Enable Jenkins CLI

[jglick]

Service(s)

ci.jenkins.io

Summary

It seems the CLI is blocked from ci.jenkins.io. I have a vague recollection that this decision was made many years ago to avoid some sort of DoS issue. @daniel-beck might recall. If so, is it still relevant after #4971?

Reproduction steps

$ authn=jglick:11…
$ curl -su $authn https://ci.jenkins.io/whoAmI/api/json | jq
{
  "_class": "hudson.security.WhoAmI",
  "anonymous": false,
  "authenticated": true,
  "authorities": [
    "all",
    "ROLE_SENIORS",
    "authenticated",
    "ROLE_ALL",
    "seniors"
  ],
  "name": "jglick"
}
$ java -jar jenkins-cli.jar -auth $authn -s https://ci.jenkins.io/ who-am-i
CLI handshake failed with status code 400
Cache-Control: must-revalidate, no-cache, no-store
Connection: close
Content-Length: 511
Content-Security-Policy: …
Content-Type: text/html;charset=iso-8859-1
Date: Wed, 28 Jan 2026 22:46:41 GMT
Reporting-Endpoints: …
Server: Jetty(12.1.5)
Via: 1.1 ci.jenkins.io
X-Content-Type-Options: nosniff

[daniel-beck]

Cannot recall off hand, I also cannot find how it was disabled.

[timja]

Might be this: https://github.com/jenkins-infra/jenkins-infra/blob/57001942dc47a9ec8d7966715c615afa915f4d56/dist/profile/manifests/jenkinscontroller.pp#L499-L506

[daniel-beck]

That block is blocking the REST API URLs unless you authenticate. CLI is at /cli/ / /cli/ws

[daniel-beck]

I guess HTTP 400 might be the error you get when WebSocket support isn't set up for the reverse proxy?

I tried https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3315:~:text=test%20whether%20WebSocket%20endpoints%20can%20be%20reached and that also is HTTP 400, indicating "enabling" the CLI just means configuring nginx for it.

[jglick]

That block is blocking the REST API URLs unless you authenticate.

Well I guess it is obsolete? Since you would just get a 403 now.

Probing WS connectivity is best done with websocat and the /wsecho/ endpoint (requires Overall/Administer IIRC).

[daniel-beck]

Well I guess it is obsolete? Since you would just get a 403 now.

Probably, difference would be web session would newly be acceptable without it as well.

[dduportal]

As far as i remember, the Apache servers managed by puppet (includes ci.jio) do not have websockets enabled : #3529

[lemeurherve]

@jglick how soon would you need/like this to be worked on?
If not urgent, I'll probably delay this up to a few weeks.

@jenkins-infra/security anything in particular we should be warry of?

[jglick]

Not urgent at all, feel free to defer for years.