Jenkins reverse proxy to an alternative port number

Aeg*_*gis 6 curl reverse-proxy nginx build-server jenkins

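I have a Jenkins build server, and I am trying to set up a reverse proxy using nginx. I followed all the how-tos and documentation on the Jenkins site, but the only thing that is different is that I need the server to be accessible on a different port than the standard https port.

The server must be accessible at https://jenkins.example.com:9090, which is working now, but I still have some problems. In Manage Jenkins I keep getting the message

It appears that your reverse proxy set up is broken

Also, when I log in, or apply or save some configuration changes, I keep getting redirected to https://jenkins.example.com without the port number.

When I check with curl and look at the headers of some pages, it keeps setting the Location header to the correct URL but without the port number.

I have the following configuration in nginx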

server {
  listen 443 ssl spdy;
  server_name jenkins.example.com;
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
  add_header X-Frame-Options "DENY";

  ssl on;
  ssl_certificate /etc/nginx/ssl/server.chain.crt;
  ssl_certificate_key /etc/nginx/ssl/server.key;
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-$
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;

  # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
  # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
  resolver 8.8.8.8;
  ssl_stapling on;
  ssl_trusted_certificate /etc/nginx/ssl/server.crt;

  access_log            /var/log/nginx/jenkins.access.log;

  location / {
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;

    # Fix the "It appears that your reverse proxy set up is broken" error.
    proxy_pass          http://127.0.0.1:8080/;
    proxy_read_timeout  90;

    proxy_redirect      http://127.0.0.1:8080 https://jenkins.example.com:9090;
  }
}

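In the default configuration of Jenkins I have added --httpListenAddress=127.0.0.1, and in Manage Jenkins --> Configure System I have added the correct URL with the port number, https://jenkins.example.com:9090/, to the Jenkins Location.

These are the headers when I check them with curl.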

curl -I  https://jenkins.example.com:9090/scriptApproval
HTTP/1.1 302 Found
Server: nginx/1.9.4
Date: Thu, 24 Sep 2015 13:17:56 GMT
Content-Length: 0
Connection: keep-alive
X-Content-Type-Options: nosniff
Location: https://jenkin.example.com/scriptApproval/
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: DENY

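Update 1

When adding proxy_set_header X-Forwarded-Port 9090; to the nginx configuration, this seems to fix the "It appears that your reverse proxy set up is broken" error on the settings page.

Update 2

Maybe it has something to do with the trailing slash. When I call https://build.example.com:9090/pluginManager/ with curl, I get a 403 Forbidden response from Jenkins, but when I call https://build.example.com:9090/pluginManager without the trailing slash, I get a 302 Found response with the Location header set to https://build.example.com/pluginManager/

Update 3

The server is on a shared internet connection, along with more servers that I have no control over. The only things it runs are Jenkins CI and nginx, which should be the reverse proxy. The WAN port on the router listens on port 9090, which is forwarded to the server on port 443, which should be nginx, which proxies everything to Jenkins CI listening on port 8080.

Update 4

This is the current configuration I have tried. It doesn't seem to work either.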

upstream jenkins {
  server 127.0.0.1:8080 fail_timeout=0;
}

server {
  listen 9090 default ssl http2;
  server_name build.pixplicity.com;

  ssl on;
  ssl_certificate /etc/nginx/ssl/server.chain.crt;
  ssl_certificate_key /etc/nginx/ssl/server.key;

  access_log            /var/log/nginx/jenkins.access.log;

  location / {
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto https;
    proxy_set_header        X-Forward-Port 9090;

    # Fix the "It appears that your reverse proxy set up is broken" error.
    proxy_pass          http://127.0.0.1:8080;
    proxy_read_timeout  90;

    proxy_redirect http://127.0.0.1:8080 https://build.pixplicity.com:9090;
    #proxy_redirect default;
  }
}

SEB*_*GEM 6

Update the following lines in the Update 4 configuration:

listen 443 default ssl http2;

proxy_set_header        Host $host:9090;
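
A check for the symptom discussed in this thread, as an added example that is not part of the question or the answer: nginx's $host carries no port, so the backend builds redirects for the default https port unless the Host header is sent as $host:9090. The function names and both header dumps are assumptions constructed for illustration; the first dump uses the values reported in Update 2.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)

def location_of(raw_headers):
    """Pull the Location value out of a `curl -I` style header dump, or None."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None

def redirect_problems(requested_url, raw_headers):
    """List how a redirect's origin differs from the URL the client requested."""
    location = location_of(raw_headers)
    if location is None:
        return []  # not a redirect
    if location.startswith("/") and not location.startswith("//"):
        return []  # path-only redirect keeps the client's origin
    problems = []
    labels = ("scheme", "host", "port")
    for label, want, got in zip(labels, origin(requested_url), origin(location)):
        if want != got:
            problems.append(f"{label}: expected {want}, got {got}")
    return problems

REQUESTED = "https://build.example.com:9090/pluginManager"

# Constructed from the values reported in Update 2 (port lost in Location).
BROKEN = """HTTP/1.1 302 Found
Content-Length: 0
Location: https://build.example.com/pluginManager/
"""

# Constructed: what the same request should return once Host carries :9090.
FIXED = """HTTP/1.1 302 Found
Content-Length: 0
Location: https://build.example.com:9090/pluginManager/
"""

if __name__ == "__main__":
    for label, dump in (("before", BROKEN), ("after", FIXED)):
        print(label, redirect_problems(REQUESTED, dump) or "redirect keeps origin")
```

Feeding it the saved output of curl -I for a few Jenkins paths after each nginx change shows whether redirects still leave the external port.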