How to set up HAProxy behind CloudFront for Jenkins

OK, so far the network is

end user (https)-> cloudfront (http)-> haproxy (http)-> jenkins

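My Jenkins installation mostly works, but I'm seeing errors about the proxy setup being incorrect, and I ran into https://issues.jenkins-ci.org/browse/JENKINS-14313

I have read the following, but ran into some confusing problems.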

  1. https://wiki.jenkins.io/display/JENKINS/Running+Jenkins+behind+HAProxy
  2. https://gist.github.com/xelwarto/ac4f8b43e4194355082c

This is what I've come up with so far

    defaults
        mode http
        retries 3
        timeout connect 120s
        timeout client 60s
        timeout server 60s
    resolvers docker
        nameserver dns "127.0.0.11:53"
    frontend web
        bind *:8080
        default_backend jenkins
    backend jenkins
        cookie SERVERID insert indirect nocache
        server jenkins jenkins:8080 check cookie s1 resolvers docker resolve-prefer ipv4
        acl h_cfp_exists req.hdr(CloudFront-Forwarded-Proto) -m found
        acl response-is-redirect res.hdr(Location) -m found
        http-request set-header X-Forwarded-Proto https if h_cfp_exists

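Here are the headers Jenkins receives (the domains and security strings in the headers have been mangled, but the slashes and names are preserved)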

    POST /j_acegi_security_check HTTP/1.1
    Host: jenkins.default.mydomain.tld
    X-Amz-Cf-Id: _UoBjzMmiJvkMZOnRbt6Ai2rBZ4hm1jAz_5IGAi3OwI9TxQ5tCW5Bg==
    Content-Length: 339
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36 OPR/49.0.2725.64
    Via: 2.0 9a063989aee4dbd9381a2cf612c17c08.cloudfront.net (CloudFront)
    Cookie: JSESSIONID.0262fa7d=node01f8yc6mw0a5p6gv09wvy275j610.node0; JSESSIONID.9f7e10bd=node01i3tan71bopiv2ufhmos5dccq83.node0; JSESSIONID.d3f1b83b=node0nqkbin0vx70f12cdr9kmgatyk6.node0
    X-Forwarded-For: 2605:6000:1025:bd:31c7:df4d:6bd6:8b9c
    CloudFront-Is-Mobile-Viewer: false
    CloudFront-Is-Tablet-Viewer: false
    CloudFront-Is-SmartTV-Viewer: false
    CloudFront-Is-Desktop-Viewer: true
    CloudFront-Viewer-Country: US
    Accept-Language: en-US,en;q=0.9
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Referer: https://jenkins.default.mydomain.tld/
    CloudFront-Forwarded-Proto: https
    Accept-Encoding: gzip, deflate, br
    cache-control: max-age=0
    origin: https://jenkins.default.mydomain.tld
    upgrade-insecure-requests: 1
    content-type: application/x-www-form-urlencoded
    X-Forwarded-Proto: https

And the response the browser receives

    content-length:0
    date:Wed, 10 Jan 2018 15:45:21 GMT
    expires:Thu, 01 Jan 1970 00:00:00 GMT
    location:https://jenkins.default.mydomain.tld/
    server:Jetty(9.4.z-SNAPSHOT)
    set-cookie:JSESSIONID.d3f1b83b=node01o.node0;Path=/;Secure;HttpOnly
    set-cookie:ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE=Y2N1c2hpbmc6MTUxNjgwODcyMTQ5OTpmMmIzNDVkYjE2ODdhRlMGJmNWYz;Path=/;Expires=Wed, 24-Jan-2018 15:45:21 GMT;Max-Age=1209600;Secure;HttpOnly
    status:302
    via:1.1 6d16d2818.cloudfront.net (CloudFront)
    x-amz-cf-id:WZMDdUGVK4fRg6E04gN2sr9RIgKDqeK0-kAANBbeu7eB3uFv9cAkQw==
    x-cache:Miss from cloudfront
    x-content-type-options:nosniff

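Then I see a follow-up `GET /login HTTP/1.1`, but I don't understand why it does that. Possibly also interesting: no default view is set in the global configuration, and in fact that configuration doesn't seem to exist. Accessing over http through haproxy, everything works fine; the warning still shows, and it seems I could resolve that by setting the Jenkins URI to http://IP:port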

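How do I fix my haproxy setup so that the Jenkins login doesn't show the login form where the dashboard should appear? Can someone explain, in a way that is agnostic of the proxy technology, what transformations need to happen and why (for example, the examples seem to show 127.0.0.1:8080, but that obviously isn't right for me; however, since the Location returned is https, I'm not sure why I would need to do something like that)?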
