[JIRA] (JENKINS-52764) Improve crumb compatibility with Azure Application Gateway


michael@supermathie.net (JIRA)

Jul 26, 2018, 11:48:03 PM
to jenkinsc...@googlegroups.com
Michael Brown created an issue
 
Jenkins / Improvement JENKINS-52764
Improve crumb compatibility with Azure Application Gateway
Issue Type: Improvement
Assignee: Unassigned
Components: core
Created: 2018-07-27 03:47
Environment: Azure
Priority: Minor
Reporter: Michael Brown

When Jenkins is behind an Azure Application Gateway it gets the proper header for the remote user passed to it - a complete header example is below:

POST /job/deploy-job/build?delay=0sec HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-CA,en-GB;q=0.9,en-US;q=0.8,en;q=0.7,fr;q=0.6
Host: build.something
Max-Forwards: 10
Referer: https://build.something/job/deploy-job/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36
Origin: https://build.something
Jenkins-Crumb: 0a6b7215318cfcfea7e8be0bfd7bc1a6
X-Prototype-Version: 1.7
X-Requested-With: XMLHttpRequest
DNT: 1
X-FORWARDED-PROTO: https
X-FORWARDED-PORT: 443
X-ORIGINAL-HOST: build.something
SEC-WEBSOCKET-EXTENSIONS:
X-Original-URL: /job/deploy-job/build?delay=0sec
X-Forwarded-For: 198.2.2.249:60769
X-ARR-SSL: 2048|256|CN=*.something|CN=*.something
X-ARR-LOG-ID: a5a03579-302d-494a-a2c5-089d51026283
Content-Length: 0

HOWEVER the remote port is also included:

X-Forwarded-For: 198.2.2.249:60769

and since the remote port changes with every request, the crumbs are never seen as valid.

Jenkins should support stripping the port from the remote IP if present.

I don't know what the Azure Application Gateway does for IPv6 since it doesn't support that yet.

Related to (but not the same as) https://issues.jenkins-ci.org/browse/JENKINS-50767 as this is behind an Application Gateway (L7 proxy) rather than a Load Balancer.

This message was sent by Atlassian JIRA (v7.10.1#710002-sha1:6efc396)
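
Added example, not part of the original thread and not Jenkins code: a simplified model of a crumb bound to the client address, showing why a per-request port in X-Forwarded-For breaks validation and how stripping the port restores it. The HMAC-SHA-256 construction, salt, user name and function names are assumptions for illustration; the second port and the IPv6 forms are constructed inputs.

```python
import hashlib
import hmac
import ipaddress

SALT = b"constructed-demo-salt"  # constructed value, not a real Jenkins secret


def strip_port(entry: str) -> str:
    """Return the bare IP from one X-Forwarded-For entry, dropping any port.

    Accepts '198.2.2.249', '198.2.2.249:60769', '2001:db8::1' and
    '[2001:db8::1]:443'. Raises ValueError if no valid IP remains.
    """
    entry = entry.strip()
    if entry.startswith("["):            # bracketed IPv6, optional :port
        host, sep, rest = entry[1:].partition("]")
        if not sep or (rest and not (rest[0] == ":" and rest[1:].isdigit())):
            raise ValueError(f"malformed address: {entry!r}")
    elif entry.count(":") == 1:          # IPv4:port (bare IPv6 has 2+ colons)
        host, _, port = entry.partition(":")
        if not port.isdigit():
            raise ValueError(f"malformed port: {entry!r}")
    else:                                # bare IPv4 or bare IPv6
        host = entry
    return str(ipaddress.ip_address(host))  # validates and canonicalises


def client_ip(xff_header: str, normalise: bool) -> str:
    """First X-Forwarded-For entry, optionally with the port removed."""
    first = xff_header.split(",")[0].strip()
    return strip_port(first) if normalise else first


def crumb(user: str, xff_header: str, normalise: bool) -> str:
    """Model crumb (assumed construction): keyed hash of user and client IP."""
    msg = f"{user};{client_ip(xff_header, normalise)}".encode()
    return hmac.new(SALT, msg, hashlib.sha256).hexdigest()


def crumb_valid(issued_xff: str, submitted_xff: str, normalise: bool,
                user: str = "demo-user") -> bool:
    """True if a crumb issued on one request still matches on the next."""
    issued = crumb(user, issued_xff, normalise)
    return hmac.compare_digest(issued, crumb(user, submitted_xff, normalise))


if __name__ == "__main__":
    a, b = "198.2.2.249:60769", "198.2.2.249:60770"  # same client, new port
    print("raw header:   ", crumb_valid(a, b, normalise=False))
    print("port stripped:", crumb_valid(a, b, normalise=True))
```

Binding the crumb to X-Forwarded-For is only meaningful when the header is set or overwritten by the trusted proxy rather than passed through from the client.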

michael@supermathie.net (JIRA)

Jul 26, 2018, 11:48:03 PM
to jenkinsc...@googlegroups.com
Michael Brown updated an issue
Change By: Michael Brown

michael@supermathie.net (JIRA)

Jul 26, 2018, 11:51:01 PM
to jenkinsc...@googlegroups.com
Michael Brown commented on Improvement JENKINS-52764
 
Re: Improve crumb compatibility with Azure Application Gateway

Note that I am not 100% sure that removing the port solves the problem, since the change I made to get it working was enabling excludeClientIPFromCrumb, but I think that's a reasonable assumption.

dbeck@cloudbees.com (JIRA)

Jul 27, 2018, 11:31:01 AM
to jenkinsc...@googlegroups.com

Checking 'proxy compatibility' should make this work already (as the previous comment indicates), so doesn't seem to be a big deal.

michael@supermathie.net (JIRA)

Jul 30, 2018, 10:21:02 AM
to jenkinsc...@googlegroups.com

Yes, it will make this work already; however, knowing why something fails is useful, plus using "proxy compatibility" reduces security.

The biggest indication around using the proxy compatibility option is when the XFF header isn't passed to Jenkins, but it is here and that left me to investigate for a lot longer around why it wasn't working when by appearances, it should have been.

mtmargala@gmail.com (JIRA)

Jun 26, 2019, 9:52:03 PM
to jenkinsc...@googlegroups.com

I attempted to enable the 'proxy compatibility' but that didn't seem to work when behind an Azure Application Gateway. Has this been resolved?

Does anyone have any other suggestions?
