Why does Jenkins complain that my reverse proxy setup is broken?

I was faced with this issue with Jenkins as a Windows Service Package.

According to their wiki:

Make sure the Jenkins URL configured in the System Configuration matches the URL you're using to access Jenkins.

To reach the System Configuration:

1. Go to your Jenkins page
2. Click Manage Jenkins
3. Click Configure System
4. Scroll to Jenkins Location and find Jenkins URL.

Ensure that port value matches with the port value set in the <arguments> section of the jenkins.xml file located in the Jenkins folder on your machine.

For me, the fix was to add:

RequestHeader set X-Forwarded-Proto "https"RequestHeader set X-Forwarded-Port "443"

This made it stop complaining.

Jenkins has proactive monitoring to make sure forward and reverse proxy is configured correctly. In version 1.552, these tests were improved so that incorrect proxy setups that were previously not flagged as broken are now detected. Starting with version 1.572, even Jenkins instances that do not rely on reverse proxy will display this warning.

Fixing a broken reverse proxy configuration is highly dependent on your web server and web application container, which is why there are so many other answers posted to your question. The Jenkins Wiki article on this topic, "Jenkins says my reverse proxy setup is broken", describes several ways to fix this in the comments.

From the above article:

For a reverse proxy to work correctly, it needs to rewrite both the request and the response.

But correct reverse proxying also involves one of two options, either:

1. rewriting the response; or
2. setting the X-Forwarded-Host (and perhaps X-Forwarded-Port) header on the forwarded request.

In my case, it was actually a problem with the first option, where my response rewriting was not properly encoding slashes. If you are using Apache HTTPD with Tomcat, you need to add support for encoded slashes to both servers, not just Apache HTTPD.

These are the instructions for resolving this problem in my specific case: Jenkins 2.1.41 on an Amazon Linux EC2 instance, with Apache 2.4, Tomcat 8.5 and Tomcat Connector.

In /etc/httpd/conf.d/ssl.conf add the following line for your Jenkins Host or VirtualHost:

AllowEncodedSlashes NoDecode

Add the following line to /usr/share/tomcat8/conf/catalina.properties:

org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true

Restart both services:

service httpd restartservice tomcat8 restart

Refresh your Manage Jenkins page. The warning message will be gone.

An example of implementing the second option in Apache HTTPD:

RequestHeader set X-Forwarded-Proto "https"RequestHeader set X-Forwarded-Port "443"

and for NGINX:

proxy_set_header X-Forwarded-Proto https;proxy_set_header X-Forwarded-Port 443;