On Sun, Apr 27, 2014 at 09:54:30PM -0700, Scott Hendrickson wrote: > After some effort, I finally got Apache with an SSL connection to correctly > proxy to Jenkins at localhost:8080/jenkins. There were two issues: > > (1) The AllowEncodedSlashes setting is not inherited by virtual hosts, and > virtual hosts are used in many default Apache configurations, such as the > one in Ubuntu. The workaround is to add the AllowEncodedSlashes setting > inside a VirtualHost container (/etc/apache2/sites-available/default in > Ubuntu). ( this text was copied from here: > http://stackoverflow.com/questions/4390436/need-to-allow-encoded-slashes-on-apache > ). > An Apache bug (#46830) was opened and fixed. However, it is still an issue > in Apache 2.4.7 on Ubuntu. > > When only declared globally, Jenkins reports that the reverse proxy setup > is broken. It might be worth mentioning this as a possible cause > here: > https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+says+my+reverse+proxy+setup+is+broken
This is potentially useful. (It didn't even occur to me to put any Jenkins-specific configuration *outside* my <VirtualHost> directive.) > (2) Some pages returned absolute links (e.g., > "http://localhost:8080/jenkins/..."; ) rather than relative links. > Specifically, go to Jenkins' "People" page and select a user. The user's > icon is broken. To fix this, I added an output filter that made any > absolute links relative. I didn't have this problem. > Here's my final Apache configuration file: > > # The following directive is not inherited by virtual hosts and *must* > additionally be copied to each virtual host declaration > AllowEncodedSlashes NoDecode > > # Jenkins must be configured with prefix "/jenkins" and port 8080 > <Proxy http://localhost:8080/jenkins*> > Order deny,allow > Allow from all > </Proxy> > <Location /jenkins> > ProxyPass http://localhost:8080/jenkins nocanon > ProxyPassReverse http://localhost:8080/jenkins You're missing ProxyPreserveHost On and my guess is that's why you need to work around invalid links with your output filers and 'Header edit Location' > Header edit Location ^http://([^/]+)/jenkins https://$1/jenkins > > # This fixes absolute links to http://localhost:8080/jenkins > AddOutputFilterByType INFLATE;SUBSTITUTE;DEFLATE text/html > Substitute "s|http://localhost:8080/|/|n" > > Order deny,allow > Allow from all > Require all granted This is weird: Order deny,allow Allow from all is Apache 2.0/2.2 syntax, no longer supported in 2.4 unless you enable a compatibility module (which Debian/Ubuntu load by default). Require all granted is Apache 2.4 syntax, not supported in 2.2. Why have both? > </Location> Marius Gedminas -- EMACS is a good OS. The only thing it lacks is a decent text-editor.
signature.asc
Description: Digital signature
