That was it! Adding proxy_buffering off helped.
For reference, here is my SSL vhost definition:
server {
listen 443 ssl;
server_name jenkins.my-domain;
ssl_certificate ssl/my-domain.crt;
ssl_certificate_key ssl/my-domain.key;
ssl_dhparam ssl/dhparam-2048.pem;
add_header Strict-Transport-Security "max-age=31536000;
includeSubDomains";
add_header X-Frame-Options SAMEORIGIN;
access_log /var/log/nginx/jenkins.my-domain.access.log;
error_log /var/log/nginx/jenkins.my-domain.error.log;
location / {
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect http:// https://;
proxy_pass http://jenkins;
# Required for new HTTP-based CLI
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_buffering off;
# workaround for
https://issues.jenkins-ci.org/browse/JENKINS-45651
# not used for this installation
#add_header 'X-SSH-Endpoint' 'jenkins.my-domain:22' always;
}
}
On Friday, October 27, 2017 at 6:56:55 AM UTC+9, Devin Nusbaum wrote:
>
> Some comments on https://issues.jenkins-ci.org/browse/JENKINS-43666 suggest
> that proxy_buffering off; is needed for SSL connections. (I was also
> testing nginx reverse proxies in the past and have that setting in my SSL
> config; might have forgotten to update the SSL docs with my findings) Try
> setting that option, and if it works I can update the SSL section of the
> wiki page.
>
> On Oct 26, 2017, at 5:43 PM, 'Tomasz Chmielewski' via Jenkins Users <
> jenkins...@googlegroups.com <javascript:>> wrote:
>
> nginx vhost is almost the exact copy of the vhost on
> https://wiki.jenkins.io/display/JENKINS/Jenkins+behind+an+NGinX+reverse+proxy:
>
> upstream jenkins {
> server 127.0.0.1:8080 fail_timeout=0;
> }
>
> server {
>
> listen 80;
> server_name jenkins.my-domain;
>
> add_header X-Frame-Options SAMEORIGIN;
> include /etc/nginx/release.conf;
>
> access_log /var/log/nginx/redirects-access.log vhosts;
> error_log /var/log/nginx/redirects-error.log;
>
> rewrite ^ https://$host$request_uri? permanent;
> }
>
>
> server {
>
> listen 443 ssl;
>
> server_name jenkins.my-domain;
>
> ssl_certificate ssl/my-domain.crt;
> ssl_certificate_key ssl/my-domain.key;
> ssl_dhparam ssl/dhparam-2048.pem;
> add_header Strict-Transport-Security "max-age=31536000;
> includeSubDomains";
> add_header X-Frame-Options SAMEORIGIN;
>
> access_log /var/log/nginx/jenkins.my-domain.access.log;
> error_log /var/log/nginx/jenkins.my-domain.error.log;
>
> location / {
> proxy_set_header Host $host:$server_port;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
> proxy_set_header X-Forwarded-Proto $scheme;
> proxy_redirect http:// https://;
> proxy_pass http://jenkins;
> # Required for new HTTP-based CLI
> proxy_http_version 1.1;
> proxy_request_buffering off;
> # workaround for
> https://issues.jenkins-ci.org/browse/JENKINS-45651
> add_header 'X-SSH-Endpoint' 'jenkins.my-domain:22' always;
> }
> }
>
>
> So either I'm blind, or the documentation is somehow wrong?
>
> And indeed, I can see "java.io.IOException: HTTP full-duplex channel
> timeout" in jenkins log.
>
> This one indeed works:
>
> java -jar jenkins-cli.jar -s http://localhost:8080 <https://jenkins-url/>
> -auth
> user:pass help offline-node
>
> But since I need to execute it from remote, I'd rather connect to
> https://jenkins.my-domain
>
>
> On Friday, October 27, 2017 at 6:26:39 AM UTC+9, Devin Nusbaum wrote:
>>
>> Make sure to follow
>> https://wiki.jenkins.io/display/JENKINS/Running+Jenkins+behind+Nginx if
>> Nginx is configured as a a reverse proxy.
>>
>> Notably proxy_http_version 1.1; and proxy_request_buffering off; are
>> required for your version of Jenkins. (If your Jenkins logs at the time you
>> try to connect via CLI have errors that say something to the effect
>> of “Full-duplex channel timeout” then I expect those settings to fix it.)
>>
>> On Oct 26, 2017, at 5:18 PM, 'Tomasz Chmielewski' via Jenkins Users <
>> jenkins...@googlegroups. <http://googlegroups.com/>com
>> <http://googlegroups.com/>> wrote:
>>
>> Except... it doesn't seem to work.
>>
>> $ java -jar jenkins-cli.jar -s https://jenkins-url -auth user:pass help
>> offline-node
>> $ echo $?
