Don’t know how the connection flow works between client masters and the OC instance


The connection flow is as follows:

  1. Client master sends HEAD request to CJOC root URL
  2. Client master parses HEAD response headers looking for X-Jenkins-CLI2-Port and optionally X-Jenkins-CLI-Host.
  3. Client master initiates a TCP connection to the port specified in X-Jenkins-CLI2-Port against the host specified in X-Jenkins-CLI-Host (or the host from the CJOC root URL if the X-Jenkins-CLI-Host header is absent)

So if you want a minimal gateway between the CJOC network and the Client master network, you need to do the following:

  1. Configure haproxy to proxy HEAD requests against the root URL of CJOC, accepting them only from the Client master network [or fake the response by providing the X-Jenkins, X-Jenkins-CLI2-Port (and optionally X-Jenkins-CLI-Host) headers with a 200 or 403 response code]
  2. Configure haproxy with mode TCP to proxy the JNLP/CLI2 port from hosts in the Client master network to CJOC only
  3. Configure DNS in the Client master network to resolve the CJOC hostname to the host running haproxy
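
A sketch of the proxying variant of steps 1 and 2 as a haproxy configuration. This is an added example, not a configuration from CloudBees. The addresses (documentation ranges), the HTTP ports, the CJOC root path / and the JNLP/CLI2 port 50000 are assumptions to replace with your own values.

```haproxy
# Assumed values (constructed for this example):
#   192.0.2.0/24       Client master network
#   198.51.100.10      CJOC host (HTTP on 8080)
#   50000              port CJOC advertises in X-Jenkins-CLI2-Port

defaults
    timeout connect 5s
    # The JNLP/CLI2 link is long-lived; tune these to your environment.
    timeout client  1h
    timeout server  1h

# Step 1: only HEAD on the CJOC root URL, only from the Client master network.
frontend cjoc_http
    mode http
    bind :80
    acl from_client_masters src 192.0.2.0/24
    acl is_head             method HEAD
    acl is_root             path /          # use the CJOC root path if it is not /
    http-request deny unless from_client_masters is_head is_root
    default_backend cjoc_http_be

backend cjoc_http_be
    mode http
    server cjoc 198.51.100.10:8080

# Step 2: raw TCP pass-through for the JNLP/CLI2 port.
# The bind port must equal the value in X-Jenkins-CLI2-Port, because the
# Client master connects to that port on the host it resolved for CJOC.
frontend cjoc_jnlp
    mode tcp
    bind :50000
    acl from_client_masters src 192.0.2.0/24
    tcp-request connection reject unless from_client_masters
    default_backend cjoc_jnlp_be

backend cjoc_jnlp_be
    mode tcp
    server cjoc 198.51.100.10:50000
```

If CJOC returns X-Jenkins-CLI-Host, the Client master opens the TCP connection to that host instead of the one in the root URL, so the header must either be absent or name the haproxy host for step 2 to carry the traffic.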

