Jenkins CI haproxy configuration example

jenkins_haproxy_config.cfg

global
  chroot  /var/lib/haproxy
  crt-base  /etc/pki/tls/certs
  daemon  
  group  haproxy
  log  127.0.0.1 local0
  maxconn  2000
  pidfile  /var/run/haproxy.pid
  stats  socket /var/lib/haproxy/stats
  tune.ssl.default-dh-param  2048
  user  haproxy

defaults
  log  global
  maxconn  2000
  mode  http
  option  redispatch
  option  forwardfor
  option  http-server-close
  retries  3
  timeout  http-request 10s
  timeout  queue 1m
  timeout  connect 10s
  timeout  client 1m
  timeout  server 1m
  timeout  check 10s

frontend jenkins
  bind *:443 no-sslv3 ssl crt jenkins-ci.cert
  bind *:80 
  default_backend  jenkins-mstr
  redirect  location https://jenkins.my.domain/ if !{ ssl_fc }
  reqadd  X-Forwarded-Proto:\ http

backend jenkins-mstr
  balance  roundrobin
  http-request  set-header Host 127.0.0.1:8080
  reqirep  ^([^\ \t:]*:)\ https://jenkins.my.domain/(.*) \1\ http://127.0.0.1:8080/\2
  rspirep  ^([^\ \t:]*:)\ http://127.0.0.1:8080/(.*) \1\ https://jenkins.my.domain/\2
  server jenkins01 127.0.0.1:8080 check

Thanks a lot! Works great.
I think it would be more scalable to just add the 'X-Forwarded-Proto' in backend,for instance:

backend jenkins_server
    http-request  set-header Host 127.0.0.1:8080
    reqirep  ^([^\ \t:]*:)\ https://my.domain/(.*) \1\ http://127.0.0.1:8080/\2
    reqadd  X-Forwarded-Proto:\ http
    rspirep  ^([^\ \t:]*:)\ http://127.0.0.1:8080/(.*) \1\ https://my.domain/\2
    server local_jenkins 127.0.0.1:8080 check

Thanks works great. FYI in AWS you can retrieve public domain name (if auto assigned on subnet) by running:
wget -q -O - http://169.254.169.254/latest/meta-data/public-hostname

can anyone give any detailed explanation of the whys to this for me? I'm working on doing this same setup but currently I have cloudfront in front of haproxy (because cloudfront can't set X-Forwarded-Proto) (which is only doing http, at this time), and I have jenkins on a different (docker) server than haproxy. So i'm not sure how to translate this config, I don't understand why reqadd X-Forwarded-Proto:\ http instead of https if things are being accessed as https. I don't understand if the server is returning https urls why we need to translate them back to http. Jenkins is mostly working for me, except when I log in, I see hte login form with the nav to the left, instead of the dashboard. I do also get the warning about the proxy not being set up right, but I'm not sure where this is falling down, which thing does this mean is wrong (sadly the jenkins wiki doesn't seem to document the transformations that need to be accomplished and why, but rather exactly what to do with software X that can do them)

What I came up with so far is this

defaults
    mode http
    retries 3
    timeout connect 120s
    timeout client 60s
    timeout server 60s
resolvers docker
    nameserver dns "127.0.0.11:53"
frontend web
    bind *:8080
    default_backend jenkins
backend jenkins
    cookie SERVERID insert indirect nocache
    server jenkins jenkins:8080 check cookie s1 resolvers docker resolve-prefer ipv4
    acl h_cfp_exists req.hdr(CloudFront-Forwarded-Proto) -m found
    acl response-is-redirect res.hdr(Location) -m found
    http-request set-header X-Forwarded-Proto https if h_cfp_exists
    http-response replace-value Location ^http:\/\/(.*)  https://\2  if response-is-redirect```

These configurations dont work in haproxy 2.5 version. Any help?

I would as well appreciate a sample configuration for HAProxy 2.2

@MAnasKhalid and @persus - I appreciate your feedback, however it has been a long while since I have worked with this and if this config is no longer relevant, I may just remove it. I am not sure if I will have the time but I may try to replicate the issue you reported; can you provide details on your setup ... software versions, setup, configurations, etc.

I'm running HAProxy 2.2 on a Debian 11 server as reverse proxy (HA-Proxy version 2.2.9-2+deb11u3 2022/03/10).
Behind it I'm running Jenkins 2.332.3 on another Debian 11 server.
The goal is to get Jenkins accessible via a subdomain (e.g. https://jenkins.example.com).
The SSL-configuraiton is valid since it works for other services quite well.

This is my standard frontend config of HAProxy

frontend https
  # Binds
  bind *:80
  bind *:443 ssl crt /etc/ssl/private/example.com.cert.pem
  redirect scheme https code 301 if !{ ssl_fc }
  # Mode
  mode http
  option http-server-close
  http-request set-header X-Forwarded-For %[src]
  use_backend jenkins_srvc if { hdr(host) -i jenkins.example.com }

And now I'm struggling to get the backend configuration working

Thank you very much in advance

Oh I found it. Here is the proper backend configuration for the frontend configuration I posted above:

backend jenkins_srvc
  option forwardfor
  mode http
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Host %[req.hdr(Host)]
  server cicd01 10.1.1.39:8080 check