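Configuration file
See the Running Jenkins behind Nginx documentation for the official, detailed explanation of the reverse proxy setup.
The configuration file follows (copied directly from the official documentation; we have not studied it in depth):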
    upstream jenkins {
      keepalive 32; # keepalive connections
      server 127.0.0.1:8080; # jenkins ip and port
    }

    server {
      listen          80;       # Listen on port 80 for IPv4 requests

      server_name     jenkins.example.com;

      #this is the jenkins web root directory (mentioned in the /etc/default/jenkins file)
      root            /var/run/jenkins/war/;

      access_log      /var/log/nginx/jenkins/access.log;
      error_log       /var/log/nginx/jenkins/error.log;
      ignore_invalid_headers off; #pass through headers from Jenkins which are considered invalid by Nginx server.

      location ~ "^/static/[0-9a-fA-F]{8}\/(.*)$" {
        #rewrite all static files into requests to the root
        #E.g /static/12345678/css/something.css will become /css/something.css
        rewrite "^/static/[0-9a-fA-F]{8}\/(.*)" /$1 last;
      }

      location /userContent {
        #have nginx handle all the static requests to the userContent folder files
        #note : This is the $JENKINS_HOME dir
        root /var/lib/jenkins/;
        if (!-f $request_filename){
          #this file does not exist, might be a directory or a /**view** url
          rewrite (.*) /$1 last;
          break;
        }
        sendfile on;
      }

      location / {
        sendfile off;
        proxy_pass         http://jenkins;
        proxy_redirect     default;
        proxy_http_version 1.1;

        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_max_temp_file_size 0;

        #this is the maximum upload size
        client_max_body_size       10m;
        client_body_buffer_size    128k;

        proxy_connect_timeout      90;
        proxy_send_timeout         90;
        proxy_read_timeout         90;
        proxy_buffering            off;
        proxy_request_buffering    off; # Required for HTTP CLI commands in Jenkins > 2.54
        proxy_set_header Connection ""; # Clear for keepalive
      }
    }
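Common problems
HTTP Basic authentication prompts repeatedly behind the reverse proxy
Problem description:
To improve security, after putting Jenkins behind an Nginx reverse proxy we also configured HTTP Basic Authentication in Nginx, but the authentication dialog kept popping up.
For how to configure HTTP Basic Authentication, see the article Restricting Access with HTTP Basic Authentication.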
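Cause:
A request made with curl (curl --user user:password http://) returned a 401 authentication-failure page, and that page was returned by Jenkins (it contained text such as "Jetty……").
After changing the Jenkins log level and enabling the access log, requests that failed with 401 appeared in the request log.
The front-end Nginx passes the Authorization request header on to the Jenkins service, but Jenkins has no authentication configured, so the authentication fails.
In practice, we do not need to pass the Authorization header to the Jenkins service at all.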
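Solution:
Modify the Nginx configuration file so that the Authorization header is removed when the request is forwarded: proxy_set_header Authorization "";
Setting a header to an empty value removes it; see the official documentation: "Module ngx_http_proxy_module/proxy_set_header".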
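The fix in context, as an added example that is not part of the official Jenkins configuration or of the original page: a reduced server block in which Nginx performs the Basic authentication and withholds the Authorization header from Jenkins. The realm text "Jenkins" and the path /etc/nginx/.htpasswd are assumptions; the upstream and server name are taken from the configuration above.

```nginx
# Added example for the http context (e.g. a file under conf.d/).
upstream jenkins {
    keepalive 32;
    server 127.0.0.1:8080;
}

server {
    listen      80;
    server_name jenkins.example.com;

    location / {
        # Nginx checks the credentials itself.
        # Realm text and file path are assumptions for this example.
        auth_basic           "Jenkins";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass         http://jenkins;
        proxy_http_version 1.1;

        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   Connection        "";

        # Empty value: the header is not passed to the upstream, so
        # Jenkins never sees the credentials meant for Nginx.
        # This line must sit in the same block as the other
        # proxy_set_header lines. A copy at server level would not be
        # inherited, because this location defines proxy_set_header
        # directives of its own.
        proxy_set_header   Authorization     "";
    }
}
```

With the header cleared, clients that authenticate to Jenkins itself over HTTP Basic (for example with an API token) can no longer do so through this proxy. Basic credentials are only base64-encoded, so a listener that asks for them should be served over TLS rather than plain port 80.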
References
Running Jenkins behind Nginx
Wikipedia/Basic access authentication
Hide a client request header with a Nginx reverse proxy server
How to define the basic HTTP authentication using cURL correctly?