This plugin lets you delegate authentication to the reverse proxy that you run in front of Jenkins. It also handles authorisation, using LDAP groups that are either loaded from an HTTP header or found by an LDAP search based on the username.
The default values for the HTTP header fields are:
If you see the error message "It appears that your reverse proxy set up is broken" in the "Manage Jenkins" page, here's what's happening.
For a reverse proxy to work correctly, it needs to rewrite both the request and the response. Request rewriting involves receiving an inbound HTTP call and then making a forwarding request to Jenkins (sometimes with some HTTP headers modified, sometimes not). Failing to configure the request rewriting is easy to catch, because you just won't see any pages at all.
But proper reverse proxying also involves rewriting the response. The primary place where this needs to happen is the "Location" header in the response, which is used during redirects. Jenkins would send back "Location: http://actual.server:8080/jenkins/foobar" and the reverse proxy needs to rewrite this to "Location: http://nice.name/jenkins/foobar". Unfortunately, failing to configure this correctly is harder to catch.
So Jenkins has a proactive monitor to make sure this is configured correctly. It uses XmlHttpRequest to request a specific URL in Jenkins (via a relative path, so this will always get through provided the request is properly rewritten), which then redirects the user to another page in Jenkins (this works only if the response rewriting is configured correctly), which then returns 200.
This error message indicates that this test is failing. The most likely cause is that the response rewriting is configured incorrectly. See Running Jenkins behind Apache for additional tips about reverse proxies. While that page talks primarily about Apache, it has some information that applies to other reverse proxies.
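The check below is an added example, not code from Jenkins or the plugin: it takes a response head captured through the proxy and reports whether the "Location" header still carries the backend's scheme, host or port, or points outside the public context path. The function names and the sample responses are constructed for illustration; the host names are the ones used in the text above.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample responses, using the host names from the text above.
UNREWRITTEN = "HTTP/1.1 302 Found\r\nLocation: http://actual.server:8080/jenkins/foobar\r\n\r\n"
REWRITTEN = "HTTP/1.1 302 Found\r\nLocation: http://nice.name/jenkins/foobar\r\n\r\n"

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

def parse_head(raw):
    """Parse a raw response head into (status code, {lower-cased name: value})."""
    lines = raw.lstrip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def check_redirect(public_base, raw_response):
    """Classify a redirect received through the proxy.

    public_base is the URL users reach Jenkins at, e.g. http://nice.name/jenkins/.
    Relative Location values are resolved against it (a simplification).
    """
    status, headers = parse_head(raw_response)
    location = headers.get("location")
    if status not in (301, 302, 303, 307, 308) or not location:
        return "no-redirect"
    target = urljoin(public_base, location)
    if origin(target) != origin(public_base):
        return "origin-not-rewritten"  # backend scheme/host/port leaked to the client
    base_path = urlsplit(public_base).path.rstrip("/") + "/"
    if not (urlsplit(target).path.rstrip("/") + "/").startswith(base_path):
        return "context-path-mismatch"
    return "ok"

if __name__ == "__main__":
    for name, raw in (("unrewritten", UNREWRITTEN), ("rewritten", REWRITTEN)):
        print(name, "->", check_redirect("http://nice.name/jenkins/", raw))
```

An "origin-not-rewritten" result also covers the case where the proxy serves HTTPS but the redirect comes back with an http:// URL.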
Note: The reverse proxy tests were improved in release 1.552, so users with previously working proxy setups may start to receive proxy warnings. If using Apache, check that nocanon is set on ProxyPass and that AllowEncodedSlashes is set as per the Apache link above.
For further diagnosis, try wget --no-check-certificate --debug -O /dev/null http://your.reverse.proxy/jenkins/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test (assuming your Jenkins should be visible at http://your.reverse.proxy/jenkins/)
or using cURL: