How to connect agent jnlp over https?

I have four build agents that connect to our Jenkins server using JNLP. This is the call to connect to the server:
java --illegal-access=warn ^
--add-opens java.base/java.lang=ALL-UNNAMED ^
--add-opens java.base/java.lang.reflect=ALL-UNNAMED ^
--add-opens java.base/java.text=ALL-UNNAMED ^
--add-opens java.base/java.util=ALL-UNNAMED ^
--add-opens java.desktop/java.awt.font=ALL-UNNAMED ^
-cp agent.jar;deps/* hudson.remoting.Launcher ^
-jnlpUrl %JenkinsHost%/manage/computer/%BuildExecutorName%/jenkins-agent.jnlp ^
-secret %SecretKey% ^
-workDir "C:\Jenkins"
This all works fine and connects, but apparently it’s connecting over http instead of https.
The %JenkinsHost% is set to the https URL of the site.

I have the Jenkins server using a fixed port and I have the Agent Protocols checked for Inbound TCP Agent Protocol/4 (TLS encryption)

I have HSTS Filter Configuration checked.

I’m not sure if I’ve missed something or just don’t know the proper options to use.
Any assistance is greatly appreciated.

Hi @fiddler and welcome to this community :wave:,

Whenever I try to set up a new agent, Jenkins gives me an http URL to connect to, as I have not configured Jenkins to run on https.
All I’ll write after this sentence will just be wild guesses.

Can you access your Jenkins controller via https with your browser?
You need to ensure that the Jenkins server is properly configured for https.
This includes obtaining and installing a valid SSL/TLS certificate, configuring the Jenkins URL to use https, and configuring the Jenkins server to only allow https connections.

You could also try adding the -noCertificateCheck option to the command line call to disable certificate verification.
However, I suppose this is not recommended for production environments as it could potentially expose your system to security vulnerabilities.

Another possibility would be to check the controller logs for any errors or warnings related to agent connections.

Jenkins is only available through https using Apache with a reverse proxy. There is a trusted certificate for the server, and it is also in the Java keystore on the build agents, so -noCertificateCheck is not warranted.

That's blatantly untrue. Jenkins supports http through Jetty; while it's not generally recommended, it's totally doable. And it can be reverse proxied through any HTTP server: Amazon ELB, nginx, Traefik, Caddy, Apache, anything.

https is the TLS version of http; you are using the TLS version of the agent protocol.
If you want to use https, you should use the http port and tell both sides to speak WebSocket (I believe it's in Manage Computers / agent configuration on the controller side, and -webSocket on the CLI side).
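As an added example (not the OP's command and not Jenkins project code), here is the OP's Windows launch adapted to WebSocket. It assumes the agent's "Use WebSocket" option is ticked on the controller (Manage Jenkins > Nodes > the agent > Configure) and uses placeholder values for the host, agent name and secret; with -webSocket the agent opens an HTTP Upgrade request to the Jenkins URL, so the traffic rides the existing https listener instead of the fixed inbound TCP port.

```batch
@echo off
REM Added example, not the original thread's command.
REM Placeholders: replace with your Jenkins https URL, the agent's node name
REM and the secret shown on the agent's page in the controller.
set JenkinsHost=https://jenkins.example.com
set BuildExecutorName=build-agent-01
set SecretKey=REPLACE_WITH_AGENT_SECRET

REM -url/-name replace -jnlpUrl; -webSocket makes the agent connect over the
REM Jenkins URL (https through the reverse proxy) rather than the JNLP TCP port.
REM deps/* on the classpath mirrors the OP's layout; with a stock agent.jar
REM "-jar agent.jar" is enough.
java ^
  --add-opens java.base/java.lang=ALL-UNNAMED ^
  --add-opens java.base/java.util=ALL-UNNAMED ^
  -cp agent.jar;deps/* hudson.remoting.Launcher ^
  -url %JenkinsHost%/ ^
  -name %BuildExecutorName% ^
  -secret %SecretKey% ^
  -webSocket ^
  -workDir "C:\Jenkins"
```

Once the agent shows as connected, `netstat -ano | findstr ESTABLISHED` on the agent should list a connection to the controller's 443 and none to the fixed JNLP port; the agent never talks to that port in WebSocket mode, which is what a scanner looking for open http ports will care about.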

Halkeye, Let me clarify the statement you claim is untrue. In my set up, http is disabled and ‘my’ site is only accessible through https. I wasn’t making a blanket statement, I was describing my set up.
I’ll look into websocket to see if I can make it work.

One reason I’m trying to get the traffic going over https is the new gov’t “Zero Trust” policy that flags anything going over http. I read somewhere that jnlp (even though it goes over an encrypted TLS session) makes an http metadata request before using the port with the requested protocol.
Of course this initial request flags as an open http port with the scans.

omg I’m so sorry. I thought the post was someone telling you that the only option was apache. I misread and I’m so sorry.

That being said, I'm not sure Apache supports the HTTP upgrade required for WebSockets; I've never tried. Reverse proxy - Apache doesn't mention it, but mod_proxy might just magically do it.

I’ll look into this as a possible solution as well.

I’m trying to use the websocket settings within Jenkins, but getting a Handshake error.
I've made modifications to the Apache configs using the RewriteCond and RewriteRule directives:
# Apache variables are written %{...}, not ${...}
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
# Jenkins WebSocket agents connect under /wsagents/; the backend scheme (ws:// or wss://) must match what Jenkins on 8081 actually speaks
RewriteRule ^/wsagents/(.*) wss://localhost:8081/wsagents/$1 [P,L]
but am wondering if I don’t have the proper information for these settings. I also tried https in place of the wss but this also made no difference.
Does anyone know of any example configs to allow Jenkins agents to connect to the Jenkins server that is behind the apache reverse proxy? The Jenkins server is on the same machine as the reverse proxy if that matters.
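As an added example (not a config from this thread, and not the Jenkins project's documentation verbatim), here is a complete Apache virtual host that terminates TLS and proxies both normal Jenkins traffic and WebSocket agent connections. It assumes what the thread describes: Jenkins runs on the same machine as Apache and listens on plain http at 127.0.0.1:8081; the hostname and certificate paths are placeholders. The Jenkins URL under Manage Jenkins > System must be the https URL so the jenkins-agent.jnlp it hands out points at the proxy.

```apache
# Added example, not a config posted in this thread.
# Assumptions: Jenkins on plain HTTP at 127.0.0.1:8081 on the same host, TLS
# terminated here; ServerName and certificate paths are placeholders.
# Modules needed: mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel,
# mod_rewrite, mod_headers (a2enmod ssl proxy proxy_http proxy_wstunnel rewrite headers).
<VirtualHost *:443>
    ServerName jenkins.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/jenkins.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/jenkins.example.com.key

    # Let Jenkins see the original host and scheme so every URL it generates
    # (including the agent's jenkins-agent.jnlp) is https://jenkins.example.com/...
    ProxyRequests Off
    ProxyPreserveHost On
    AllowEncodedSlashes NoDecode
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    # WebSocket agents: an agent started with -webSocket sends an HTTP Upgrade
    # request to <JENKINS_URL>/wsagents/. Only that path is handed to
    # mod_proxy_wstunnel, as ws:// because the backend is plain http.
    # %{...} is the Apache variable syntax; ${...} is not.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade}    websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade   [NC]
    RewriteRule ^/wsagents/(.*)$ ws://127.0.0.1:8081/wsagents/$1 [P,L]

    # Everything else is ordinary reverse proxying. nocanon keeps Jenkins'
    # encoded-slash URLs intact.
    ProxyPass        / http://127.0.0.1:8081/ nocanon
    ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>
```

Check the syntax with `apachectl -t` before reloading. Once all four agents connect this way, the fixed inbound TCP port can be disabled under Manage Jenkins > Security > Agents ("TCP port for inbound agents"), which removes the listener the scans were flagging; leave it enabled only while agents still use the JNLP4 path.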