{jenkins-plugin-info:reverse-proxy-auth-plugin}

This plugin lets you delegate authentication to the reverse proxy that you run in front of Jenkins. It also supports authorisation, based on LDAP groups that are either loaded from an HTTP header or found by an LDAP search on the username.

This plugin is useful in an environment where you have a reverse proxy, such as Apache, already available and configured to perform the necessary user authentication. This reverse proxy must pass the authenticated user name in an HTTP header of a fixed name. With this plugin, a Jenkins instance running behind the proxy simply looks at this header and uses its value as the user name. In the newest release, version 1.3, this plugin also offers an authorisation mechanism. The user can have Role Based Matrix Authorization configured, which looks up LDAP groups that can be loaded into Jenkins either via the HTTP header groups field or via an LDAP search.

The default values for the HTTP header fields are:

  1. Header User Name: X-Forwarded-User
  2. Header Groups Name: X-Forwarded-Groups
  3. Header Groups Delimiter: |

If no LDAP server is configured, the plugin tries to take the group information from the HTTP header. When no group information can be retrieved from the header and no LDAP server is configured (for example, when the plugin is used for authentication only), the user retrieved from the header has only the Authenticated authority.

Apache Configuration Example

<VirtualHost *:80>
  ProxyPreserveHost On
  ProxyRequests     Off
  AllowEncodedSlashes NoDecode
  Timeout 5400
  ProxyTimeout 5400

  <Proxy "*">
    Order deny,allow
    Allow from all
    AuthType Basic
    AuthName "Please sign in with your Apache user name and password"
    # file created with htpasswd
    AuthUserFile /usr/local/apache2/conf/passwd
    Require valid-user

    # Remove these headers first, then set the right values below; this prevents the client from setting them
    RequestHeader unset "X-Forwarded-User"
    RequestHeader unset "X-Forwarded-Groups"
    # Remove the basic authorization header so that it is not used by Jenkins
    RequestHeader unset "Authorization"

    # Adds the X-Forwarded-User header that indicates the current user name.
    # this portion came from http://old.nabble.com/Forcing-a-proxied-host-to-generate-REMOTE_USER-td2911573.html#a2914465
    RewriteEngine On

    # User to use to login in Jenkins
    RequestHeader set "X-Forwarded-User" "%{RU}e"
    # Groups are separated by |
    RequestHeader set "X-Forwarded-Groups" "%{RU}e|users"

    # strip the REALM of Kerberos Login
    # RequestHeader edit X-Forwarded-User "@REALM$" ""

    # see the Apache documentation on why this has to be lookahead
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    # this actually doesn't rewrite anything. what we do here is to set RU to the match above
    # "NS" prevents flooding the error log
    RewriteRule .* - [E=RU:%1,NS]
  </Proxy>

  # send you to the Jenkins instance
  ProxyPass "/jenkins" "http://jenkins.example.com:8282/jenkins" nocanon
  ProxyPassReverse "/jenkins" "http://jenkins.example.com:8282/jenkins"
</VirtualHost>
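
Because Jenkins takes the user and group names from these headers as they arrive, the proxy has to strip or overwrite whatever the client sent. The following check is an added example, not part of the plugin or of the original page: it reads an Apache configuration as flat text and reports, for each of the two default header names, whether a client-supplied value would survive. The function names and the sample fragments are constructed for illustration, and the check ignores section nesting and merge order.

```python
import shlex

# Default header names listed on this page; the proxy must own both.
TRUSTED_HEADERS = ("X-Forwarded-User", "X-Forwarded-Groups")
SAFE = ("stripped", "overwritten")

def _conditional(tokens, fixed_args):
    """True if an env=/expr= condition follows, so the directive may not run."""
    return any(t.lower() != "early" for t in tokens[fixed_args:])

def audit_request_headers(config_text, trusted=TRUSTED_HEADERS):
    """Map each trusted header to what the proxy does with a client-sent copy."""
    state = {h.lower(): "passthrough" for h in trusted}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.lower().startswith("requestheader"):
            continue  # skips blanks, comments and every other directive
        tokens = shlex.split(line)
        if len(tokens) < 3 or tokens[2].lower() not in state:
            continue
        action, header = tokens[1].lower(), tokens[2].lower()
        if action == "unset" and not _conditional(tokens, 3):
            state[header] = "stripped"
        elif action == "set" and not _conditional(tokens, 4):
            state[header] = "overwritten"
        elif action in ("add", "append", "merge", "setifempty") and state[header] not in SAFE:
            state[header] = "client value kept"
    return {h: state[h.lower()] for h in trusted}

def proxy_owns_headers(config_text):
    return all(v in SAFE for v in audit_request_headers(config_text).values())

# Constructed sample fragments (not taken from a real deployment).
GOOD = '''
RequestHeader unset "X-Forwarded-User"
RequestHeader unset "X-Forwarded-Groups"
RequestHeader set "X-Forwarded-User" "%{RU}e"
RequestHeader set "X-Forwarded-Groups" "%{RU}e|users"
'''
WEAK = '''
RequestHeader set "X-Forwarded-User" "%{RU}e"
RequestHeader setifempty "X-Forwarded-Groups" "users"
'''

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_request_headers(cfg))
```

A header reported as "passthrough" or "client value kept" reaches Jenkins with whatever the client put in it, which matters most for the groups header when no LDAP server is configured.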

Notes

Jenkins says my reverse proxy setup is broken...

Changelog

Version 1.6.3 (2018, Feb 07)

Version 1.6.2 (2018 January 30)

Version 1.6.1 (2018 January 29)

Version 1.6.0 (2018 January 29)

Version 1.5 (2016 January 22)

For more details, please check the closed pull requests on GitHub: https://github.com/jenkinsci/reverse-proxy-auth-plugin/pulls

Version 1.4.0 (2014 May 27)

Version 1.3.3 (2014 March 14)

Version 1.3.2 (2014 March 5)

Version 1.3.1 (2014 January 8)

Version 1.3 (2014 January 7)

Version 1.2 (2013 December 20)

Version 1.0.1 (2013 May 7)

Version 1.0 (2011 March 26)