Jenkins / Apache Reverse Proxy Error - apache

I am running into an issue that seems to be fairly common based off of my searches, however I've followed all the instructions and/or fixes I've run into but none have worked for me so I'm asking this hoping someone can guide me in the right direction.
I have Jenkins 1.644 installed on OS X 10.11.2 from Homebrew. I followed these instructions on how to install and get it set up inside OS X Server 5.0.15 Websites (I believe this version of OS X Server is running Apache 2.4.16).
The problem: When I connect to the manage console in Jenkins, I get the error message "It appears that your reverse proxy set up is broken." and a link to this jenkins doc.
Hitting http://127.0.0.1:8080/manage does not produce the error.
I have added the proxy settings to my virtual host file like so:
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8080/ nocanon
ProxyPassReverse / http://localhost:8080/
ProxyPassReverse / http://jenkins.exampledomain.com/
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
When I do the test curl:
curl -iLk -e https://jenkins.exampledomain.com/manage \
https://jenkins.exampledomain.com/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test
I get the following results:
HTTP/1.1 302 Found
Date: Fri, 22 Jan 2016 06:30:57 GMT
Server: Jetty(winstone-2.9)
X-Content-Type-Options: nosniff
Location: https://jenkins.exampledomain.com/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/https%3A%2F%2Fjenkins.exampledomain.com%2Fmanage/
Content-Length: 0
MS-Author-Via: DAV
HTTP/1.1 404 Not Found
Date: Fri, 22 Jan 2016 06:30:57 GMT
Server: Apache/2.4.16 (Unix) OpenSSL/0.9.8zg
Content-Length: 325
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/https://jenkins.exampledomain.com/manage/ was not found on this server.</p>
</body></html>
Clearly that address is on this server because I can enter the management console by going to the correct address.
I'm stuck... Apache configuration is not my strong point. I'm looking for any help.
--EDIT More Info--
Adding the full virtual host file from the /Library/Server/Web/Config/apache2/sites directory for further detail.
<VirtualHost 127.0.0.1:34543>
ServerName https://jenkins.exampledomain.com:443
ServerAdmin admin@example.com
DocumentRoot "/Library/Server/Web/Data/Sites/jenkins.exampledomain.com"
DirectoryIndex index.html index.php default.html
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log
<IfModule mod_ssl.c>
SSLEngine On
SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
SSLProtocol -ALL +TLSv1
SSLProxyEngine On
SSLCertificateFile "/etc/certificates/machine.local.certCA1FileLocation.pem"
SSLCertificateKeyFile "/etc/certificates/machine.local.certCA2FileLocation.key.pem"
SSLCertificateChainFile "/etc/certificates/machine.local.certCA3FileLocation.chain.pem"
SSLProxyProtocol -ALL +TLSv1
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
</IfModule>
<Directory "/Library/Server/Web/Data/Sites/jenkins.exampledomain.com">
Options All -Indexes -ExecCGI -Includes +MultiViews
AllowOverride None
<IfModule mod_dav.c>
DAV Off
</IfModule>
<IfDefine !WEBSERVICE_ON>
Require all denied
ErrorDocument 403 /customerror/websitesoff403.html
</IfDefine>
</Directory>
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8080/ nocanon
ProxyPassReverse / http://localhost:8080/
ProxyPassReverse / http://jenkins.exampledomain.com/
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
</VirtualHost>
--EDIT 2 Another Finding--
I have noticed by attempting to curl to the 'not found' url above that indeed the server is reporting it not found. If I hit https://jenkins.exampledomain.com/manage/ I will get a 404. However, if I leave off the trailing /, it works. https://jenkins.exampledomain.com/manage is successful. Hopefully this means something to someone!
Thanks

I know this is an old question, but I was having the same problem with the error:
HTTP ERROR 404
Problem accessing /administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/https%3A%2F%2Fbuild.scopeitconsulting.com%2Fmanage/. Reason:
http://build.domain.com/manage vs. https://build.domain.com/manage
I was able to solve my problem by including the two lines from the author's question:
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
So here is my relevant section from a working ssl.conf configuration in case it helps anybody. I am running Jenkins on port 8080 at the root context with http but reverse proxying it behind Apache enforcing https.
ProxyPass / http://localhost:8080/ nocanon
ProxyPassReverse / http://localhost:8080/
ProxyPassReverse / http://build.domain.com/
ProxyPassReverse / https://build.domain.com/
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
<Proxy http://localhost:8080/>
Order deny,allow
Allow from all
</Proxy>
I hope this helps somebody who like me has spent way too much time trying to find a working configuration to resolve the error.

You need to add the line below to the catalina.properties file. Updating the Apache configuration itself is not sufficient.
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
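A check for the Apache settings this thread ties to the "reverse proxy set up is broken" message, as an added example (not code from the posts or from Jenkins). The function names, the `tls_frontend` parameter and the BROKEN sample are assumptions made for illustration; WORKING is the proxy section quoted in the answer above.

```python
import re

# Proxy section from the working ssl.conf quoted in the answer above.
WORKING = """\
ProxyPass / http://localhost:8080/ nocanon
ProxyPassReverse / http://localhost:8080/
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
"""

# Constructed counter-example: the same section with the key settings missing.
BROKEN = """\
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
ProxyRequests On
ProxyPreserveHost On
"""

def directives(conf):
    """Return [(name, [args])] in lower case, skipping comments and <Section> tags."""
    out = []
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = re.findall(r'"[^"]*"|\S+', line)
            out.append((name.lower(), [a.strip('"').lower() for a in args]))
    return out

def check_jenkins_proxy(conf, tls_frontend=True):
    """List the settings this page ties to the broken-reverse-proxy warning."""
    seen = directives(conf)
    findings = []
    if any(n == "proxypass" and "!" not in a and "nocanon" not in a for n, a in seen):
        findings.append("ProxyPass without nocanon: path is re-canonicalised before forwarding")
    if ("allowencodedslashes", ["nodecode"]) not in seen:
        findings.append("AllowEncodedSlashes is not NoDecode: %2F is refused or decoded")
    if tls_frontend and ("requestheader", ["set", "x-forwarded-proto", "https"]) not in seen:
        findings.append("X-Forwarded-Proto https not set: backend sees http, not https")
    if ("proxyrequests", ["on"]) in seen:
        findings.append("ProxyRequests On: server also acts as a forward proxy")
    return findings
```

An empty result means the Apache side carries the settings discussed here; a servlet container that rejects encoded slashes on its own, as the last answer describes for Tomcat, is outside what this check sees.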

Related

How to solve forbidden error for mp3 files in apache?

I am working on a project built on Spring Boot. So now I am trying to access mp3 files deployed on the Apache web server at the path /home/tomcat/webapps/example/WEB-INF/classes/static/public/example-content/Chapter-1/Audio/1.mp3. But I am getting a 403 status with a forbidden error. I have configured my project for a port 443 virtual host and given all permissions to the folders and files as well.
Below is the virtual host configuration:
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
SSLEngine on
SSLCertificateFile /home/cert/example/ssl.cer
SSLCertificateKeyFile /home/cert/example/private.key
SSLCertificateChainFile /home/cert/example/caclient.cer
DocumentRoot /home/tomcat/webapps/example
<Directory /home/tomcat/webapps/example/WEB-INF/classes/static/public/example-content/Chapter-1/Audio>
Options -Indexes +FollowSymLinks +MultiViews
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ProxyRequests on
ProxyPass / http://localhost:9111/example/
ProxyPassReverse / http://localhost:9111/example/
ProxyPassReverseCookiePath /example /
ProxyPassReverseCookieDomain example.com www.example.com
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
</VirtualHost>
But I am still getting the same error each time. I don't know where I am making a mistake. If you have any suggestions or solutions, please let me know.

LocationMatch not matching like Location (Apache 2.4)

I'm trying to understand what is going on with LocationMatch. Right now I have a Location similar to the following,
<Location "/context">
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443
ProxyPreserveHost On
ProxyPass http://example.com/context retry=0 connectiontimeout=300 timeout=300
ProxyPassReverse http://example.com/context
</Location>
Next I change only Location to LocationMatch, as below, and that works fine.
<LocationMatch "/context">
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443
ProxyPreserveHost On
ProxyPass http://example.com/context retry=0 connectiontimeout=300 timeout=300
ProxyPassReverse http://example.com/context
</LocationMatch>
But as soon as I introduce a regular expression this no longer matches correctly. For example, I want to match paths starting with /context,
<LocationMatch "^/context">
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443
ProxyPreserveHost On
ProxyPass http://example.com/context retry=0 connectiontimeout=300 timeout=300
ProxyPassReverse http://example.com/context
</LocationMatch>
I've been through the documentation multiple times and can't seem to figure out why this regex doesn't match. I've also seen SOQs like Apache LocationMatch matching urls starting with... but this regex doesn't work. I have a single VirtualHost on a vanilla Ubuntu apache2 install with this single LocationMatch. The entire conf file looks like this,
ProxyRequests off
PassEnv HTTPD_SERVER_NAME HTTPD_SERVER_ADMIN SSL_CERTIFICATE_FILE SSL_CERTIFICATE_KEY_FILE
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile ${SSL_CERTIFICATE_FILE}
SSLCertificateKeyFile ${SSL_CERTIFICATE_KEY_FILE}
Protocols h2 http/1.1
ServerName ${HTTPD_SERVER_NAME}
ServerAdmin ${HTTPD_SERVER_ADMIN}
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
# Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Older versions
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
# Requires Apache >= 2.4.11
SSLSessionTickets Off
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
<LocationMatch "^/context">
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443
ProxyPreserveHost On
ProxyPass http://example.com/context retry=0 connectiontimeout=300 timeout=300
ProxyPassReverse http://example.com/context
</LocationMatch>
</VirtualHost>
My question is, should <LocationMatch "^/context"> match URLs starting with /context? For example, https://mydomain/context? And if this should match, any idea what else could be interfering? I'm on version 2.4.41, but I've seen this behavior since at least 2.4.6. Thanks
According to the Apache docs on the ProxyPass directive:
When used inside a <Location> section, the first argument is omitted
and the local directory is obtained from the <Location>. The same will
occur inside a <LocationMatch> section; however, ProxyPass does not
interpret the regexp as such, so it is necessary to use ProxyPassMatch
in this situation instead.
If I understand this correctly, it's not that your <Location> regex is invalid, it's just that your <ProxyPass> doesn't interpret it as a regex. So use <ProxyPassMatch> instead.
Also, this SO question led me to some other pages which support the idea that <LocationMatch> and <ProxyPass> are incompatible with each other:
As indicated by this comment and this page, I need to replace
ProxyPass [with] ProxyPassMatch when using that inside a LocationMatch block
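The matching rules at issue in this thread, as an added example (not from the original posts): a simplified Python model of which request paths `<Location>` and `<LocationMatch>` select, and of how a ProxyPassMatch rule builds the backend URL. The helper names, the sample paths and the `^/context(/.*)?$` rule are assumptions made for illustration.

```python
import re

def location_matches(prefix, path):
    """<Location prefix>: literal prefix that must end on a path-segment boundary."""
    if prefix.endswith("/"):
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")

def locationmatch_matches(regex, path):
    """<LocationMatch regex>: unanchored regex search over the URL path."""
    return re.search(regex, path) is not None

def proxypassmatch_target(regex, target, path):
    """Simplified ProxyPassMatch: on a match, fill $1..$9 in target from the groups."""
    m = re.search(regex, path)
    if m is None:
        return None  # no match: this rule does not proxy the request
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", target)

# Constructed request paths; only /context and /context/... are meant to be proxied.
PATHS = ["/context", "/context/job/1", "/contextual", "/other/context"]

def coverage(paths=PATHS):
    """Per path: (Location /context, LocationMatch /context, ^/context, ^/context(/|$))."""
    return {p: (location_matches("/context", p),
                locationmatch_matches("/context", p),
                locationmatch_matches("^/context", p),
                locationmatch_matches("^/context(/|$)", p)) for p in paths}

# Hypothetical ProxyPassMatch arguments with a fixed scheme and host, so the
# client controls only the part of the path captured by $1.
RULE = (r"^/context(/.*)?$", "http://example.com/context$1")

if __name__ == "__main__":
    for path, row in coverage().items():
        print(f"{path:16} {row} -> {proxypassmatch_target(*RULE, path)}")
```

In this model `^/context` does match `/context`, and it also matches `/contextual`, so a pattern that ends on `/` or end-of-path is what keeps the proxied scope equal to the plain `<Location "/context">` block.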

Why following proxy does not bypass X-Frame-Options header?

I need to show some sites in an iframe and I cannot do that directly as some of those sites have the header X-Frame-Options set to 'SAMEORIGIN'. As a way to bypass this I tried using a reverse proxy in Apache. Below is my Apache configuration:
<VirtualHost *:80>
ServerName google.local
ProxyRequests Off
DocumentRoot /var/www/html/iframe-test
ProxyPass /test http://www.oracle.com/index.html
ProxyPassReverse /test http://www.oracle.com/index.html
ErrorLog /var/log/apache2/google.local-error.log
CustomLog /var/log/apache2/google.local-access.log combined
<Location *>
AllowOverride All
Order allow,deny
Allow from all
# Header always append X-Frame-Options "ALLOW-FROM all"
Header add test-header 'test'
</Location>
</VirtualHost>
But still I cannot load the site in iframe and I am getting the error Load denied by X-Frame-Options: https://www.oracle.com/index.html does not permit cross-origin framing.
The issue with the above configuration was that the proxy only worked for the http protocol. But as seen in the console error message, the external site actually redirects http to https automatically.
So to handle the https requests, all that was needed was to enable SSL in Apache and turn on SSLProxyEngine. To do that:
run sudo a2enmod ssl on terminal
add the line 'SSLProxyEngine On' to the above config
<VirtualHost *:80>
ServerName google.local
ProxyRequests On
ProxyPreserveHost Off
SSLProxyEngine On
DocumentRoot /var/www/html/iframe-test
ProxyPass /test http://www.oracle.com/index.html
ProxyPassReverse /test http://www.oracle.com/index.html
ErrorLog /var/log/apache2/google.local-error.log
CustomLog /var/log/apache2/google.local-access.log combined
<Location *>
AllowOverride All
Order allow,deny
Allow from all
# Header always append X-Frame-Options "ALLOW-FROM all"
Header add test-header 'test'
</Location>
</VirtualHost>

Apache 2.2 reverse-proxy behind Nexus 3

The Apache server is configured with the following items:
<VirtualHost *:80>
...
<IfModule mod_proxy.c>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /jenkins/ http://localhost:8080/ timeout=300
ProxyHTMLURLMap http://localhost:8080 /jenkins
<Location /jenkins/>
ProxyPassReverse /
ProxyHTMLEnable On
ProxyHTMLExtended On
ProxyHTMLURLMap / /jenkins/ [L]
RequestHeader unset Accept-Encoding
</Location>
ProxyPass /nexus/ http://localhost:8081/ timeout=300
ProxyHTMLURLMap http://localhost:8081 /nexus
<Location /nexus/>
ProxyPassReverse /
ProxyHTMLEnable On
ProxyHTMLExtended On
ProxyHTMLURLMap / /nexus/ [L]
RequestHeader unset Accept-Encoding
</Location>
ProxyVia On
</IfModule>
Jenkins proxy works fine.
The Nexus proxy loads the page but cannot load resources. The HTML page resources are not defined with the right path: instead of myhost.domain/nexus/static/... the URLs are myhost.domain/static/.... What's going wrong in the configuration?
The solution is to switch Nexus context path configuration to '/nexus/'. In general, it seems that the nexus context path must match the proxy context path.

Apache reverse proxy to https server

I'm trying to set up a reverse proxy to some web service, so I can develop a JavaScript Ajax application on localhost. I have managed to do it with Apache in the following way:
ProxyPass /serviceproxy/ http://someservice.com/
ProxyPassReverse /serviceproxy/ http://someservice.com/
ProxyHTMLURLMap http://someservice.com/ /serviceproxy/
<Location /serviceproxy>
ProxyPassReverse /
ProxyHTMLEnable On
ProxyHTMLURLMap / /serviceproxy/
ProxyHTMLURLMap http://someservice.com/
RequestHeader unset Accept-Encoding
</Location>
That works fine for http webpages, but not for https pages. If I set proxy to https://someservice.com/, Apache returns 500 Internal server error. I'm new to Apache configuration. How to make it work? Is it even possible?
thanks
You have to enable the SSL module (a2enmod ssl). Then, in the /etc/apache2/sites-available/default file, include the following lines:
RequestHeader set X-Forwarded-Proto "https"
ServerName localhost
SSLProxyEngine On
RequestHeader set Front-End-Https "On"
between the line
ServerAdmin webmaster@localhost
and line
DocumentRoot /var/www
Hope it helps.