Jenkins Resource Root URL not working (404) with Project-based matrix auth


Running Jenkins on dedicated machine, with SSL provided by Haproxy.

Jenkins runs inside the internal network with the URL https://jenkins.company.com; https://jenkins-static.company.com is set up to point to the same machine.

HAProxy settings are as in the Jenkins tutorial (disabling HAProxy and switching to direct HTTP does not solve the issue).

When setting up the Resource Root URL using “Manage Jenkins >> System”, all artifact URLs are converted to https://jenkins-static.company.com/static-files/TOKEN/FILE_PATH, but trying to open the link always leads to the “Oops!” 404 page.

I was unable to find any related information in the logs.

To make Resource URL work I had to add “Job/Read” permission to “Authenticated Users” in global settings for Project-based Matrix Authorization Strategy. But this breaks the security of my Jenkins instance, so this solution can’t be applied.

I’ve tried playing with some jenkins properties related to Resource URL:

# Note: in a systemd unit, a second Environment="JENKINS_OPTS=..." line replaces the first,
# so both properties have to be passed in a single assignment:
Environment="JENKINS_OPTS=-Djenkins.security.ResourceDomainRootAction.allowAuthenticatedUser=true -Djenkins.security.ResourceDomainRootAction.validForMinutes=30"

but without any change.

More findings – if instead of “Job/Read” I set only “Job/Discover”, I get 403 instead of 404.

1

1. Double-check the Resource Root URL configuration in Jenkins.

2. Review the HAProxy configuration to properly handle static files.

3. Ensure correct file permissions for static assets.

4. Examine Jenkins and HAProxy logs for 404 or token-related errors.

5. Verify OAuth plugin settings and check if disabling it resolves the issue.

6. Review CORS policies for cross-domain access from jenkins-static.company.com.

If none of these solutions work, try isolating the issue further by serving static files without HAProxy or using a different reverse proxy to see if the problem persists.

Edited:
From configuration help of Resource Root URL, the URL

Resource URLs do not require authentication (users will not have a valid session for the resource root URL). Sharing a resource URL with another user, even one lacking Overall/Read permission for Jenkins, will grant that user access to these files until the URLs expire.

Authentication – User Content in Jenkins Documentation

This brings to mind the question of when exactly you are trying to access the URL itself – is it after the expiration period?

Resource URLs expire after 30 minutes by default. Expired resource URLs will redirect users to their equivalent Jenkins URLs, so that the user can reauthenticate, if necessary, and then be redirected back to a new resource URL that will be valid for another 30 minutes.

Expiration – User Content in Jenkins Documentation

If the attempted access is well before 30 minutes, it could be that the expiry is configured to be short or none:

To change how quickly resource URLs expire, set the system property jenkins.security.ResourceDomainRootAction.validForMinutes to the desired value in minutes.

Expiration – User Content in Jenkins Documentation

Lastly, I can see that in recent versions (my test instance is old – 2.332.1) there has been an added parameter, on which I’ve yet to find any additional documentation, and whose only explanation is ‘escape hatch for a security improvement’ – perhaps it’s related to the behavior:

jenkins.security.ResourceDomainRootAction.allowAuthenticatedUser
Since: 2.475
Default: false
Description: Allow authenticated user access to Resource URLs. Escape hatch for a security improvement related to the 2024-01-24 security advisory.

System Properties in Jenkins Documentation

7
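The question reports three different outcomes for the same resource URL (404 with no job permission, 403 with only Job/Discover, success with Job/Read), and the answer above adds a fourth (a redirect back to the main Jenkins domain once the token has expired). The script below is an added diagnostic for telling those cases apart from the response headers alone; it is not code from the thread or from the Jenkins project. It assumes curl is available, that the two hostnames are the ones from the question, and that the 403/404 meanings are the ones the asker observed, not a general statement about Jenkins internals.

```shell
#!/usr/bin/env bash
# Added example: classify the HTTP response for a Jenkins resource root URL.
# Assumes curl is installed and the hostnames from the question
# (jenkins.company.com / jenkins-static.company.com). The meanings given to
# 403 and 404 are the ones reported in the question, not Jenkins documentation.
set -u

# Pure function: maps status code + Location header to the cases from the thread,
# so it can be exercised offline with constructed values.
classify_response() {
  local status="$1" location="${2:-}"
  case "$status" in
    200) echo "ok: served by the resource root domain without a session" ;;
    301|302|303|307)
      # Expired tokens are redirected to the equivalent URL on the main Jenkins
      # domain so the user can re-authenticate and receive a fresh token.
      case "$location" in
        https://jenkins.company.com/*) echo "expired: redirected to main domain ($location)" ;;
        *) echo "redirect: unexpected target '$location'" ;;
      esac ;;
    403) echo "forbidden: job is discoverable but not readable (question: Job/Discover without Job/Read)" ;;
    404) echo "not-found: job not visible to the resource user (question: no Job/Discover or Job/Read)" ;;
    *)   echo "unexpected: HTTP $status" ;;
  esac
}

# Fetch only the headers of a real resource URL (needs network) and classify them.
# curl does not follow redirects by default, so the first Location header is kept.
probe_resource_url() {
  local url="$1" headers status location
  headers=$(curl -sS -o /dev/null -D - "$url" 2>/dev/null) || true
  status=$(printf '%s\n' "$headers" | awk 'toupper($1) ~ /^HTTP\// {code=$2} END {print code}')
  location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2}' | tr -d '\r' | tail -n 1)
  classify_response "${status:-000}" "$location"
}

# Usage: ./resource_url_probe.sh https://jenkins-static.company.com/static-files/TOKEN/FILE_PATH
if [ -n "${1:-}" ]; then
  probe_resource_url "$1"
fi
```

A "not-found" or "forbidden" result on a freshly copied link rules out expiry and points at the job-level permissions of the user the token was issued for, which is what the asker's Job/Read experiment shows; an "expired" result on a fresh link means validForMinutes is effectively zero or the clocks of the two hosts disagree. Run it against the main-domain URL as well: if that one also fails, the proxy, not the resource root, is at fault.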