>> 255
>>
>> In nginx log:
>>
>> 10.11.0.8 - user [26/Oct/2017:21:11:51 +0000] "GET / HTTP/1.1" 200 150393
>> "-" "Java/1.8.0_131"
>> 10.11.0.8 - user [26/Oct/2017:21:11:52 +0000] "GET
>> /crumbIssuer/api/xml/?xpath=concat(//crumbRequestField,\x22:\x22,//crumb)
>> HTTP/1.1" 404 335 "-" "Java/1.8.0_131"
>> 10.11.0.8 - user [26/Oct/2017:21:12:07 +0000] "POST /cli?remoting=false
>> HTTP/1.1" 200 11 "-" "Java/1.8.0_131"
>> 10.11.0.8 - user [26/Oct/2017:21:12:07 +0000] "POST /cli?remoting=false
>> HTTP/1.1" 500 13912 "-" "Java/1.8.0_131"
>>
>> How do I debug this?
>>
>>
>>
>> On Friday, October 27, 2017 at 6:07:03 AM UTC+9, Tomasz Chmielewski wrote:
>>>
>>> Got it, thanks:
>>>
>>> https://wiki.jenkins.io/display/JENKINS/Jenkins+CLI
>>>
>>> On Friday, October 27, 2017 at 5:57:18 AM UTC+9, Robert Hales wrote:
>>>>
>>>> You have to use the Jenkins CLI. I guess that can be a bit confusing.
>>>> It isn't a script available to run at the command line. Jenkins has their
>>>> own CLI. If you google for it, you will find the details pretty easily.
>>>>
>>>> On Thursday, October 26, 2017 at 2:55:07 PM UTC-6, Tomasz Chmielewski
>>>> wrote:
>>>>>
>>>>> Hmm, where do I find "offline-node" command?
>>>>>
>>>>> root@jenkins:~# dpkg -L jenkins
>>>>> /.
>>>>> /usr
>>>>> /usr/share
>>>>> /usr/share/doc
>>>>> /usr/share/doc/jenkins
>>>>> /usr/share/doc/jenkins/changelog.gz
>>>>> /usr/share/doc/jenkins/copyright
>>>>> /usr/share/jenkins
>>>>> /usr/share/jenkins/jenkins.war
>>>>> /etc
>>>>> /etc/logrotate.d
>>>>> /etc/logrotate.d/jenkins
>>>>> /etc/default
>>>>> /etc/default/jenkins
>>>>> /etc/init.d
>>>>> /etc/init.d/jenkins
>>>>> /var
>>>>> /var/cache
>>>>> /var/cache/jenkins
>>>>> /var/lib
>>>>> /var/lib/jenkins
>>>>> /var/log
>>>>> /var/log/jenkins
>>>>>
>>>>> root@jenkins:~# find / -name offline-node
>>>>>
>>>>> root@jenkins:~#
>>>>>
>>>>> root@jenkins:~# dpkg -l | grep jenkins
>>>>> ii jenkins 2.73.2 (...)
>>>>>
>>>>>
>>>>>
>>>>> On Friday, October 27, 2017 at 12:21:17 AM UTC+9, Robert Hales wrote:
>>>>>>
>>>>>> In the CLI, use the 'offline-node' command. Another useful command in
>>>>>> what it looks like you want to do might be "wait-offline-node".
>>>>>>
>>>>>> You could also create a groovy script to do it and run that from the
>>>>>> REST API.
>>>>>>
>>>>>> On Thursday, October 26, 2017 at 3:35:29 AM UTC-6, Tomasz Chmielewski
>>>>>> wrote:
>>>>>>>
>>>>>>> Is there a CLI/scripted way to stop scheduling any new builds on a
>>>>>>> given node?
>>>>>>>
>>>>>>> Basically, any builds currently running on a given node should
>>>>>>> continue to run until they are finished -- and no new builds should be
>>>>>>> started.
>>>>>>>
>>>>>>> Think of "retiring" a node, and replacing it with a new one -- but
>>>>>>> allowing any existing jobs to finish gracefully.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Tomasz Chmielewski
>>>>>>> https://lxadm.com
>>>>>>>
>>>>>>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Jenkins Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to jenkinsci-users+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/jenkinsci-users/a19302b1-6ed1-44bb-b65b-28868a64708b%40googlegroups.com
>>
>> <https://groups.google.com/d/msgid/jenkinsci-users/a19302b1-6ed1-44bb-b65b-28868a64708b%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>>
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-users+unsubscr...@googlegroups.com <javascript:>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-users/476c0ec2-753f-45bd-944b-2f9dcf60deae%40googlegroups.com
>
> <https://groups.google.com/d/msgid/jenkinsci-users/476c0ec2-753f-45bd-944b-2f9dcf60deae%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>
>
>
--
You received this message because you are subscribed to the Google Groups
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-users/cb454333-dddf-4186-ac97-66550f856454%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
