The plain HTTP request was sent to HTTPS port


I have Jenkins running on an EC2 with NGINX running on the same EC2 listening on port 80 forwarding to 8080 for Jenkins. In front of this I have an ALB listening to port 443 and a CERT setup.

When I go to I can login then I get 400 Bad Request "The plain HTTP request was sent to HTTPS port" and the url changes to

I tried adding in another listener on port 80 with a re-direct to 443. That did nothing. I even changed it to just print out a message but never got the message.

Any idea where I might be missing something?

5 Answers

One thing missing here is how the target group is configured on the ALB. From the information available it would appear that it's configured to send HTTP requests to the target group. You'll get the error message you're seeing if the listener is configured for HTTPS (regardless of what port it is using).

Also: I'm not sure what else NGINX is configured to do here; but it's more efficient to have ALB send the requests directly to port 8080.

profile pictureAWS
answered a year ago

Unless I am reading this wrong. I have an ALB with one listener: HTTPS:43 forwarding to a Target Group.

The Target Group has one Registered instance on port 80 and is healthy.

I do not care if I use NGINX to forward port 80 on the instance to port 8080 on the same instance or if I have the Target Group forward directly to port 8080. What I do know is that if I change the Server line in NGINX to let me use the instance IP I can get in to Jenkins on port 80 with no issues what so ever. So the problem must be with the ALB or Target Group.

answered a year ago

Since I did not mention this before here are my security groups.

  • Instance SG

  • Inbound: HTTP source ALB SG

  • Inbound: HTTPS source ALB SG

  • Outbound: All

  • ALB SG

  • Inbound: HTTP source

  • Inbound: HTTPS source

  • Outbound: HTTP source Instance SG

  • Outbound: All source

answered a year ago

I enabled logs on the ALB and here is what I am seeing:

h2 2023-02-10T19:31:25.203691Z app/JJJ-Dev-JenkinsMaster-ALB/73b30d15979cbc5c 0.001 0.042 0.000 302 302 1112 229 "POST HTTP/2.0" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36 OPR/" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:111122223333:targetgroup/JJJ-Dev-JenkinsMaster-ALB-TG80/94ff9b642572376c "Root=1-63e69b8d-5ece4b07683f68816f0148de" "" "arn:aws:acm:us-east-1:111122223333:certificate/1ff16fb3-eeeb-48f5-98f9-fda871fdb5fb" 0 2023-02-10T19:31:25.160000Z "forward" "-" "-" "" "302" "-" "-"
https 2023-02-10T19:31:25.375811Z app/JJJ-Dev-JenkinsMaster-ALB/73b30d15979cbc5c - -1 -1 -1 400 - 814 772 "GET HTTP/1.1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36 OPR/" - - - "-" "-" "-" - 2023-02-10T19:31:25.316000Z "-" "-" "-" "-" "-" "-" "-"

The last log message shows clearly how its breaking.

answered a year ago


If you don't mind, I would like to recommend... Remove the NGINX, its just ALB (With a valid cert for the listeners), 2 listeners, 1st for HTTP traffic to redirect to HTTPS:443 and 2nd listener for HTTPS to a Target Group, the target group is your Jenkins instance at port 8080, and that one, only expose in the SG or allow the Jenkins port 8080.

Make sure the ALB is internal tho, not recommended to expose Jenkins to world in any case.


profile picture
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions