This plugin lets you delegate authentication to the reverse proxy that you run in front of Jenkins. It also handles authorisation, using LDAP groups that are either loaded from the HTTP header or found by an LDAP search based on the username.
The default values for the HTTP header fields are:
If you see the error message "It appears that your reverse proxy set up is broken" in the "Manage Jenkins" page, here's what's happening.
For a reverse proxy to work correctly, it needs to rewrite both the request and the response. Request rewriting involves receiving an inbound HTTP call and then making a forwarding request to Jenkins (sometimes with some HTTP headers modified, sometimes not). Failing to configure the request rewriting is easy to catch, because you just won't see any pages at all.
But proper reverse proxying also involves rewriting the response. (Details: Hyperlinks in HTML) The primary place where this needs to happen is the "Location" header in the response, which is used during redirects. Jenkins would send back "Location: http://actual.server:8080/jenkins/foobar" and the reverse proxy needs to rewrite this to "Location: http://nice.name/jenkins/foobar". Unfortunately, failing to configure this correctly is harder to catch.
So Jenkins has a proactive monitor to make sure this is configured correctly. It uses XmlHttpRequest to request a specific URL in Jenkins (via a relative path, so this will always get through provided the request is properly rewritten), which then redirects the user to another page in Jenkins (this only works if you configured the response rewriting correctly), which then returns 200.
This error message indicates that this test is failing. The most likely cause is that the response rewriting is configured incorrectly. See Running Jenkins behind Apache / Running Jenkins behind Nginx for additional tips about reverse proxies. While the page talks primarily about Apache, it has some information that applies to other reverse proxies.
Note: The reverse proxy tests were improved in release 1.552, so users with previously working proxy setups may start to receive proxy warnings. If using Apache, check that nocanon is set on ProxyPass and that AllowEncodedSlashes is set as per the Apache link above. (AllowEncodedSlashes is not inherited in Apache configs, so this directive must be placed inside the VirtualHost definition.)
Also, make sure to set the X-Forwarded-Proto header if your reverse proxy is accessed via HTTPS, but Jenkins itself is not.
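The check below is an added example, not code from Jenkins or the plugin: it classifies the "Location" header of each response in a redirect chain against the public URL, flagging redirects that still name the backend server or carry the wrong scheme. The sample headers are constructed from the hostnames used above, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample: raw response headers as they might arrive through the proxy.
SAMPLE_CHAIN = [
    "HTTP/1.1 302 Found\r\nLocation: http://actual.server:8080/jenkins/foobar\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: http://nice.name/jenkins/foobar\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: /jenkins/foobar\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
]

def _origin(parts, fallback_scheme=None):
    """Normalise a split URL to (scheme, host, port), filling in default ports."""
    scheme = parts.scheme or fallback_scheme
    default = {"http": 80, "https": 443}.get(scheme)
    return (scheme, (parts.hostname or "").lower(), parts.port or default)

def location_of(raw_headers):
    """Return the Location header value from a raw header block, or None."""
    for line in raw_headers.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None

def check_redirect(raw_headers, public_base):
    """Classify one response against the URL users type into the browser."""
    loc = location_of(raw_headers)
    if loc is None:
        return "no-redirect"
    target, public = urlsplit(loc), urlsplit(public_base)
    if not target.scheme and not target.netloc:
        return "ok"  # relative redirect: resolved against the public URL
    t, p = _origin(target, public.scheme), _origin(public)
    if t == p:
        return "ok"
    if t[1] == p[1] and t[0] != p[0]:
        return "wrong-scheme"  # typical when X-Forwarded-Proto is not set
    return "not-rewritten"  # Location still names the backend server

def audit(chain, public_base):
    """Classify every response in a captured redirect chain."""
    return [check_redirect(raw, public_base) for raw in chain]

if __name__ == "__main__":
    for verdict in audit(SAMPLE_CHAIN, "https://nice.name/jenkins/"):
        print(verdict)
```
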
For further diagnosis, try using cURL:
(assuming your Jenkins should be visible at http://your.reverse.proxy/jenkins/)