
Jenkins does not redirect to HTTPS


I suggest peeking around the server.xml and finding the Connector and adding secure="true" if you are doing an HTTP proxy scheme. Redirect ports may also be involved.

    <Connector secure="true" port="8088" protocol="HTTP/1.1" URIEncoding="UTF-8"
               connectionTimeout="20000" />

For reference, we run Jenkins behind 2 Apache proxies, one external and one internal:

The relevant parts of our external vhost (jenkins.host.com):

    RequestHeader unset Authorization
    RequestHeader set Authorization "Basic (encrypted password)"
    ProxyPass / ajp://dev.internal:9101/
    ProxyPassReverse / ajp://dev.internal:9101/

The relevant parts of tomcat's server.xml:

    <Connector port="9001" protocol="HTTP/1.1" URIEncoding="UTF-8"
               connectionTimeout="20000" />
    <Connector port="9101" protocol="AJP/1.3" URIEncoding="UTF-8"/>
    <Host name="dev.internal" appBase="webapps"
          unpackWARs="true" autoDeploy="true">
      <Alias>jenkins.host.com</Alias>
      <!-- SingleSignOn valve, share authentication between web applications
           Documentation at: /docs/config/valve.html -->
      <!--
      <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
      -->
      <!-- Access log processes all example.
           Documentation at: /docs/config/valve.html
           Note: The pattern used is equivalent to using pattern="common" -->
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="dev.internal_access_log." suffix=".txt" rotatable="false"
             pattern="%h %l %u %t &quot;%r&quot; %s %b" />
    </Host>


You may need to restart the Jenkins server for the global configuration change to take effect. Jenkins CI Cookbook says (highlighting mine):

Jenkins uses Xstream (http://x-stream.github.io/) to persist its configuration into a readable XML format. The XML files in the workspace are configuration files for plugins, tasks, and an assortment of other persisted information. config.xml is the main configuration file. Security settings and global configuration are set here and reflect changes made through the GUI. Plugins use the same structure, and the XML values correspond to member values in underlying plugin classes. The GUI itself is created from XML through the Jelly framework (http://commons.apache.org/jelly/).

By restarting the server, you should be certain that any configuration changes are picked up during the initialization phase.

In addition, to make sure that no one ever accesses the Jenkins server over HTTP (e.g., stale links, typing URL manually in the browser, etc.), you can have the load balancer rewrite the http:// URLs into https:// URLs.


Edit: an earlier version of this answer incorrectly suggested the following:

Tomcat rewrite the http:// URLs to https:// URLs by using urlrewritefilter as suggested in this answer

which cannot be done because the SSL certificate resides on the load balancer which terminates the SSL connection, which means it speaks HTTP to Tomcat, so Tomcat will never see an https:// URL, so this suggestion would have caused an infinite redirect loop. (Keeping this around because otherwise the comments below won't make sense.)
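
The redirect loop described above can be reproduced in a small model; this is an added example, not part of the original answer. The function names are hypothetical, and the model assumes the load balancer forwards every request to Tomcat as plain HTTP without any forwarded-scheme header (query strings are ignored).

```python
from urllib.parse import urlsplit

MAX_HOPS = 10  # clients give up after a bounded number of redirects

def tomcat_rewrite_filter(scheme, host, path):
    """Backend rule from the retracted suggestion: redirect anything not https."""
    if scheme != "https":
        return 302, f"https://{host}{path}"
    return 200, None

def tomcat_plain(scheme, host, path):
    """Backend with no redirect rule: it just serves the page."""
    return 200, None

def load_balancer(url, backend, redirect_at_lb):
    """Terminates TLS, then talks to the backend over plain HTTP."""
    u = urlsplit(url)
    path = u.path or "/"
    if redirect_at_lb and u.scheme == "http":
        # The rewrite happens where the client's real scheme is still known.
        return 301, f"https://{u.netloc}{path}"
    # TLS is stripped here, so the backend is always called with scheme "http".
    return backend("http", u.netloc, path)

def follow(url, backend, redirect_at_lb):
    """Follow redirects like a browser; return (outcome, final_url, hops)."""
    seen = set()
    for hops in range(MAX_HOPS + 1):
        if url in seen:
            return "loop", url, hops
        seen.add(url)
        status, location = load_balancer(url, backend, redirect_at_lb)
        if status == 200:
            return "ok", url, hops
        url = location
    return "too many redirects", url, MAX_HOPS

if __name__ == "__main__":
    start = "http://jenkins.host.com/job/build/"  # constructed sample URL
    # Redirect rule inside Tomcat: it never sees https, so it redirects forever.
    print(follow(start, tomcat_rewrite_filter, redirect_at_lb=False))
    # Redirect rule at the load balancer: one hop, then the page is served.
    print(follow(start, tomcat_plain, redirect_at_lb=True))
```
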