
How to disable Jenkins CSRF protection via script? A question about automated configuration

Fixing Jenkins CSRF Crumb Issues with AWS ELB

Hey there, let's work through this Jenkins CSRF problem you're hitting with your AWS ELB setup. I've run into similar quirks with reverse proxies and ELBs messing up crumb validation, so here are actionable steps to either resolve the root cause or disable CSRF if that's your hard requirement:

Option 1: Fix Proxy Compatibility (Recommended)

Instead of turning off CSRF protection entirely (which isn't ideal for security), fix the proxy compatibility so Jenkins correctly handles requests from AWS ELB:

Enable Proxy Compatibility via Groovy Script

Create a Groovy initialization script (save it in $JENKINS_HOME/init.groovy.d/proxy-compatibility.groovy) with this code:

import jenkins.model.Jenkins
import hudson.security.csrf.DefaultCrumbIssuer

def jenkinsInstance = Jenkins.get()
// "Enable proxy compatibility" is a setting of the crumb issuer, not of the Jenkins object:
// DefaultCrumbIssuer(true) excludes the client IP from the crumb, so the changing source
// address seen behind the ELB no longer invalidates crumbs. CSRF protection stays on.
jenkinsInstance.setCrumbIssuer(new DefaultCrumbIssuer(true))
jenkinsInstance.save()

This will automatically apply the setting on Jenkins startup, which resolves the crumb validation failures caused by ELB rewriting request headers. You'll also stop seeing that reverse proxy warning in "Manage Jenkins".

Manual Setup (If You Can Access the UI)

If you can get into the Jenkins UI occasionally:

  • Go to Manage Jenkins > System Configuration
  • Scroll down to Jenkins Location
  • Check the box for Enable proxy compatibility
  • Save the settings

This tells Jenkins to ignore minor differences in request headers introduced by the ELB, which is usually the root cause of crumb errors.

Option 2: Disable CSRF Protection (Last Resort)

If you absolutely need to disable CSRF (only do this if security isn't a concern for your setup), use one of these automated methods:

Method A: Groovy Initialization Script

Create a script in $JENKINS_HOME/init.groovy.d/disable-csrf.groovy with:

import jenkins.model.Jenkins

def jenkinsInstance = Jenkins.get()
// Removing the crumb issuer disables CSRF protection: with no issuer configured,
// Jenkins no longer demands a crumb on any POST request.
jenkinsInstance.setCrumbIssuer(null)
jenkinsInstance.save()

Jenkins will run this script on startup, turning off CSRF protection completely. Note that since Jenkins 2.222 the UI no longer offers a way to disable CSRF protection, so a startup script like this is the only route, and once it is applied every POST that reaches the controller is accepted without a crumb.

Method B: Modify config.xml Before Startup

Edit your $JENKINS_HOME/config.xml file (make a backup first, and do it while Jenkins is stopped, because Jenkins rewrites the file on save) and find the <crumbIssuer> section, which in a stock install looks like this:

<crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
  <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
</crumbIssuer>

Delete the whole <crumbIssuer>...</crumbIssuer> element (there is no disabled="true" attribute; Jenkins treats a missing crumb issuer as "CSRF protection off"). If there is no <crumbIssuer> node to begin with, CSRF protection is already disabled. Then start Jenkins normally.
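Because config.xml is the file both of these options end up touching, here is an added example (not from the original answer) of a small audit script in Python that reads a config.xml and reports whether CSRF protection is on and whether proxy compatibility is set, plus a function that applies the Option 1 fix in the file (sets excludeClientIPFromCrumb to true) instead of deleting the issuer. The sample XML is constructed; the element and class names are assumed to match what a default Jenkins writes.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the CSRF section of a stock $JENKINS_HOME/config.xml
# (assumption: element names as written by a default Jenkins install).
SAMPLE_CONFIG_XML = """<hudson>
  <disableRememberMe>false</disableRememberMe>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
</hudson>
"""

ISSUER_CLASS = "hudson.security.csrf.DefaultCrumbIssuer"


def csrf_status(config_xml: str) -> dict:
    """Report whether CSRF protection is on and whether proxy compatibility is set."""
    root = ET.fromstring(config_xml)
    issuer = root.find("crumbIssuer")
    if issuer is None:
        # No crumb issuer element at all: Jenkins runs with CSRF protection disabled.
        return {"csrf_enabled": False, "issuer": None, "proxy_compatible": None}
    exclude_ip = issuer.findtext("excludeClientIPFromCrumb", default="false")
    return {
        "csrf_enabled": True,
        "issuer": issuer.get("class"),
        # "Enable proxy compatibility" in the UI is exactly this flag.
        "proxy_compatible": exclude_ip.strip().lower() == "true",
    }


def enable_proxy_compatibility(config_xml: str) -> str:
    """Return config.xml with CSRF kept on and the client IP excluded from crumbs."""
    root = ET.fromstring(config_xml)
    issuer = root.find("crumbIssuer")
    if issuer is None:
        # CSRF was off: re-enable it with the default issuer rather than leave it off.
        issuer = ET.SubElement(root, "crumbIssuer", {"class": ISSUER_CLASS})
    flag = issuer.find("excludeClientIPFromCrumb")
    if flag is None:
        flag = ET.SubElement(issuer, "excludeClientIPFromCrumb")
    flag.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", csrf_status(SAMPLE_CONFIG_XML))
    fixed = enable_proxy_compatibility(SAMPLE_CONFIG_XML)
    print("after: ", csrf_status(fixed))
```

To use it against a real controller, read $JENKINS_HOME/config.xml into a string while Jenkins is stopped, write the result of enable_proxy_compatibility() back, and run csrf_status() again after startup to confirm Jenkins did not overwrite the change.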

Why This Happens with AWS ELB

AWS ELBs act as reverse proxies: they terminate the client connection, can add or change request headers (the X-Forwarded-* family), and present their own address as the source of the request, so what Jenkins sees differs from what its default CSRF validation expects. Enabling proxy compatibility tells Jenkins to tolerate these proxy-induced differences, while disabling CSRF skips the validation entirely.
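For the automation side of the question, the usual cause of "No valid crumb" errors is not the ELB at all but a client that fetches a crumb in one request and uses it in another without carrying the session cookie along (Jenkins ties crumbs to the web session). As an added example that is not part of the original answer, this Python client keeps one cookie jar for both the crumb fetch and the POST that uses it; the crumb JSON below is a constructed sample with the field names Jenkins returns, and the URL and credentials in the main block are placeholders you must replace.

```python
import base64
import http.cookiejar
import json
import urllib.request
from typing import Optional

# Constructed sample of what GET /crumbIssuer/api/json returns
# (assumption: field names "crumb" and "crumbRequestField" as in Jenkins).
SAMPLE_CRUMB_JSON = (
    '{"_class":"hudson.security.csrf.DefaultCrumbIssuer",'
    '"crumb":"0123456789abcdef0123456789abcdef","crumbRequestField":"Jenkins-Crumb"}'
)


def parse_crumb(body: str) -> dict:
    """Turn the crumb issuer's JSON into the header to send on mutating requests."""
    data = json.loads(body)
    return {data["crumbRequestField"]: data["crumb"]}


class JenkinsSession:
    """One cookie jar for the whole exchange, so the crumb is used with the
    session it was issued for."""

    def __init__(self, base_url: str, user: str, api_token: str):
        self.base_url = base_url.rstrip("/")
        jar = http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(jar))
        token = base64.b64encode(f"{user}:{api_token}".encode()).decode()
        self.auth_header = {"Authorization": f"Basic {token}"}

    def _call(self, path: str, data: Optional[bytes] = None,
              extra: Optional[dict] = None) -> str:
        headers = dict(self.auth_header)
        if extra:
            headers.update(extra)
        req = urllib.request.Request(
            self.base_url + path, data=data, headers=headers,
            method="POST" if data is not None else "GET")
        with self.opener.open(req) as resp:
            return resp.read().decode()

    def crumb_header(self) -> dict:
        """Fetch a fresh crumb within this session."""
        return parse_crumb(self._call("/crumbIssuer/api/json"))

    def post(self, path: str, data: bytes = b"") -> str:
        """POST with the crumb, over the same cookie jar that received it."""
        return self._call(path, data=data, extra=self.crumb_header())


if __name__ == "__main__":
    # Offline demonstration of the header built from the sample JSON.
    print(parse_crumb(SAMPLE_CRUMB_JSON))
    # Against a real controller (placeholders, not real values):
    # s = JenkinsSession("https://jenkins.example.invalid", "automation", "API_TOKEN_PLACEHOLDER")
    # print(s.post("/job/example-job/build"))
```

Two practical notes: a request authenticated with a user API token over HTTP Basic auth is exempt from the crumb check in current Jenkins, so scripts using tokens rarely need the crumb at all; and if the ELB sits in front of a controller and you still get crumb failures with a proper session, that is the case for Option 1 above, not for disabling CSRF.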


The question comes from Stack Exchange; it was asked by Grant Zukel.
