Jenkins CI haproxy configuration example
global
    chroot /var/lib/haproxy
    crt-base /etc/pki/tls/certs
    daemon
    group haproxy
    log 127.0.0.1 local0
    maxconn 2000
    pidfile /var/run/haproxy.pid
    stats socket /var/lib/haproxy/stats
    tune.ssl.default-dh-param 2048
    user haproxy

defaults
    log global
    maxconn 2000
    mode http
    option redispatch
    option forwardfor
    option http-server-close
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout check 10s

frontend jenkins
    bind *:443 no-sslv3 ssl crt jenkins-ci.cert
    bind *:80
    default_backend jenkins-mstr
    redirect location https://jenkins.my.domain/ if !{ ssl_fc }
    reqadd X-Forwarded-Proto:\ http

backend jenkins-mstr
    balance roundrobin
    http-request set-header Host 127.0.0.1:8080
    reqirep ^([^\ \t:]*:)\ https://jenkins.my.domain/(.*) \1\ http://127.0.0.1:8080/\2
    rspirep ^([^\ \t:]*:)\ http://127.0.0.1:8080/(.*) \1\ https://jenkins.my.domain/\2
    server jenkins01 127.0.0.1:8080 check
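
What the `reqirep` and `rspirep` rules above do to individual header lines, as an added Python simulation (not part of the gist and not HAProxy itself). The header lines are constructed samples and the function names are this example's own; it also lists response lines that still expose the backend address because the pattern did not match them.

```python
import re

# The gist's patterns, with HAProxy's config-level "\ " escape written as a
# plain space. The "i" in reqirep/rspirep means case-insensitive matching.
# Dots are left unescaped as on the page, so each one matches any character.
REQIREP = (re.compile(r"^([^ \t:]*:) https://jenkins.my.domain/(.*)", re.I),
           r"\1 http://127.0.0.1:8080/\2")
RSPIREP = (re.compile(r"^([^ \t:]*:) http://127.0.0.1:8080/(.*)", re.I),
           r"\1 https://jenkins.my.domain/\2")

# Constructed sample header lines (not captured traffic).
REQUEST_LINES = [
    "Host: jenkins.my.domain",
    "Referer: https://jenkins.my.domain/manage",
    "Origin: https://jenkins.my.domain",        # no trailing slash
]
RESPONSE_LINES = [                               # taken from separate responses
    "Location: http://127.0.0.1:8080/login?from=%2F",
    "Location: http://127.0.0.1:8080",          # no trailing slash
    "Content-Type: text/html",
]


def rewrite(lines, rule):
    """Apply one rule to each header line; a matching line is replaced whole."""
    pattern, replacement = rule
    out = []
    for line in lines:
        match = pattern.match(line)
        out.append(match.expand(replacement) if match else line)
    return out


def leaked_backend(lines):
    """Return header lines that still contain the internal backend address."""
    return [line for line in lines if "127.0.0.1:8080" in line]


def demo():
    to_backend = rewrite(REQUEST_LINES, REQIREP)   # what Jenkins receives
    to_client = rewrite(RESPONSE_LINES, RSPIREP)   # what the browser receives
    return to_backend, to_client, leaked_backend(to_client)


if __name__ == "__main__":
    for label, lines in zip(("to backend", "to client", "leaked"), demo()):
        print(label, lines)
```
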

Owner Author

xelwarto commented May 25, 2015

There are many examples of how to use Apache as a reverse proxy for Jenkins, though examples of using haproxy are limited and not complete ... this is a configuration for haproxy that works well with Jenkins.

This haproxy configuration fixes proxy issues reported in Jenkins setup: https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+says+my+reverse+proxy+setup+is+broken

dmrq70 commented Jun 5, 2015

Works great. Thanks.

mzvast commented Aug 13, 2016

Thanks a lot! Works great.
I think it would be more scalable to just add the 'X-Forwarded-Proto' in the backend, for instance:

backend jenkins_server
    http-request  set-header Host 127.0.0.1:8080
    reqirep  ^([^\ \t:]*:)\ https://my.domain/(.*) \1\ http://127.0.0.1:8080/\2
    reqadd  X-Forwarded-Proto:\ http
    rspirep  ^([^\ \t:]*:)\ http://127.0.0.1:8080/(.*) \1\ https://my.domain/\2
    server local_jenkins 127.0.0.1:8080 check

styk-tv commented Sep 29, 2016

Thanks, works great. FYI, in AWS you can retrieve the public domain name (if auto-assigned on the subnet) by running:
wget -q -O - http://169.254.169.254/latest/meta-data/public-hostname

xenoterracide commented Jan 9, 2018

Can anyone give any detailed explanation of the whys to this for me? I'm working on doing this same setup, but currently I have CloudFront in front of haproxy (because CloudFront can't set X-Forwarded-Proto) (which is only doing http, at this time), and I have Jenkins on a different (Docker) server than haproxy. So I'm not sure how to translate this config. I don't understand why reqadd X-Forwarded-Proto:\ http instead of https if things are being accessed as https. I don't understand, if the server is returning https URLs, why we need to translate them back to http. Jenkins is mostly working for me, except when I log in, I see the login form with the nav to the left, instead of the dashboard. I do also get the warning about the proxy not being set up right, but I'm not sure where this is falling down, or which thing this means is wrong (sadly the Jenkins wiki doesn't seem to document the transformations that need to be accomplished and why, but rather exactly what to do with software X that can do them).

What I came up with so far is this

defaults
    mode http
    retries 3
    timeout connect 120s
    timeout client 60s
    timeout server 60s
resolvers docker
    nameserver dns "127.0.0.11:53"
frontend web
    bind *:8080
    default_backend jenkins
backend jenkins
    cookie SERVERID insert indirect nocache
    server jenkins jenkins:8080 check cookie s1 resolvers docker resolve-prefer ipv4
    acl h_cfp_exists req.hdr(CloudFront-Forwarded-Proto) -m found
    acl response-is-redirect res.hdr(Location) -m found
    http-request set-header X-Forwarded-Proto https if h_cfp_exists
    # The pattern has a single capture group, so the replacement refers to \1
    http-response replace-value Location ^http:\/\/(.*)  https://\1  if response-is-redirect