Apache reverse proxy config with SSL for Jenkins and Sonar

This page on the Jenkins wiki gives the recommended configuration for a Jenkins reverse proxy as of July 2014. The missing parameters are RequestHeader set X-Forwarded-Proto "https" and RequestHeader set X-Forwarded-Port "443".

So the configuration became

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/cert.pem
    ServerAdmin  webmaster@localhost
    ProxyRequests     Off
    ProxyPreserveHost On
    AllowEncodedSlashes NoDecode
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass         /  http://localhost:8080/ nocanon
    ProxyPassReverse  /  http://localhost:8080/
    ProxyPassReverse  /  http://www.example.com/
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
</VirtualHost>

Windows Apache Front-end setup for Jenkins

The main differences here are:

  • How to set up a temporary certificate
  • Stopping Apache whinging about not having any SSL cache

My setup:

  • Install was to d:\ (not c:\ - adapt this to your needs)

  • Jenkins is on port 8080

  • Unzip Apache httpd-2.4.18-win64-VC14.zip (from http://www.apachelounge.com/download/) to d:\

  • Install OpenSSL Win64OpenSSL_Light-1_0_2f.exe (http://slproweb.com/products/Win32OpenSSL.html) to d:\OpenSSL-Win64

  • Create the ssl certificate:

    • cd to the OpenSSL bin directory and run the magic:

       pushd d:\OpenSSL-Win64\bin
       set OPENSSL_CONF=openssl.cfg
       openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
      
  • Copy the server.* files from d:\OpenSSL-Win64\bin to D:\Apache24\conf

  • Edit d:\Apache24\conf\httpd.conf :

    • Search and replace "c:/" with "d:/"

    • After the line "Listen 80", add "Listen 443":

      Listen 80
      Listen 443
      
    • Uncomment these lines:

      LoadModule headers_module modules/mod_headers.so
      LoadModule proxy_module modules/mod_proxy.so
      LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
      LoadModule proxy_http_module modules/mod_proxy_http.so
      LoadModule rewrite_module modules/mod_rewrite.so
      LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
      LoadModule ssl_module modules/mod_ssl.so
      LoadModule vhost_alias_module modules/mod_vhost_alias.so
      
    • Update "#ServerName www.example.com:80" to:

      ServerName myserver.mydomain:80
      
    • Add this at the end:

      <IfModule socache_shmcb_module>
      SSLSessionCache "shmcb:logs/ssl_scache(512000)"
      </IfModule>
      
      <VirtualHost *:80>
        ServerName myserver
        Redirect permanent / https://myserver.mydomain/
      </VirtualHost>
      
      <VirtualHost *:80>
        ServerName myserver.mydomain
        Redirect permanent / https://myserver.mydomain/
      </VirtualHost>
      
      <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile conf/server.crt
        SSLCertificateKeyFile conf/server.key
        ServerAdmin  me@mydomain
        ProxyRequests     Off
        ProxyPreserveHost On
        AllowEncodedSlashes NoDecode
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>
        ProxyPass         /  http://localhost:8080/ nocanon
        ProxyPassReverse  /  http://localhost:8080/
        ProxyPassReverse  /  http://myserver.mydomain/
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"
      </VirtualHost>
      

I did not stop Jenkins listening on port 8080, so I can still connect if Apache fails. My objective in using HTTPS is to hide parameters.
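
A lint for the "missing parameter" case described above, as an added example that is not part of the original answers: it scans httpd configuration text for TLS virtual hosts that proxy to a plain-HTTP backend and reports any that do not set X-Forwarded-Proto to https or X-Forwarded-Port to the vhost's own port. The function names, the sample configuration, and the second vhost on port 8443 are constructed for illustration.

```python
import re

# Constructed sample: the page's TLS vhost without the two RequestHeader lines
# (the "missing parameter" case), then a complete vhost on a hypothetical :8443.
SAMPLE_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile conf/server.crt
    ProxyRequests Off
    ProxyPass         /  http://localhost:8080/ nocanon
    ProxyPassReverse  /  http://localhost:8080/
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    ProxyPass / http://localhost:9000/
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "8443"
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directives(body):
    """Return [name, arg, ...] lists for each directive line in a vhost body."""
    rows = (ln.replace('"', "").split() for ln in body.splitlines())
    return [[r[0].lower()] + r[1:] for r in rows if r and r[0][0] not in "#<"]

def check_forwarded_headers(conf_text):
    """Flag TLS vhosts that proxy to plain HTTP without passing scheme and port."""
    findings = []
    for addr, body in VHOST_RE.findall(conf_text):
        port = addr.split()[0].rpartition(":")[2]
        d = directives(body)
        tls = any([x.lower() for x in r[:2]] == ["sslengine", "on"] for r in d)
        to_http = any(r[0] == "proxypass" and
                      any(a.startswith("http://") for a in r[1:]) for r in d)
        if not (tls and to_http):
            continue
        # Only "RequestHeader set <name> <value>" lines count as forwarding.
        hdrs = {r[2].lower(): r[3] for r in d
                if r[0] == "requestheader" and len(r) >= 4 and r[1].lower() == "set"}
        if hdrs.get("x-forwarded-proto") != "https":
            findings.append((addr, "X-Forwarded-Proto is not set to https"))
        if hdrs.get("x-forwarded-port") != port:
            findings.append((addr, "X-Forwarded-Port does not match port " + port))
    return findings

if __name__ == "__main__":
    for vhost, problem in check_forwarded_headers(SAMPLE_CONF):
        print(vhost, "-", problem)
```

Pass the contents of httpd.conf (or an included vhost file) to check_forwarded_headers; an empty list means every TLS proxy vhost forwards both values.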