[JIRA] (JENKINS-50767) Control initial crumb issuer proxy compatibility value
Vincent Latombe updated JENKINS-50767

Jenkins / JENKINS-50767 Control initial crumb issuer proxy compatibility value

Change By: Vincent Latombe
Status: In Review → Resolved
Resolution: Fixed

This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-50767) Control initial crumb issuer proxy compatibility value
SCM/JIRA link daemon commented on JENKINS-50767
Re: Control initial crumb issuer proxy compatibility value

Code changed in jenkins
User: Vincent Latombe
Path: core/src/main/java/jenkins/install/SetupWizard.java
http://jenkins-ci.org/commit/jenkins/909f55b77da1d4a0a16a818fe592504538e49430
Log: JENKINS-50767 Control crumb issuer proxy compatibility through system property (#3389)

-Djenkins.model.Jenkins.crumbIssuerProxyCompatibility=true enables proxy compatibility on startup
[JIRA] (JENKINS-50767) Control initial crumb issuer proxy compatibility value
Vincent Latombe commented on JENKINS-50767
Re: Control initial crumb issuer proxy compatibility value

Indeed.
[JIRA] (JENKINS-50767) Control initial crumb issuer proxy compatibility value
Daniel Beck commented on JENKINS-50767
Re: Control initial crumb issuer proxy compatibility value

To clarify, Azure does not offer a load balancer that does not have this problem?
[JIRA] (JENKINS-50767) Control initial crumb issuer proxy compatibility value
Vincent Latombe updated an issue

Jenkins / JENKINS-50767 Control initial crumb issuer proxy compatibility value

Change By: Vincent Latombe

The Jenkins Setup Wizard enables the CSRF protection.

By default, this takes into account the client IP.

In some setups involving reverse proxies, the client IP seen by Jenkins is not the real client IP, but the IP of the reverse proxy. Sometimes, it is due to incorrect reverse proxy configuration, but in some other cases, it is a limitation that cannot be overcome.

Examples:
* Azure Load Balancer is a Layer 4 load balancer (TCP). The IP Jenkins sees is the internal IP of the load balancer. Since it is pooled, this IP can change from request to request and cause a crumb error.
* AWS ELB using TCP listener (Layer 4): same problem.

Note: on AWS, it is possible to use an HTTP listener and it will set the HTTP header X-Forwarded-For containing the real client IP, and Jenkins doesn't need proxy compatibility. For an HTTPS deployment you have to terminate the SSL connection at the ELB level, which is not the case when using the Layer 4 load balancer.

This default setting can then cause problems (invalid crumb errors) when using the default setup.

The goal of this issue is to provide a way to enable or disable the initial state on startup using a system property.

e.g. {{-Djenkins.model.Jenkins.crumbIssuerProxyCompatibility=true}} will enable Proxy Compatibility on first startup.
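The crumb failure described in the issue text above, as a simplified model added here (not Jenkins code and not part of the original thread): the crumb is bound to the user and, unless proxy compatibility is on, to the client address the server sees. The HMAC construction, salt, user name and all addresses are constructed for illustration.

```python
import hashlib
import hmac

SALT = b"constructed-instance-salt"  # constructed value, stands in for a per-instance secret

def client_ip(remote_addr, headers):
    """Address the model binds to: first X-Forwarded-For hop if present, else the TCP peer."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else remote_addr

def issue_crumb(user, remote_addr, headers, proxy_compat):
    """Model crumb: keyed hash of the user and, unless proxy_compat, the client address."""
    parts = [user]
    if not proxy_compat:
        parts.append(client_ip(remote_addr, headers))
    return hmac.new(SALT, ";".join(parts).encode(), hashlib.sha256).hexdigest()

def validate_crumb(crumb, user, remote_addr, headers, proxy_compat):
    expected = issue_crumb(user, remote_addr, headers, proxy_compat)
    return hmac.compare_digest(crumb, expected)

def session_through_lb(peer_ips, headers, proxy_compat, user="alice"):
    """Fetch a crumb on the first request, then submit it on each later request.
    Returns one validation result per later request."""
    crumb = issue_crumb(user, peer_ips[0], headers, proxy_compat)
    return [validate_crumb(crumb, user, ip, headers, proxy_compat)
            for ip in peer_ips[1:]]

# Constructed: source addresses a pooled Layer 4 balancer presents on three requests.
L4_POOL = ["10.0.0.4", "10.0.0.7", "10.0.0.4"]
# Constructed: header an HTTP (Layer 7) listener adds with the real client address.
XFF = {"X-Forwarded-For": "203.0.113.10"}

def demo():
    return {
        # TCP listener, default setting: the crumb breaks when the pool address changes.
        "l4_default": session_through_lb(L4_POOL, {}, proxy_compat=False),
        # TCP listener, proxy compatibility on: the address is no longer part of the crumb.
        "l4_proxy_compat": session_through_lb(L4_POOL, {}, proxy_compat=True),
        # HTTP listener with X-Forwarded-For: the default setting works unchanged.
        "l7_xff_default": session_through_lb(L4_POOL, XFF, proxy_compat=False),
    }

if __name__ == "__main__":
    for scenario, results in demo().items():
        print(scenario, results)
```

With proxy compatibility on, the model's crumb validates from any source address, which is the binding the default setting provides and this option gives up.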
[JIRA] (JENKINS-50767) Control initial crumb issuer proxy compatibility value
Vincent Latombe updated an issue

Jenkins / JENKINS-50767 Control initial crumb issuer proxy compatibility value

Change By: Vincent Latombe

The Jenkins Setup Wizard enables the CSRF protection.

By default, this takes into account the client IP.

In some setups involving reverse proxies, the client IP seen by Jenkins is not the real client IP, but the IP of the reverse proxy. Sometimes, it is due to incorrect reverse proxy configuration, but in some other cases, it is a limitation that cannot be overcome.

Examples:
* Azure Load Balancer is a Layer 4 load balancer (TCP). The IP Jenkins sees is the internal IP of the load balancer. Since it is pooled, this IP can change from request to request and cause a crumb error.
* AWS ELB using TCP listener (Layer 4): same problem.

Note: on AWS, it is possible to use an HTTP listener and it will set the HTTP header X-Forwarded-For containing the real client IP, and Jenkins doesn't need proxy compatibility.

This default setting can then cause problems (invalid crumb errors) when using the default setup.

The goal of this issue is to provide a way to enable or disable the initial state on startup using a system property.

e.g. {{-Djenkins.model.Jenkins.crumbIssuerProxyCompatibility=true}} will enable Proxy Compatibility on first startup.
[JIRA] (JENKINS-50767) Control initial crumb issuer proxy compatibility value
Vincent Latombe updated JENKINS-50767

Jenkins / JENKINS-50767 Control initial crumb issuer proxy compatibility value

Change By: Vincent Latombe
Status: In Progress → In Review
[JIRA] (JENKINS-50767) Control initial crumb issuer proxy compatibility value
Vincent Latombe created an issue

Jenkins / JENKINS-50767 Control initial crumb issuer proxy compatibility value

Issue Type: Improvement
Assignee: Unassigned
Components: core
Created: 2018-04-12 15:21
Priority: Minor
Reporter: Vincent Latombe

The Jenkins Setup Wizard enables the CSRF protection.

By default, this takes into account the client IP.

In some setups involving reverse proxies, the client IP seen by Jenkins is not the real client IP, but the IP of the reverse proxy. Sometimes, it is due to incorrect reverse proxy configuration, but in some other cases, it is a limitation that cannot be overcome.

This default setting can then cause problems (invalid crumb errors) when using the default setup.

The goal of this issue is to provide a way to enable or disable the initial state on startup using a system property.

e.g. -Djenkins.model.Jenkins.crumbIssuerProxyCompatibility=true will enable Proxy Compatibility on first startup.
[JIRA] (JENKINS-50767) Control initial crumb issuer proxy compatibility value
Vincent Latombe assigned an issue to Vincent Latombe

Jenkins / JENKINS-50767 Control initial crumb issuer proxy compatibility value

Change By: Vincent Latombe
Assignee: Vincent Latombe
[JIRA] (JENKINS-50767) Control initial crumb issuer proxy compatibility value
Vincent Latombe started work on JENKINS-50767

Change By: Vincent Latombe
Status: Open → In Progress