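I have a Jenkins build server and I am trying to set up a reverse proxy with Nginx. I followed all the how-tos and documentation on the Jenkins site, but the only difference is that I need the server to be reachable on a port other than the standard HTTPS port.
The server must be reachable at https://jenkins.example.com:9090, which works now, but I still have some problems. In Manage Jenkins I keep getting the message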
It appears that your reverse proxy set up is broken
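Also, when I log in, or apply or save some configuration changes, I keep getting redirected to https://jenkins.example.com, without the port number.
When I check with curl and look at the headers of some pages, the Location header is set to the right URL, but without the port number.
I have the following configuration in Nginx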

    server {
        listen 443 ssl spdy;
        server_name jenkins.example.com;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        add_header X-Frame-Options "DENY";
        ssl on;
        ssl_certificate /etc/nginx/ssl/server.chain.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-$
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
        # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
        resolver 8.8.8.8;
        ssl_stapling on;
        ssl_trusted_certificate /etc/nginx/ssl/server.crt;
        access_log /var/log/nginx/jenkins.access.log;
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Fix the "It appears that your reverse proxy set up is broken" error.
            proxy_pass http://127.0.0.1:8080/;
            proxy_read_timeout 90;
            proxy_redirect http://127.0.0.1:8080 https://jenkins.example.com:9090;
        }
    }

In the Jenkins default configuration I added --httpListenAddress=127.0.0.1, and in Manage Jenkins > Configure System I added the correct URL (with the port number, https://jenkins.example.com:9090/) to the Jenkins Location.

    curl -I https://jenkins.example.com:9090/scriptApproval
    HTTP/1.1 302 Found
    Server: nginx/1.9.4
    Date: Thu, 24 Sep 2015 13:17:56 GMT
    Content-Length: 0
    Connection: keep-alive
    X-Content-Type-Options: nosniff
    Location: https://jenkin.example.com/scriptApproval/
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    X-Frame-Options: DENY

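Update 1
When adding proxy_set_header X-Forwarded-Port 9090; to the Nginx configuration, this seems to fix the error "It appears that your reverse proxy set up is broken" on the settings page.
Update 2
Maybe it has something to do with the trailing slash. When I call https://build.example.com:9090/pluginManager/ with curl, I get a 403 Forbidden response from Jenkins, but when I call https://build.example.com:9090/pluginManager without the trailing slash, I get a 302 Found response with the Location header set to https://build.example.com/pluginManager/
Update 3
The server is on a shared Internet connection, with more servers attached that I have no control over. It only runs Jenkins CI and Nginx, which should be the reverse proxy. The WAN port on the router listens on port 9090, which is forwarded to the server on port 443, which should be Nginx, which should proxy everything to Jenkins CI listening on port 8080.
Update 4
This is the current configuration that I tried. This doesn't seem to work either.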

    upstream jenkins {
        server 127.0.0.1:8080 fail_timeout=0;
    }
    server {
        listen 9090 default ssl http2;
        server_name build.pixplicity.com;
        ssl on;
        ssl_certificate /etc/nginx/ssl/server.chain.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        access_log /var/log/nginx/jenkins.access.log;
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forward-Port 9090;
            # Fix the "It appears that your reverse proxy set up is broken" error.
            proxy_pass http://127.0.0.1:8080;
            proxy_read_timeout 90;
            proxy_redirect http://127.0.0.1:8080 https://build.pixplicity.com:9090;
            #proxy_redirect default;
        }
    }

    listen 443 default ssl http2;
    proxy_set_header Host $host:9090;
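
The two directives above, combined with the port forwarding described in Update 3 (router WAN port 9090 forwarded to local port 443), give a server block like the following. This is an added example, not part of the original post: the host name, external port and file paths are taken from the question, and the layout is an assumption about how the pieces fit together.

```nginx
# Added example (not the poster's final config). Values follow the question:
# clients use https://jenkins.example.com:9090, the router forwards WAN port
# 9090 to port 443 on this machine, and Jenkins listens on 127.0.0.1:8080.
server {
    # nginx must listen on the port the router forwards TO, not on 9090.
    listen 443 ssl http2;
    server_name jenkins.example.com;

    ssl_certificate     /etc/nginx/ssl/server.chain.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    access_log /var/log/nginx/jenkins.access.log;

    location / {
        # $host never carries a port, and $server_port would be 443 here,
        # so the externally visible port is written out explicitly.
        # Hardcoding it also avoids trusting a client-supplied Host port.
        proxy_set_header Host              $host:9090;
        proxy_set_header X-Forwarded-Port  9090;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

        proxy_pass         http://127.0.0.1:8080;
        proxy_read_timeout 90;

        # Rewrite any Location header that still points at the backend.
        proxy_redirect http://127.0.0.1:8080 https://jenkins.example.com:9090;
    }
}
```

The check used in the question, `curl -I https://jenkins.example.com:9090/scriptApproval`, is the way to confirm the result: the `Location` header should now carry `:9090`.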