Getting 403 Forbidden even when security is disabled

Using Jenkins v 2.319.3, I’m running into trouble when setting up Jenkins behind a load balancer. I’m getting a 403 Forbidden when I try to save any configuration, whether it be for the entire system or for a single job. I can run jobs just fine, so it only happens when I’m trying to save configurations. As a troubleshooting step I have completely disabled security and added the argument `-Dhudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION=true` to my jenkins.xml file. Even after all of that, I still get the 403 Forbidden page. However, when I take the Jenkins server out of the load balancer, everything works fine. I ensured that the proper headers are being sent.

If it’s CSRF related (likely if it’s only an issue on submit), you may have hostnames that differ between your config and the actual ones, and thus cookies don’t get set right.

If it’s a custom load balancer (e.g. apache/nginx/traefik), then you need to make sure you have all the X-Forwarded-* headers set up right.

I’m using the AWS Application Load Balancer, and from what I can tell it should be sending all of the appropriate headers. Also, I have disabled CSRF protection and still get the 403 error. I’m wondering if it’s an underlying web server thing that Jenkins sits on top of? I’m pretty clueless about how the actual web server part of Jenkins works. What’s even more interesting is that none of these 403 Forbidden errors are being logged to /log/all, so I’m starting to wonder if it’s more upstream, before Jenkins gets the requests.

Probably, because the Jenkins log is pretty good.
You can probably look at your developer tools network tab and see what the headers are. Maybe it’s something like POST isn’t allowed on the load balancer, or the body is too big, or something.

Thanks for pointing me in the right direction. I took a look at the firewall rules and the POST bodies were too big which resulted in the firewall blocking the requests.
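
The header check suggested in the thread, as an added example that is not part of the original posts: it decides whether a captured 403 was produced by Jenkins or by something in front of it. It assumes Jenkins responses carry an `X-Jenkins`/`X-Hudson` header or a Jetty `Server` header; the function name, the sample responses and the `body_limit` default are constructed placeholders, so set the limit to whatever your firewall is configured with.

```python
# Markers assumed to identify a response that Jenkins itself generated.
JENKINS_MARKERS = ("x-jenkins", "x-hudson")


def classify_403(status, headers, request_body_bytes=0, body_limit=8192):
    """Return (origin, reasons) for a response copied from the browser's
    network tab. body_limit is a placeholder, not a value from the thread."""
    if status != 403:
        return ("not-403", [])

    h = {k.lower(): v for k, v in headers.items()}
    server = h.get("server", "")
    from_jenkins = any(m in h for m in JENKINS_MARKERS) or "jetty" in server.lower()

    if from_jenkins:
        return ("jenkins", [
            "response carries Jenkins/Jetty headers: check the Jenkins log "
            "and the crumb/hostname configuration"
        ])

    reasons = [
        f"no Jenkins headers (Server: {server or 'absent'}): the request was "
        "rejected before reaching Jenkins, check load balancer and firewall logs"
    ]
    if request_body_bytes > body_limit:
        reasons.append(
            f"POST body is {request_body_bytes} bytes, above the {body_limit}-byte "
            "limit: a body-size firewall rule is a likely cause"
        )
    return ("upstream", reasons)


# Constructed sample responses (header values are illustrative).
JENKINS_SAMPLE = {"Server": "Jetty(9.x)", "X-Jenkins": "2.319.3"}
UPSTREAM_SAMPLE = {"Server": "awselb/2.0", "Content-Type": "text/html"}

if __name__ == "__main__":
    for name, hdrs, size in [("jenkins", JENKINS_SAMPLE, 300),
                             ("upstream", UPSTREAM_SAMPLE, 20000)]:
        origin, why = classify_403(403, hdrs, request_body_bytes=size)
        print(name, "->", origin)
        for line in why:
            print("   ", line)
```

Jenkins job and system configuration forms submit large POST bodies, which is why only saves were affected while running jobs worked.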