Some comments on https://issues.jenkins-ci.org/browse/JENKINS-43666 suggest that proxy_buffering off; is needed for SSL connections. (I was also testing nginx reverse proxies in the past and have that setting in my SSL config; might have forgotten to update the SSL docs with my findings) Try setting that option, and if it works I can update the SSL section of the wiki page.

> On Oct 26, 2017, at 5:43 PM, 'Tomasz Chmielewski' via Jenkins Users
> <[email protected]> wrote:
>
> nginx vhost is almost the exact copy of the vhost on
> https://wiki.jenkins.io/display/JENKINS/Jenkins+behind+an+NGinX+reverse+proxy:
>
> upstream jenkins {
>     server 127.0.0.1:8080 fail_timeout=0;
> }
>
> server {
>
>     listen 80;
>     server_name jenkins.my-domain;
>
>     add_header X-Frame-Options SAMEORIGIN;
>     include /etc/nginx/release.conf;
>
>     access_log /var/log/nginx/redirects-access.log vhosts;
>     error_log /var/log/nginx/redirects-error.log;
>
>     rewrite ^ https://$host$request_uri? permanent;
> }
>
>
> server {
>
>     listen 443 ssl;
>
>     server_name jenkins.my-domain;
>
>     ssl_certificate ssl/my-domain.crt;
>     ssl_certificate_key ssl/my-domain.key;
>     ssl_dhparam ssl/dhparam-2048.pem;
>     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
>     add_header X-Frame-Options SAMEORIGIN;
>
>     access_log /var/log/nginx/jenkins.my-domain.access.log;
>     error_log /var/log/nginx/jenkins.my-domain.error.log;
>
>     location / {
>         proxy_set_header Host $host:$server_port;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_redirect http:// https://;
>         proxy_pass http://jenkins;
>         # Required for new HTTP-based CLI
>         proxy_http_version 1.1;
>         proxy_request_buffering off;
>         # workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651
>         add_header 'X-SSH-Endpoint' 'jenkins.my-domain:22' always;
>     }
> }
>
>
> So either I'm blind, or the documentation is somehow wrong?
>
> And indeed, I can see "java.io.IOException: HTTP full-duplex channel timeout"
> in jenkins log.
>
> This one indeed works:
>
> java -jar jenkins-cli.jar -s http://localhost:8080 -auth user:pass help offline-node
>
> But since I need to execute it from remote, I'd rather connect to
> https://jenkins.my-domain
>
>
> On Friday, October 27, 2017 at 6:26:39 AM UTC+9, Devin Nusbaum wrote:
> Make sure to follow
> https://wiki.jenkins.io/display/JENKINS/Running+Jenkins+behind+Nginx if
> Nginx is configured as a reverse proxy.
>
> Notably proxy_http_version 1.1; and proxy_request_buffering off; are
> required for your version of Jenkins. (If your Jenkins logs at the time you
> try to connect via CLI have errors that say something to the effect of
> “Full-duplex channel timeout” then I expect those settings to fix it.)
>
>> On Oct 26, 2017, at 5:18 PM, 'Tomasz Chmielewski' via Jenkins Users
>> <jenkins...@googlegroups.com> wrote:
>>
>> Except... it doesn't seem to work.
>>
>> $ java -jar jenkins-cli.jar -s https://jenkins-url -auth user:pass help offline-node
>> $ echo $?
>> 255
>>
>> In nginx log:
>>
>> 10.11.0.8 - user [26/Oct/2017:21:11:51 +0000] "GET / HTTP/1.1" 200 150393 "-" "Java/1.8.0_131"
>> 10.11.0.8 - user [26/Oct/2017:21:11:52 +0000] "GET /crumbIssuer/api/xml/?xpath=concat(//crumbRequestField,\x22:\x22,//crumb) HTTP/1.1" 404 335 "-" "Java/1.8.0_131"
>> 10.11.0.8 - user [26/Oct/2017:21:12:07 +0000] "POST /cli?remoting=false HTTP/1.1" 200 11 "-" "Java/1.8.0_131"
>> 10.11.0.8 - user [26/Oct/2017:21:12:07 +0000] "POST /cli?remoting=false HTTP/1.1" 500 13912 "-" "Java/1.8.0_131"
>>
>> How do I debug this?
>>
>>
>>
>> On Friday, October 27, 2017 at 6:07:03 AM UTC+9, Tomasz Chmielewski wrote:
>> Got it, thanks:
>>
>> https://wiki.jenkins.io/display/JENKINS/Jenkins+CLI
>>
>> On Friday, October 27, 2017 at 5:57:18 AM UTC+9, Robert Hales wrote:
>> You have to use the Jenkins CLI. I guess that can be a bit confusing. It
>> isn't a script available to run at the command line. Jenkins has their own
>> CLI. If you google for it, you will find the details pretty easily.
>>
>> On Thursday, October 26, 2017 at 2:55:07 PM UTC-6, Tomasz Chmielewski wrote:
>> Hmm, where do I find "offline-node" command?
>>
>> root@jenkins:~# dpkg -L jenkins
>> /.
>> /usr
>> /usr/share
>> /usr/share/doc
>> /usr/share/doc/jenkins
>> /usr/share/doc/jenkins/changelog.gz
>> /usr/share/doc/jenkins/copyright
>> /usr/share/jenkins
>> /usr/share/jenkins/jenkins.war
>> /etc
>> /etc/logrotate.d
>> /etc/logrotate.d/jenkins
>> /etc/default
>> /etc/default/jenkins
>> /etc/init.d
>> /etc/init.d/jenkins
>> /var
>> /var/cache
>> /var/cache/jenkins
>> /var/lib
>> /var/lib/jenkins
>> /var/log
>> /var/log/jenkins
>>
>> root@jenkins:~# find / -name offline-node
>>
>> root@jenkins:~#
>>
>> root@jenkins:~# dpkg -l | grep jenkins
>> ii jenkins 2.73.2 (...)
>>
>>
>>
>> On Friday, October 27, 2017 at 12:21:17 AM UTC+9, Robert Hales wrote:
>> In the CLI, use the 'offline-node' command. Another useful command in what
>> it looks like you want to do might be "wait-offline-node".
>>
>> You could also create a groovy script to do it and run that from the REST
>> API.
>>
>> On Thursday, October 26, 2017 at 3:35:29 AM UTC-6, Tomasz Chmielewski wrote:
>> Is there a CLI/scripted way to stop scheduling any new builds on a given
>> node?
>>
>> Basically, any builds currently running on a given node should continue to
>> run until they are finished -- and no new builds should be started.
>>
>> Think of "retiring" a node, and replacing it with a new one -- but allowing
>> any existing jobs to finish gracefully.
>>
>>
>>
>> Tomasz Chmielewski
>> https://lxadm.com
>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Jenkins Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/jenkinsci-users/a19302b1-6ed1-44bb-b65b-28868a64708b%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
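
One way to check a vhost for the settings named in this thread, as an added example that is not part of the original messages or the Jenkins wiki: it parses nginx configuration text and reports, for each location that uses proxy_pass, which of the three directives are not effectively set, counting values inherited from enclosing blocks. The names `WANTED`, `SAMPLE`, `proxy_locations` and `audit` and the trimmed sample config are constructed for illustration, and `include` files are not followed.

```python
import re

# Settings named in this thread for the HTTP-based Jenkins CLI behind nginx;
# "proxy_buffering off" is the suggestion being tried, not a confirmed fix.
WANTED = {"proxy_http_version": "1.1", "proxy_request_buffering": "off", "proxy_buffering": "off"}
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[{};]|[^\s{};"'#]+''')

# Constructed sample: the SSL server block from the quoted vhost, trimmed.
SAMPLE = """
server {
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    location / {
        proxy_pass http://jenkins;
        # Required for new HTTP-based CLI
        proxy_http_version 1.1;
        proxy_request_buffering off;
    }
}
"""

def proxy_locations(conf):
    """Return (location args, live scope dicts outermost-first) per proxying location."""
    stack, stmt, found = [([], {})], [], []  # root scope = top-level directives
    for tok in TOKEN.findall(conf):
        if tok == "{":
            stack.append((stmt, {}))
            stmt = []
        elif tok == ";":
            if stmt:
                stack[-1][1][stmt[0]] = stmt[1:]
            stmt = []
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            header, own = stack.pop()
            if header[:1] == ["location"] and "proxy_pass" in own:
                found.append((" ".join(header[1:]), [s for _, s in stack] + [own]))
            stmt = []
        elif not tok.startswith("#"):  # comments are dropped, quotes stripped
            stmt.append(tok[1:-1] if tok[0] in "\"'" else tok)
    return found

def audit(conf):
    """Map each proxying location to the WANTED directives it does not effectively set."""
    report = {}
    for name, chain in proxy_locations(conf):
        effective = {k: v for scope in chain for k, v in scope.items()}
        report[name] = sorted(k for k, v in WANTED.items() if effective.get(k) != [v])
    return report
```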
