Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Jenkins CI haproxy configuration example
chroot /var/lib/haproxy
crt-base /etc/pki/tls/certs
group haproxy
log local0
maxconn 2000
pidfile /var/run/
stats socket /var/lib/haproxy/stats
tune.ssl.default-dh-param 2048
user haproxy
log global
maxconn 2000
mode http
option redispatch
option forwardfor
option http-server-close
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout check 10s
frontend jenkins
bind *:443 no-sslv3 ssl crt jenkins-ci.cert
bind *:80
default_backend jenkins-mstr
redirect location if !{ ssl_fc }
reqadd X-Forwarded-Proto:\ http
backend jenkins-mstr
balance roundrobin
http-request set-header Host
reqirep ^([^\ \t:]*:)\*) \1\\2
rspirep ^([^\ \t:]*:)\*) \1\\2
server jenkins01 check
Copy link

xelwarto commented May 25, 2015

There are many examples of how to use Apache as a reverse proxy for Jenkins though examples of using haproxy are limited and not complete ... this is a configuration for haproxy that works well with Jeninks.

This haproxy configuration fixes proxy issues reported in Jenkins setup:

Copy link

dmrq70 commented Jun 5, 2015

Works great. Thanks.

Copy link

mzvast commented Aug 13, 2016

Thanks a lot! Works great.
I think it would be more scalable to just add the 'X-Forwarded-Proto' in backend,for instance:

backend jenkins_server
    http-request  set-header Host
    reqirep  ^([^\ \t:]*:)\ https://my.domain/(.*) \1\\2
    reqadd  X-Forwarded-Proto:\ http
    rspirep  ^([^\ \t:]*:)\*) \1\ https://my.domain/\2
    server local_jenkins check

Copy link

styk-tv commented Sep 29, 2016

Thanks works great. FYI in AWS you can retrieve public domain name (if auto assigned on subnet) by running:
wget -q -O -

Copy link

xenoterracide commented Jan 9, 2018

can anyone give any detailed explanation of the whys to this for me? I'm working on doing this same setup but currently I have cloudfront in front of haproxy (because cloudfront can't set X-Forwarded-Proto) (which is only doing http, at this time), and I have jenkins on a different (docker) server than haproxy. So i'm not sure how to translate this config, I don't understand why reqadd X-Forwarded-Proto:\ http instead of https if things are being accessed as https. I don't understand if the server is returning https urls why we need to translate them back to http. Jenkins is mostly working for me, except when I log in, I see hte login form with the nav to the left, instead of the dashboard. I do also get the warning about the proxy not being set up right, but I'm not sure where this is falling down, which thing does this mean is wrong (sadly the jenkins wiki doesn't seem to document the transformations that need to be accomplished and why, but rather exactly what to do with software X that can do them)

What I came up with so far is this

    mode http
    retries 3
    timeout connect 120s
    timeout client 60s
    timeout server 60s
resolvers docker
    nameserver dns ""
frontend web
    bind *:8080
    default_backend jenkins
backend jenkins
    cookie SERVERID insert indirect nocache
    server jenkins jenkins:8080 check cookie s1 resolvers docker resolve-prefer ipv4
    acl h_cfp_exists req.hdr(CloudFront-Forwarded-Proto) -m found
    acl response-is-redirect res.hdr(Location) -m found
    http-request set-header X-Forwarded-Proto https if h_cfp_exists
    http-response replace-value Location ^http:\/\/(.*)  https://\2  if response-is-redirect```

Copy link

MAnasKhalid commented May 13, 2022

These configurations dont work in haproxy 2.5 version. Any help?

Copy link

persus commented May 22, 2022

I would as well appreciate a sample configuration for HAProxy 2.2

Copy link

xelwarto commented May 22, 2022

@MAnasKhalid and @persus - I appreciate your feedback, however it has been a long while since I have worked with this and if this config is no longer relevant, I may just remove it. I am not sure if I will have the time but I may try to replicate the issue you reported; can you provide details on your setup ... software versions, setup, configurations, etc.

Copy link

persus commented May 22, 2022

I'm running HAProxy 2.2 on a Debian 11 server as reverse proxy (HA-Proxy version 2.2.9-2+deb11u3 2022/03/10).
Behind it I'm running Jenkins 2.332.3 on another Debian 11 server.
The goal is to get Jenkins accessible via a subdomain (e.g.
The SSL-configuraiton is valid since it works for other services quite well.

This is my standard frontend config of HAProxy

frontend https
  # Binds
  bind *:80
  bind *:443 ssl crt /etc/ssl/private/
  redirect scheme https code 301 if !{ ssl_fc }
  # Mode
  mode http
  option http-server-close
  http-request set-header X-Forwarded-For %[src]
  use_backend jenkins_srvc if { hdr(host) -i }

And now I'm struggling to get the backend configuration working

Thank you very much in advance

Copy link

persus commented May 22, 2022

Oh I found it. Here is the proper backend configuration for the frontend configuration I posted above:

backend jenkins_srvc
  option forwardfor
  mode http
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Host %[req.hdr(Host)]
  server cicd01 check

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment