[JENKINS-48089] RFC 7239 Forwarded header breaks redirects #487
Description
Environment
docker-compose.yml
version: '3.3'
services:
jenkins:
image: jenkins/jenkins:2.73.3-alpine
expose:
- '8080'
nginx:
image: nginx:1.13.6-alpine
ports:
- '20080:80'
links:
- jenkins
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro
nginx.conf
events {
}
http {
resolver 127.0.0.11 ipv6=off;
server {
listen 80;
location / {
set $jenkins http://jenkins:8080;
proxy_pass $jenkins;
proxy_redirect $jenkins/ /;
proxy_set_header Host $http_host;
proxy_set_header Connection close;
# Forwarded header: https://tools.ietf.org/html/rfc7239
proxy_set_header Forwarded "by=$server_addr:$server_port;for=$remote_addr:$remote_port;host=$http_host:$server_port;proto=$scheme";
# Non standard headers
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
}
}
}
Steps to reproduce
-
docker-compose up ```</li> <li>Open browser to <tt><em><DOCKER_HOST_IP></em>:20080</tt></li> <li>Open browser developer tools / Network trace</li> <li>At prompt, input password as seen in step #1</li> <li>Observe browser error message. In browser network trace, observe redirection with invalid URLServer: nginx/1.13.6
Date: Fri, 17 Nov 2017 16:24:21 GMT
Transfer-Encoding: chunked
Connection: keep-alive
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID.9c89714d=node010jvw2q04kspp1kvf4zgxgpif81.node0;Path=/;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://[localhost:20080]/</ol> <h4><a name="Expected%3A%28Jenkins2.60.3%29"></a>Expected: (Jenkins 2.60.3)</h4>Location: http://localhost:20080/
<h4><a name="Workaround"></a>Workaround</h4> <p>Have reverse-proxy not implement RFC 7239 <tt>Forwarded</tt> header and use non standard headers instead.</p> --- <details><summary><i>Originally reported by <a href="https://issues.jenkins.io/secure/ViewProfile.jspa?name=fchuong">fchuong</a>, imported from: <a class="no-jira-link-rewrite" href="https://issues.jenkins.io/browse/JENKINS-48089" target="_blank">RFC 7239 Forwarded header breaks redirects</a></i></summary> <i><ul> <li><b>status</b>: Open <li><b>priority</b>: Minor <li><b>component(s)</b>: winstone-jetty <li><b>label(s)</b>: reverse-proxy, winstone <li><b>resolution</b>: Unresolved <li><b>votes</b>: 1 <li><b>watchers</b>: 1 <li><b>imported</b>: 2025-11-27 </ul></i> <details><summary>Raw content of original issue</summary> <pre> <h4><a name="Environment"></a>Environment</h4> <p><tt>docker-compose.yml</tt></p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>version: '3.3' services: jenkins: image: jenkins/jenkins:2.73.3-alpine expose: - '8080' nginx: image: nginx:1.13.6-alpine ports: - '20080:80' links: - jenkins volumes: - ./nginx.conf:/etc/nginx/nginx.conf:ro </pre> </div></div> <p><tt>nginx.conf</tt></p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>events { } http { resolver 127.0.0.11 ipv6=off; server { listen 80; location / { set $jenkins http://jenkins:8080; proxy_pass $jenkins; proxy_redirect $jenkins/ /; proxy_set_header Host $http_host; proxy_set_header Connection close; # Forwarded header: https://tools.ietf.org/html/rfc7239 proxy_set_header Forwarded "by=$server_addr:$server_port;for=$remote_addr:$remote_port;host=$http_host:$server_port;proto=$scheme"; # Non standard headers proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Real-IP $remote_addr; } } } </pre> </div></div> <h4><a name="Stepstoreproduce"></a>Steps to reproduce</h4> <ol> <li><div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>docker-compose up</pre> </div></div></li> <li>Open browser to <tt><em><DOCKER_HOST_IP></em>:20080</tt></li> <li>Open browser developer tools / Network trace</li> <li>At prompt, input password as seen in step #1</li> <li>Observe browser error message. In browser network trace, observe redirection with invalid URL <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>Server: nginx/1.13.6 Date: Fri, 17 Nov 2017 16:24:21 GMT Transfer-Encoding: chunked Connection: keep-alive X-Content-Type-Options: nosniff Set-Cookie: JSESSIONID.9c89714d=node010jvw2q04kspp1kvf4zgxgpif81.node0;Path=/;HttpOnly Expires: Thu, 01 Jan 1970 00:00:00 GMT Location: http://[localhost:20080]/</pre> </div></div></li> </ol> <h4><a name="Expected%3A%28Jenkins2.60.3%29"></a>Expected: (Jenkins 2.60.3)</h4> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>Location: http://localhost:20080/ </pre> </div></div> <h4><a name="Workaround"></a>Workaround</h4> <p>Have reverse-proxy not implement RFC 7239 <tt>Forwarded</tt> header and use non standard headers instead.</p></pre> </details> </details> <details><summary><i>environment</i></summary>Docker image jenkins/jenkins:2.73.3-alpine
Docker image nginx:1.13.6-alpine
docker-compose version 1.16.1</details>