Issue
- Navigation within Jenkins often fails with the error: No valid crumb was included in request
Environment
- CloudBees CI (CloudBees Core)
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
- CloudBees CI (CloudBees Core) on traditional platforms - Client controller
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
- CloudBees Jenkins Platform - Client controller
- CloudBees Jenkins Platform - Operations Center
- CloudBees Jenkins Distribution
- Jenkins LTS
Explanation
Jenkins comes with a CSRF protection feature that is enabled by default. One of the security checks carried out by this feature is a strict IP check on the source of the incoming HTTP/S requests. It is based on the client IP of the request and the value of the X-FORWARDED-FOR header.
In some environments this check fails and causes the error "No valid crumb was included in request", for example when a proxy does not preserve the client IP, or when the X-FORWARDED-FOR header is set but misconfigured.
For more information, have a look at the DefaultCrumbIssuer.
Resolution
In most cases, the problem is related to the proxy configuration. Ensure that:
- the proxy preserves the client IP
- the X-FORWARDED-FOR header is properly set
Note
A typical case is when Jenkins is running inside Kubernetes. If Jenkins is running in Kubernetes with an Ingress Controller that is backed by a NodePort / LoadBalancer service, make sure that this Service is configured with externalTrafficPolicy: Local so that it preserves the client IP.
Workaround
If changing the proxy configuration is not an option, a workaround is to disable the client IP check of the Crumb Issuer in Jenkins (labelled as "Proxy Compatibility" in the UI). Note that this is considered unsafe since it disables a security check:
- Go to Manage Jenkins > Configure Global Security > CSRF Protection
- Tick the Enable proxy compatibility option
- Save the configuration
This may also be set on Jenkins startup via the system property -Djenkins.model.Jenkins.crumbIssuerProxyCompatibility=true
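To make the failure in the Explanation and the effect of the Workaround concrete, here is an added example (not Jenkins' own DefaultCrumbIssuer code) that models a crumb bound to the session and the observed client IP; the HMAC construction, the Request fields and the addresses (203.0.113.7 client, 10.0.0.1 / 10.0.0.2 proxy nodes) are assumptions constructed for the illustration. It shows a crumb issued via one proxy node being rejected via another when the client IP is not preserved, accepted when X-Forwarded-For carries the client, and accepted regardless once proxy compatibility drops the IP from the binding.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    session_id: str
    remote_addr: str                 # source address the server socket sees
    x_forwarded_for: Optional[str]   # X-Forwarded-For header value, if any
    crumb: Optional[str] = None


class CrumbIssuer:
    """Simplified model (assumption, not Jenkins' code): the crumb is an HMAC
    over the session id and, unless proxy compatibility is on, the client IP."""

    def __init__(self, proxy_compatibility: bool = False):
        self.proxy_compatibility = proxy_compatibility
        self.secret = secrets.token_bytes(32)  # per-instance secret, constructed here

    def client_ip(self, req: Request) -> str:
        # First hop listed in X-Forwarded-For wins; otherwise the socket address
        if req.x_forwarded_for:
            return req.x_forwarded_for.split(",")[0].strip()
        return req.remote_addr

    def issue(self, req: Request) -> str:
        material = req.session_id
        if not self.proxy_compatibility:
            material += ":" + self.client_ip(req)   # the strict IP binding
        return hmac.new(self.secret, material.encode(), hashlib.sha256).hexdigest()

    def validate(self, req: Request) -> bool:
        # Recomputed from the current request: a changed observed IP breaks it
        return req.crumb is not None and hmac.compare_digest(req.crumb, self.issue(req))


def check_through_proxy(issuer: CrumbIssuer, preserves_client_ip: bool) -> bool:
    """Constructed scenario: one client, two proxy nodes (e.g. a NodePort service
    without externalTrafficPolicy: Local). Without client IP preservation Jenkins
    sees a different node address per hop and no X-Forwarded-For header."""
    client, first_node, second_node = "203.0.113.7", "10.0.0.1", "10.0.0.2"

    def via(node: str, crumb: Optional[str] = None) -> Request:
        xff = client if preserves_client_ip else None
        return Request("sess-1", node, xff, crumb)

    crumb = issuer.issue(via(first_node))            # crumb handed out on hop 1
    return issuer.validate(via(second_node, crumb))  # crumb presented on hop 2
```

With the default issuer, check_through_proxy returns True only when the proxy preserves the client IP; with proxy_compatibility=True it returns True even when it does not, which is exactly the check the workaround gives up.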
CloudBees Core on Modern Platform
For CloudBees Core on Modern Platforms installed with Helm, the proxy compatibility can be enabled with the attribute .OperationsCenter.CSRF.ProxyCompatibility. For example:
OperationsCenter:
  CSRF:
    ProxyCompatibility: true