Reverse proxy - HAProxy

This site is the new docs site currently being tested. For the actual docs in use please go to https://www.jenkins.io/doc.

In situations where you want a user friendly URL, different public ports, or to terminate SSL connections before they reach Jenkins, you may find it useful to run Jenkins (or the servlet container that Jenkins runs in) behind HAProxy. This section discusses some of the approaches for doing this.

This 6 minute video tutorial from Darin Pope configures an HAProxy reverse proxy.

Configuring an HAProxy reverse proxy

Plain HTTP

Using HAProxy 2.6.7, here is an example HAProxy.cfg to proxy over plain HTTP:

# If you already have an haproxy.cfg file, you can probably leave the
# global and defaults section as-is, but you might need to increase the
# timeouts so that long-running CLI commands will work.
global
    maxconn 4096
    log stdout local0 debug

defaults
   log global
   option httplog
   option dontlognull
   option forwardfor
   maxconn 20
   timeout connect 5s
   timeout client 60s
   timeout server 60s

frontend http-in
  log stdout format raw local0 debug #for additional logging
  bind *:80
  mode http
  acl prefixed-with-jenkins  path_beg /jenkins
  # Use http-request redirect prefix to add /jenkins prefix to URL's location
  # to ensure jenkins base url (context path) is working properly.
  http-request redirect code 301 prefix /jenkins unless prefixed-with-jenkins
  use_backend jenkins if prefixed-with-jenkins

backend jenkins
  log stdout format raw local0 debug
  mode http
  server jenkins1 127.0.0.1:8080 check
  http-request replace-path /jenkins(/)?(.*) /\2
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Host %[req.hdr(Host)]

This assumes Jenkins is running locally on port 8080.

This assumes that you are using the /jenkins context path for both the site exposed from HAProxy and Jenkins itself. If this is not the case, you will need to adjust the configuration. Refer to the HAProxy documentation on traffic routing for more information.

If you are experiencing the following error when attempting to run long CLI commands in Jenkins, and Jenkins is running behind HAProxy, it is probably due to HAProxy timing out the CLI connection. You can increase the timeout client and timeout server settings as necessary so the command will complete successfully.

WARNING: null
hudson.cli.DiagnosedStreamCorruptionException
Read back: 0x00 0x00 0x00 0x1e 0x07
           'Started reverse-proxy-test #68'
           0x00 0x00 0x00 0x01 0x07 0x0a
Read ahead:
Diagnosis problem:
    java.io.IOException: Premature EOF
        at sun.net.www.http.ChunkedInputStream.readAheadBlocking(ChunkedInputStream.java:565)
        ...
    at hudson.cli.FlightRecorderInputStream.analyzeCrash(FlightRecorderInputStream.java:82)
    at hudson.cli.PlainCLIProtocol$EitherSide$Reader.run(PlainCLIProtocol.java:153)
Caused by: java.io.IOException: Premature EOF
    at sun.net.www.http.ChunkedInputStream.readAheadBlocking(ChunkedInputStream.java:565)
    ...
    at java.io.DataInputStream.readInt(DataInputStream.java:387)
    at hudson.cli.PlainCLIProtocol$EitherSide$Reader.run(PlainCLIProtocol.java:111)

With SSL

Using HAProxy 2.6.7, here is an example HAProxy.cfg to connect to the proxy using SSL, terminate the SSL connection, and then talk to Jenkins using plain HTTP:

# If you already have an haproxy.cfg file, you can probably leave the
# global and defaults section as-is, but you might need to increase the
# timeouts so that long-running CLI commands will work.

global
    maxconn 4096
    log stdout local0 debug

defaults
   log global
   option httplog
   option dontlognull
   option forwardfor
   maxconn 20
   timeout connect 5s
   timeout client 5m
   timeout server 5m

frontend http-in
  log stdout format raw local0 debug
  bind *:80
  bind *:443 ssl crt /usr/local/etc/haproxy/ssl/server.pem
  mode http
  acl prefixed-with-jenkins  path_beg /jenkins
  http-request redirect code 301 prefix /jenkins unless prefixed-with-jenkins
  redirect scheme https if !{ ssl_fc } # Redirect http requests to https
  use_backend jenkins if prefixed-with-jenkins

backend jenkins
  log stdout format raw  local0 debug
  mode http
  server jenkins1 127.0.0.1:8080 check
  http-request replace-path /jenkins(/)?(.*) /\2
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Host %[req.hdr(Host)]

Context path

The context path is the prefix of a URL path. The Jenkins controller and the reverse proxy must use the same context path. For example, if the Jenkins controller URL is https://www.example.com/jenkins/ then the --prefix=/jenkins argument must be included in the Jenkins controller command line arguments.

Set the context path when using the Linux packages by running systemctl edit jenkins and adding the following:

[Service]
Environment="JENKINS_PREFIX=/jenkins"

Set the context path on Windows controllers by including the --prefix command line argument in the jenkins.xml file in the installation directory.

Ensure that Jenkins is running at the context path where your reverse proxy is serving Jenkins. You will have the least pain if you keep to this principle.

The --prefix command line argument is not needed if the context path is empty. For example, the URL https://jenkins.example.com/ has an empty context path.