The plain HTTP request was sent to HTTPS port

0

I have Jenkins running on an EC2 with NGINX running on the same EC2 listening on port 80 forwarding to 8080 for Jenkins. In front of this I have an ALB listening to port 443 and a CERT setup.

When I go to https://jenkins.example.com, I can log in, then I get 400 Bad Request "The plain HTTP request was sent to HTTPS port" and the URL changes to http://jenkins.example.com:443/loginError.

I tried adding in another listener on port 80 with a redirect to 443. That did nothing. I even changed it to just print out a message but never got the message.

Any idea where I might be missing something?

Asked 1 year ago, viewed 3980 times
5 answers
0

One thing missing here is how the target group is configured on the ALB. From the information available it would appear that it's configured to send HTTP requests to the target group. You'll get the error message you're seeing if the listener is configured for HTTPS (regardless of what port it is using).

Also: I'm not sure what else NGINX is configured to do here; but it's more efficient to have ALB send the requests directly to port 8080.

AWS
Expert
Answered 1 year ago
0

Unless I am reading this wrong, I have an ALB with one listener: HTTPS:43 forwarding to a Target Group.

The Target Group has one Registered instance on port 80 and is healthy.

I do not care if I use NGINX to forward port 80 on the instance to port 8080 on the same instance or if I have the Target Group forward directly to port 8080. What I do know is that if I change the Server line in NGINX to let me use the instance IP I can get into Jenkins on port 80 with no issues whatsoever. So the problem must be with the ALB or Target Group.

Answered 1 year ago
0

Since I did not mention this before here are my security groups.

  • Instance SG
      • Inbound: HTTP source ALB SG
      • Inbound: HTTPS source ALB SG
      • Outbound: All 0.0.0.0/0

  • ALB SG
      • Inbound: HTTP source 0.0.0.0/0
      • Inbound: HTTPS source 0.0.0.0/0
      • Outbound: HTTP source Instance SG
      • Outbound: All source 127.0.0.1/32

Answered 1 year ago
0

I enabled logs on the ALB and here is what I am seeing:

h2 2023-02-10T19:31:25.203691Z app/JJJ-Dev-JenkinsMaster-ALB/73b30d15979cbc5c 10.0.0.4:62114 172.0.0.2:80 0.001 0.042 0.000 302 302 1112 229 "POST https://jenkins.tm-ci-prod.example.com:443/j_spring_security_check HTTP/2.0" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 OPR/94.0.0.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/JJJ-Dev-JenkinsMaster-ALB-TG80/94ff9b642572376c "Root=1-63e69b8d-5ece4b07683f68816f0148de" "jenkins.tm-ci-prod.example.com" "arn:aws:acm:us-east-1:111122223333:certificate/1ff16fb3-eeeb-48f5-98f9-fda871fdb5fb" 0 2023-02-10T19:31:25.160000Z "forward" "-" "-" "172.0.0.2:80" "302" "-" "-"
https 2023-02-10T19:31:25.375811Z app/JJJ-Dev-JenkinsMaster-ALB/73b30d15979cbc5c 10.0.0.4:62115 - -1 -1 -1 400 - 814 772 "GET http://jenkins.tm-ci-prod.example.com:443/loginError HTTP/1.1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 OPR/94.0.0.0" - - - "-" "-" "-" - 2023-02-10T19:31:25.316000Z "-" "-" "-" "-" "-" "-" "-"

The last log message shows clearly how it's breaking.

Answered 1 year ago
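An added example, not part of the original post: a small parser that scans ALB access-log lines for the pattern visible in the two entries above, a request for an `http://` URL on port 443 that the ALB itself answers with 400, and pairs it with the last target-issued 302 to the same client IP. The sample lines are constructed (shortened from the quoted entries, with placeholder load balancer names), and treating that 302 as the origin of the bad redirect is an assumption, since the log does not record the `Location` header.

```python
import shlex
from urllib.parse import urlsplit

# Leading ALB access-log fields, in order (later fields are not needed here).
FIELDS = ["type", "time", "elb", "client", "target", "req_time", "tgt_time",
          "resp_time", "elb_status", "target_status", "received", "sent",
          "request", "user_agent"]

# Constructed sample lines, shortened from the two entries quoted above.
SAMPLE = [
    'h2 2023-02-10T19:31:25.203691Z app/example-alb/0000 10.0.0.4:62114 '
    '172.0.0.2:80 0.001 0.042 0.000 302 302 1112 229 '
    '"POST https://jenkins.example.com:443/j_spring_security_check HTTP/2.0" '
    '"Mozilla/5.0 (constructed)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2',
    'https 2023-02-10T19:31:25.375811Z app/example-alb/0000 10.0.0.4:62115 '
    '- -1 -1 -1 400 - 814 772 '
    '"GET http://jenkins.example.com:443/loginError HTTP/1.1" '
    '"Mozilla/5.0 (constructed)" - -',
]

def parse(line):
    """Split one ALB log line, honouring quoted fields, into a dict."""
    entry = dict(zip(FIELDS, shlex.split(line)))
    method, url, _proto = entry["request"].split(" ", 2)
    entry["method"], entry["url"] = method, urlsplit(url)
    entry["client_ip"] = entry["client"].rsplit(":", 1)[0]
    return entry

def find_scheme_mismatches(lines):
    """Return (bad_request, preceding_302) pairs.

    bad_request: ALB answered 400 with no target for an http:// URL on
    port 443. preceding_302: last target 302 to the same client IP
    (assumed, not proven, to be the redirect that produced the bad URL).
    """
    last_302, findings = {}, []
    for e in map(parse, lines):
        if e["target_status"] == "302":
            last_302[e["client_ip"]] = e
        if (e["url"].scheme == "http" and e["url"].port == 443
                and e["elb_status"] == "400" and e["target"] == "-"):
            findings.append((e, last_302.get(e["client_ip"])))
    return findings

if __name__ == "__main__":
    for bad, redirect in find_scheme_mismatches(SAMPLE):
        origin = redirect["target"] if redirect else "unknown"
        print("400 on", bad["url"].geturl(), "after 302 from", origin)
```
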
0

Hi,

If you don't mind, I would like to recommend... Remove the NGINX, it's just ALB (with a valid cert for the listeners), 2 listeners, 1st for HTTP traffic to redirect to HTTPS:443 and 2nd listener for HTTPS to a Target Group, the target group is your Jenkins instance at port 8080, and that one, only expose in the SG or allow the Jenkins port 8080.

Make sure the ALB is internal though, not recommended to expose Jenkins to the world in any case.

Cheers!

Answered 1 year ago
