Jenkins:如何在 Nginx 反向代理后面配置 Jenkins 让 JNLP 从站连接 [英] Jenkins: How to configure Jenkins behind Nginx reverse proxy for JNLP slaves to connect

问题描述

我正在尝试设置一个 Jenkins 主节点和一个 Jenkins 从节点，其中 Jenkins 主节点位于具有 SSL 终止的不同服务器上的 Nginx 反向代理之后.nginx配置如下:

I am trying to set up a Jenkins master and a Jenkins slave node where the Jenkins Master is behind Nginx reverse proxy on a different server with SSL termination. The nginx configuration is as following:

upstream jenkins {
  server <server ip>:8080 fail_timeout=0;
}

server {
  listen 443 ssl;
  server_name jenkins.mydomain.com;
  ssl_certificate /etc/nginx/certs/mydomain.crt;
  ssl_certificate_key /etc/nginx/certs/mydomain.key;

  location / {
    proxy_set_header        Host $host:$server_port;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_redirect          http:// https://;
    proxy_pass              http://jenkins;
  }
}

server {
  listen 80;
  server_name jenkins.mydomain.com;
  return 301 https://$server_name$request_uri;
}

JNLP 代理的 TCP 端口在 Jenkins 主全局安全配置中设置为 50000.端口 50000 设置为可从主机上的任何位置访问.

The TCP port for JNLP agents is set as 50000 in Jenkins master Global Security configuration. Port 50000 is set to be accessible from anywhere on the host machine.

使用以下命令启动 JNLP 从站:

The JNLP slave is launched with the following command:

java -jar slave.jar -jnlpUrl https://jenkins.mydomain.com/computer/slave-1/slave-agent.jnlp -secret <secret>

JNLP 从站无法连接到主站上配置的 JNLP 端口:

The JNLP slave fails to connect to the configured JNLP port on the master:

INFO: Connecting to jenkins.mydomain.com:50000 (retrying:4)
java.net.ConnectException: Connection timed out
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
        at java.net.Socket.connect(Socket.java:589)
        at java.net.Socket.connect(Socket.java:538)
        at hudson.remoting.Engine.connect(Engine.java:400)
        at hudson.remoting.Engine.run(Engine.java:298)

JNLP slave 连接 Jenkins master 需要什么配置?

What is the configuration required for the JNLP slave to connect to the Jenkins master?

推荐答案

JNLP 端口似乎使用的是二进制协议，而不是基于文本的 HTTP 协议，所以很遗憾它不能像正常一样通过 NGINX 进行反向代理Jenkins 页面可以.

The JNLP port seems to use a binary protocol, not a text-based HTTP protocol, so unfortunately it can't be reverse-proxied through NGINX like the normal Jenkins pages can be.

相反，您应该:

1. 配置全局安全性 > 选中启用安全性"并设置固定JNLP 从属代理的 TCP 端口".这将导致所有 Jenkins 页面发出指定此端口的额外 HTTP 标头:X-Hudson-CLI-Port，X-Jenkins-CLI-Port、X-Jenkins-CLI2-Port.

1. Configure Global Security > Check "Enable security" and set a Fixed "TCP port for JNLP slave agents". This will cause all Jenkins pages to emit extra HTTP headers specifying this port: X-Hudson-CLI-Port, X-Jenkins-CLI-Port, X-Jenkins-CLI2-Port.

允许你的固定 TCP JNLP端口通过任何防火墙，以便 CLI 客户端和 JNLP 代理可以直接到达后端的Jenkins服务器.

Allow your fixed TCP JNLP port through any firewall(s) so CLI clients and JNLP agents can directly reach the Jenkins server on the backend.

将系统属性 hudson.TcpSlaveAgentListener.hostName 设置为后端 Jenkins 服务器的主机名或 IP 地址.这将导致所有页面发出额外的 HTTP 标头(X-Jenkins-CLI-Host) 包含这个指定的主机名.这告诉CLI 客户端连接到哪里，但应该不是 JNLP 代理.

Set the system property hudson.TcpSlaveAgentListener.hostName to the hostname or IP address of your Jenkins server on the backend. This will cause all pages to emit an extra HTTP header (X-Jenkins-CLI-Host) containing this specified hostname. This tells CLI clients where to connect, but supposedly not JNLP agents.

对于您在节点列表中的每个构建从机jenkins.mydomain.com/computer/ 使用Launch方法Launch slave agent via Java Web Start"，点击计算机，点击Configure，点击Launch下右侧的Advanced...按钮方法，并适当设置隧道连接通过"字段.阅读问号帮助.您可能只需要HOST:"语法，其中 HOST 是后端 Jenkins 服务器的主机名或 IP 地址.

For each of your build slave machines in the list of nodes at jenkins.mydomain.com/computer/ that uses the Launch method "Launch slave agents via Java Web Start", click the computer, click Configure, click the Advanced... button on the right side under Launch method, and set the "Tunnel connection through" field appropriately. Read the question mark help. You probably just need the "HOST:" syntax, where HOST is the hostname or IP address of your Jenkins server on the backend.

参考文献:

• https://issues.jenkins-ci.org/browse/JENKINS-11982
• https://support.cloudbees.com/hc/en-us/articles/218097237-How-to-troubleshoot-JNLP-slaves-connection-issues-with-Jenkins
• https://wiki.jenkins-ci.org/display/JENKINS/詹金斯+CLI

这篇关于Jenkins:如何在 Nginx 反向代理后面配置 Jenkins 让 JNLP 从站连接的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！