ain't right and errors, while curl follows one more redirect and gets a valid response.

Add the ProxyPassReverse for http:// above and this should correct the issue, if I'm right.
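
The Location rewriting discussed in the answer, as an added example that is not part of the original post: a simplified Python model of ProxyPassReverse. It assumes the directive does a case-insensitive prefix match on the backend's Location value and replaces the matched prefix with the public URL of the virtual host; the function names and the /manage sample path are constructed for illustration.

```python
# Simplified model of how ProxyPassReverse maps a backend Location header.
# Assumption: the first rule whose backend URL is a case-insensitive prefix of
# the header wins; that prefix is replaced by the public base URL plus the
# rule's local path. Anything unmatched passes through unchanged.

PUBLIC_BASE = "https://jenkins.example.com"  # scheme and host of the *:443 vhost

# (local path, backend URL) pairs, in the order posted in the question
QUESTION_RULES = [
    ("/", "http://localhost:8080/"),
    ("/", "https://jenkins.example.com"),  # no trailing slash, as posted
]

# The same rules with both changes from the answer applied
ANSWER_RULES = [
    ("/", "http://localhost:8080/"),
    ("/", "https://jenkins.example.com/"),
    ("/", "http://jenkins.example.com/"),
]

# Location value from the wget trace in the question
BACKEND_LOCATION = (
    "http://jenkins.example.com/administrativeMonitor/"
    "hudson.diagnosis.ReverseProxySetupMonitor/test-for-reverse-proxy-setup"
)


def rewrite_location(location, rules, public_base=PUBLIC_BASE):
    """Return the Location value the client sees after reverse mapping."""
    for local_path, backend_url in rules:
        if location.lower().startswith(backend_url.lower()):
            return public_base + local_path + location[len(backend_url):]
    return location


def leaves_tls(location):
    """True when following the redirect would take the client to plain http."""
    return location.lower().startswith("http://")


if __name__ == "__main__":
    for name, rules in (("question", QUESTION_RULES), ("answer", ANSWER_RULES)):
        seen = rewrite_location(BACKEND_LOCATION, rules)
        print(f"{name}: {seen} (leaves TLS: {leaves_tls(seen)})")
    # Constructed sample path: the slash-less rule doubles the slash.
    print(rewrite_location("https://jenkins.example.com/manage", QUESTION_RULES))
```

With the question's rules the http:// Location reaches the client unchanged, which is the extra hop through the *:80 virtual host that the answer describes.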