Skip to content

Instantly share code, notes, and snippets.

@xelwarto
Created May 25, 2015 11:49
Show Gist options
  • Save xelwarto/ac4f8b43e4194355082c to your computer and use it in GitHub Desktop.
Save xelwarto/ac4f8b43e4194355082c to your computer and use it in GitHub Desktop.
Jenkins CI haproxy configuration example
global
chroot /var/lib/haproxy
crt-base /etc/pki/tls/certs
daemon
group haproxy
log 127.0.0.1 local0
maxconn 2000
pidfile /var/run/haproxy.pid
stats socket /var/lib/haproxy/stats
tune.ssl.default-dh-param 2048
user haproxy
defaults
log global
maxconn 2000
mode http
option redispatch
option forwardfor
option http-server-close
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout check 10s
frontend jenkins
bind *:443 no-sslv3 ssl crt jenkins-ci.cert
bind *:80
default_backend jenkins-mstr
redirect location https://jenkins.my.domain/ if !{ ssl_fc }
reqadd X-Forwarded-Proto:\ http
backend jenkins-mstr
balance roundrobin
http-request set-header Host 127.0.0.1:8080
reqirep ^([^\ \t:]*:)\ https://jenkins.my.domain/(.*) \1\ http://127.0.0.1:8080/\2
rspirep ^([^\ \t:]*:)\ http://127.0.0.1:8080/(.*) \1\ https://jenkins.my.domain/\2
server jenkins01 127.0.0.1:8080 check
@dmrq70
Copy link

dmrq70 commented Jun 5, 2015

Works great. Thanks.

@mzvast
Copy link

mzvast commented Aug 13, 2016

Thanks a lot! Works great.
I think it would be more scalable to just add the 'X-Forwarded-Proto' in backend,for instance:

backend jenkins_server
    http-request  set-header Host 127.0.0.1:8080
    reqirep  ^([^\ \t:]*:)\ https://my.domain/(.*) \1\ http://127.0.0.1:8080/\2
    reqadd  X-Forwarded-Proto:\ http
    rspirep  ^([^\ \t:]*:)\ http://127.0.0.1:8080/(.*) \1\ https://my.domain/\2
    server local_jenkins 127.0.0.1:8080 check

@styk-tv
Copy link

styk-tv commented Sep 29, 2016

Thanks works great. FYI in AWS you can retrieve public domain name (if auto assigned on subnet) by running:
wget -q -O - http://169.254.169.254/latest/meta-data/public-hostname

@xenoterracide
Copy link

xenoterracide commented Jan 9, 2018

can anyone give any detailed explanation of the whys to this for me? I'm working on doing this same setup but currently I have cloudfront in front of haproxy (because cloudfront can't set X-Forwarded-Proto) (which is only doing http, at this time), and I have jenkins on a different (docker) server than haproxy. So i'm not sure how to translate this config, I don't understand why reqadd X-Forwarded-Proto:\ http instead of https if things are being accessed as https. I don't understand if the server is returning https urls why we need to translate them back to http. Jenkins is mostly working for me, except when I log in, I see hte login form with the nav to the left, instead of the dashboard. I do also get the warning about the proxy not being set up right, but I'm not sure where this is falling down, which thing does this mean is wrong (sadly the jenkins wiki doesn't seem to document the transformations that need to be accomplished and why, but rather exactly what to do with software X that can do them)

What I came up with so far is this

defaults
    mode http
    retries 3
    timeout connect 120s
    timeout client 60s
    timeout server 60s
resolvers docker
    nameserver dns "127.0.0.11:53"
frontend web
    bind *:8080
    default_backend jenkins
backend jenkins
    cookie SERVERID insert indirect nocache
    server jenkins jenkins:8080 check cookie s1 resolvers docker resolve-prefer ipv4
    acl h_cfp_exists req.hdr(CloudFront-Forwarded-Proto) -m found
    acl response-is-redirect res.hdr(Location) -m found
    http-request set-header X-Forwarded-Proto https if h_cfp_exists
    http-response replace-value Location ^http:\/\/(.*)  https://\2  if response-is-redirect```

@MAnasKhalid
Copy link

These configurations dont work in haproxy 2.5 version. Any help?

@persus
Copy link

persus commented May 22, 2022

I would as well appreciate a sample configuration for HAProxy 2.2

@xelwarto
Copy link
Author

@MAnasKhalid and @persus - I appreciate your feedback, however it has been a long while since I have worked with this and if this config is no longer relevant, I may just remove it. I am not sure if I will have the time but I may try to replicate the issue you reported; can you provide details on your setup ... software versions, setup, configurations, etc.

@persus
Copy link

persus commented May 22, 2022

I'm running HAProxy 2.2 on a Debian 11 server as reverse proxy (HA-Proxy version 2.2.9-2+deb11u3 2022/03/10).
Behind it I'm running Jenkins 2.332.3 on another Debian 11 server.
The goal is to get Jenkins accessible via a subdomain (e.g. https://jenkins.example.com).
The SSL-configuraiton is valid since it works for other services quite well.

This is my standard frontend config of HAProxy

frontend https
  # Binds
  bind *:80
  bind *:443 ssl crt /etc/ssl/private/example.com.cert.pem
  redirect scheme https code 301 if !{ ssl_fc }
  # Mode
  mode http
  option http-server-close
  http-request set-header X-Forwarded-For %[src]
  use_backend jenkins_srvc if { hdr(host) -i jenkins.example.com }

And now I'm struggling to get the backend configuration working

Thank you very much in advance

@persus
Copy link

persus commented May 22, 2022

Oh I found it. Here is the proper backend configuration for the frontend configuration I posted above:

backend jenkins_srvc
  option forwardfor
  mode http
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Host %[req.hdr(Host)]
  server cicd01 10.1.1.39:8080 check

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment