Jenkins behind an NGinX reverse proxy

Skip to end of metadata
Go to start of metadata

Running Jenkins from a subdomain (like http://jenkins.domain.tld)

Due to people are often struggling getting Jenkins to work behind an NGINX reverse proxy setup I've decided to share my currently running config.

Hope this could be of any help to someone.

server {
    listen 80;
    server_name jenkins.domain.tld;
    return 301 https://$host$request_uri;

server {

    listen 80;
    server_name jenkins.domain.tld;

    location / {

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix the "It appears that your reverse proxy set up is broken" error.
      proxy_read_timeout  90;

      proxy_redirect https://jenkins.domain.tld;

Running from a subdomain with SSL

upstream jenkins {
  server fail_timeout=0;

server {
  listen 80;
  server_name jenkins.domain.tld;
  return 301 https://$host$request_uri;

server {
  listen 443 ssl;
  server_name jenkins.domain.tld;

  ssl_certificate /etc/nginx/ssl/server.crt;
  ssl_certificate_key /etc/nginx/ssl/server.key;

  location / {
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_redirect http:// https://;
    proxy_pass              http://jenkins;

Running Jenkins from a folder with TLS encryption (like https://domain.tld/jenkins/)

However, you may want to access Jenkins from a folder on your main web server. This allows you to use the same TLS/SSL certificate as for your top level domain, whereas a sub-domain like jenkins.domain.tld may require a new TLS/SSL certificate (that seems to depend on your certificate provider). You can configure nginx as a reverse proxy to translate requests coming in from the WAN as https://domain.tld/jenkins/ to LAN requests to

Note that this example uses the same settings as currently listed on the wiki article at, but with different values for the proxy_pass and proxy_redirect directives.

server {

    # All your server and TLS/certificate settings are up here somewhere

    # Nginx configuration specific to Jenkins
    # Note that regex takes precedence, so use of "^~" ensures earlier evaluation
    location ^~ /jenkins/ {

        # Convert inbound WAN requests for https://domain.tld/jenkins/ to 
        # local network requests for
	# Rewrite HTTPS requests from WAN to HTTP requests on LAN
        proxy_redirect http:// https://;

        # The following settings from
        sendfile off;

        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_max_temp_file_size 0;

        #this is the maximum upload size
        client_max_body_size       10m;
        client_body_buffer_size    128k;

        proxy_connect_timeout      90;
        proxy_send_timeout         90;
        proxy_read_timeout         90;

        proxy_buffer_size          4k;
        proxy_buffers              4 32k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;

In addition, you must ensure that Jenkins is configured to listen for requests to the /jenkins/ folder (e.g. instead of Do that by adding the parameter --prefix=/jenkins to the Jenkins default start-up configuration file. On my system (Ubuntu 12.04 LTS) the configuration file is /etc/default/jenkins. For example, here's the full JENKINS_ARG parameter list (the only part I added was --prefix=/jenkins):

JENKINS_ARGS="--webroot=/var/cache/jenkins/war --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT --prefix=/jenkins"

Once configured, you should also set the URL used by the Jenkins UI at Jenkins > Manage Jenkins > Jenkins Location > Jenkins URL to something like:  "https://domain.tld/jenkins/. 

Being compatible with CSRF protection

If you enable "Prevent Cross Site Request Forgery exploits" in the Configure Global Security page, you'll need special care for Jenkins to work behind a proxy. You'll need to enable the Enable proxy compatibility checkbox. And you'll need to add to your nginx configuration the following fragment:

http {
  ignore_invalid_headers off;

This is required because Jenkins uses a custom HTTP header named .crumb. See bug for details.


service service Delete
air air Delete
panas panas Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.

Add Comment