timja / jenkins-gh-issues-poc-06-18


[JENKINS-52764] Improve crumb compatibility with Azure Application Gateway #9987

Open timja opened 6 years ago

timja commented 6 years ago

When Jenkins is behind an Azure Application gateway it gets the proper header for the remote user passed to it - a complete header example is below:

POST /job/deploy-job/build?delay=0sec HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-CA,en-GB;q=0.9,en-US;q=0.8,en;q=0.7,fr;q=0.6
Host: build.something
Max-Forwards: 10
Referer: https://build.something/job/deploy-job/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36
Origin: https://build.something
Jenkins-Crumb: 0a6b7215318cfcfea7e8be0bfd7bc1a6
X-Prototype-Version: 1.7
X-Requested-With: XMLHttpRequest
DNT: 1
X-FORWARDED-PROTO: https
X-FORWARDED-PORT: 443
X-ORIGINAL-HOST: build.something
SEC-WEBSOCKET-EXTENSIONS: 
X-Original-URL: /job/deploy-job/build?delay=0sec
X-Forwarded-For: 198.2.2.249:60769
X-ARR-SSL: 2048|256|CN=*.something|CN=*.something
X-ARR-LOG-ID: a5a03579-302d-494a-a2c5-089d51026283
Content-Length: 0

HOWEVER the remote port is also included:

X-Forwarded-For: 198.2.2.249:60769

and since the remote port changes with every request, the crumbs are never seen as valid.

Jenkins should support stripping the port from the remote IP if present.

I don't know what the Azure Application Gateway does for IPv6 since it doesn't support that yet.

Related to (but not the same as) https://issues.jenkins-ci.org/browse/JENKINS-50767 as this is behind an Application Gateway (L7 proxy) rather than a Load Balancer.


Originally reported by supermathie, imported from: Improve crumb compatibility with Azure Application Gateway
  • status: Open
  • priority: Minor
  • resolution: Unresolved
  • imported: 2022/01/10
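The failure described in the report, as an added example that is not Jenkins' own code: a toy crumb that folds the client address into an HMAC (a model of, not a copy of, Jenkins' crumb issuer), a normaliser that strips the port from an X-Forwarded-For value, and a check showing that the same client's crumb only survives a change of ephemeral port once the port is stripped or the client IP is left out of the crumb. The secret, user name and session id are constructed values.

```python
import hashlib
import hmac
import ipaddress
from typing import Callable, Optional

# Constructed server secret; stands in for whatever a real crumb issuer keys on.
SECRET = b"constructed-server-secret"


def strip_port(forwarded_for: str) -> str:
    """Return the client address from an X-Forwarded-For value, minus any port.

    Handles 'ip:port', '[v6]:port', bare IPv4, bare IPv6 and comma-separated
    chains (the first entry is the client).  An unbracketed IPv6 address
    followed by a port is ambiguous and is treated as a bare address."""
    first = forwarded_for.split(",")[0].strip()
    if first.startswith("["):                 # bracketed IPv6, with or without port
        host = first[1:first.index("]")]
    elif first.count(":") == 1:               # IPv4:port
        host = first.rsplit(":", 1)[0]
    else:                                     # bare IPv4 or bare IPv6
        host = first
    return str(ipaddress.ip_address(host))    # raises ValueError on garbage input


def crumb(user: str, session_id: str, client_ip: Optional[str]) -> str:
    """Model crumb: HMAC over user, session and (optionally) client address.
    client_ip=None models the 'exclude client IP from crumb' setting."""
    parts = [user, session_id] + ([client_ip] if client_ip is not None else [])
    return hmac.new(SECRET, ":".join(parts).encode(), hashlib.sha256).hexdigest()[:32]


def crumb_valid_across_requests(xff_issue: str, xff_submit: str,
                                normalize: Callable[[str], Optional[str]]) -> bool:
    """Issue a crumb on one request and validate it on the next one, deriving
    the client address from X-Forwarded-For with `normalize`."""
    issued = crumb("alice", "sess-1", normalize(xff_issue))
    expected = crumb("alice", "sess-1", normalize(xff_submit))
    return hmac.compare_digest(issued, expected)


if __name__ == "__main__":
    # Constructed: same client, new ephemeral source port on the second request.
    first, second = "198.2.2.249:60769", "198.2.2.249:60770"
    print(crumb_valid_across_requests(first, second, lambda v: v))   # False: port baked in
    print(crumb_valid_across_requests(first, second, strip_port))    # True
```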
timja commented 6 years ago

supermathie:

Note that I am not 100% sure that removing the port solves the problem since the change I made to get it working was enabling excludeClientIPFromCrumb, but I think that's a reasonable assumption.

timja commented 6 years ago

danielbeck:

Checking 'proxy compatibility' should make this work already (as the previous comment indicates), so doesn't seem to be a big deal.

timja commented 6 years ago

supermathie:

Yes, it will make this work already, however knowing why something fails is useful, plus using "proxy compatibility" reduces security.

The biggest indication around using the proxy compatibility option is when the XFF header isn't passed to Jenkins, but it is here and that left me to investigate for a lot longer around why it wasn't working when by appearances, it should have been.

timja commented 5 years ago

mtmargala:

I attempted to enable the 'proxy compatibility' but that didn't seem to work when behind an Azure Application Gateway. Has this been resolved?

Does anyone have any other suggestions?