Ssl – Apache reverse proxy config with SSL for Jenkins and Sonar

apache-2.2, apache-2.4, Jenkins, ssl, ssl-certificate

I am running two services behind an Apache server: Jenkins (Port 8080) and SonarQube (Port 9000).

My apache config looks like this:

<VirtualHost *:80>
  ServerName server
  Redirect permanent / https://server.domain.com/
</VirtualHost>

<VirtualHost *:80>
  ServerName server.domain.com
  Redirect permanent / https://server.domain.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName server.domain.com

  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/server.crt
  SSLCertificateKeyFile /etc/ssl/private/server.key

  ProxyPass        /jenkins http://localhost:8080/jenkins nocanon
  ProxyPassReverse /jenkins http://localhost:8080/jenkins
  ProxyPassReverse /jenkins http://server.domain.com/jenkins
  ProxyPassReverse /jenkins https://server.domain.com/jenkins

  ProxyPass        /sonar http://localhost:9000/sonar nocanon
  ProxyPassReverse /sonar http://localhost:9000/sonar

  AllowEncodedSlashes NoDecode
  ProxyRequests Off
  ProxyPreserveHost On
  <Proxy http://localhost:8080/*>
    Order deny,allow
    Allow from all
  </Proxy>
</VirtualHost>

Everything seems to be working fine, except that Jenkins is complaining with this message: It appears that your reverse proxy set up is broken.

When I run the ReverseProxySetupMonitor test provided by Jenkins, the error message indicates that something with the reverse proxy is not set up correctly, as it does not replace http with https:

$ curl -iLk -e https://server.domain.com/jenkins/manage https://server.domain.com/jenkins/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test
[...]
404 http://server.domain.com/jenkins/manage vs. https://server.domain.com/jenkins/manage
[...]

This only appeared after I enabled SSL on the server (which is now using a self-signed certificate).

Question:
How do I fix the reverse proxy setup so that Jenkins is happy? Bonus points for tips on how to improve the apache config file.

I already checked the following two related questions:

Best Answer

This page on the Jenkins wiki gives the recommended configuration for a Jenkins reverse proxy as of July 2014. The missing parameters are RequestHeader set X-Forwarded-Proto "https" and RequestHeader set X-Forwarded-Port "443".

So the configuration became:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/cert.pem
    ServerAdmin  webmaster@localhost
    ProxyRequests     Off
    ProxyPreserveHost On
    AllowEncodedSlashes NoDecode
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass         /  http://localhost:8080/ nocanon
    ProxyPassReverse  /  http://localhost:8080/
    ProxyPassReverse  /  http://www.example.com/
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
</VirtualHost>
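
Why the two RequestHeader lines clear the monitor's complaint, as an added example that is not part of the original answer and not Jenkins source code: a simplified Python model, assumed for illustration, of a backend rebuilding its public URL from the headers Apache forwards. The function names and the sample request are constructed; the host name and the /jenkins path are taken from the question.

```python
# Simplified model (an assumption, not Jenkins source code): behind a proxy
# that terminates TLS the backend only sees plain HTTP, so it rebuilds its
# public URL from Host plus X-Forwarded-Proto / X-Forwarded-Port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def apache_forward(client_headers, set_forwarded):
    """Headers the backend receives from the *:443 vhost."""
    headers = dict(client_headers)  # ProxyPreserveHost On keeps Host as sent
    if set_forwarded:
        # "RequestHeader set" replaces any value the client sent itself.
        headers["X-Forwarded-Proto"] = "https"
        headers["X-Forwarded-Port"] = "443"
    return headers


def backend_root_url(headers, context_path):
    """Public root URL as the backend reconstructs it from the headers."""
    scheme = headers.get("X-Forwarded-Proto", "http")
    host, _, host_port = headers["Host"].partition(":")
    port = int(headers.get("X-Forwarded-Port") or host_port or DEFAULT_PORTS[scheme])
    netloc = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return f"{scheme}://{netloc}{context_path}"


def proxy_check(client_headers, context_path, set_forwarded):
    """Compare the backend's URL for /manage with the browser's Referer."""
    seen = apache_forward(client_headers, set_forwarded)
    computed = backend_root_url(seen, context_path) + "/manage"
    return computed == client_headers["Referer"], computed


# Constructed request using the host name and path from the question.
REQUEST = {"Host": "server.domain.com",
           "Referer": "https://server.domain.com/jenkins/manage"}
# Same request with a client-supplied header that the proxy must not trust.
SPOOFED = dict(REQUEST, **{"X-Forwarded-Proto": "http"})

if __name__ == "__main__":
    cases = [("question's vhost", REQUEST, False),
             ("answer's headers", REQUEST, True),
             ("answer's headers, client sent its own", SPOOFED, True)]
    for name, req, fixed in cases:
        ok, url = proxy_check(req, "/jenkins", fixed)
        print(f"{name}: {'ok' if ok else 'MISMATCH'} {url} vs. {req['Referer']}")
```

Without the forwarded headers the model produces the same http vs. https mismatch the curl test reports; with them the URLs agree, and because the directive is `set`, a value sent by the client is overwritten before it reaches the backend.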