1

SonarQube on windows, running on http://localhost/9000.

I'm setting up NGINX to use as a reverse proxy and serve on https://localip.com.

I'm getting the following EE when trying to connect to SonarQube

You're not authorized to access this page. Please contact the administrator. Reason: The response was received at http://localhost:9000/oauth2/callback/saml instead of https://localip.com/oauth2/callback/saml

I'm guessing I need to instruct NGINX to rewrite the callback, how do I do it?

JosephS
  • 744
  • 5
  • 22

3 Answers3

3

You don't show a sample config, but I recently hit the same issue as you when setting up SonarQube 9 behind an nginx reverse proxy w/ SAML.

You're not authorized to access this page. Please contact the administrator. Reason: The response was received at http://localhost:9000/oauth2/callback/saml instead of https://localip.com/oauth2/callback/saml

The most likely fix for this is to add these 2 lines to your server proxypass section in your nginx proxy config:

proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;

Sonarsource had a post about this for IIS reverse proxies, where they indicate 2 important things:

  1. That HTTP_X_FORWARDED_PROTO is set to https
  2. That host headers are preserved

The lines in my above code snippet handle the NGINX equivalents for #1 and #2 in that order.

Their Operating the Server page also gives this sample config:

# the server directive is Nginx's virtual host directive
server { 
 # port to listen on. Can also be set to an IP:PORT 
 listen 443 ssl;
 ssl_certificate ${path_to_your_certificate_file}
 ssl_certificate_key ${path_to_your_certificate_key_file}
 location / {
   proxy_pass ${address_of_your_sonarqube_instance_behind_proxy}
   proxy_set_header Host $host;
   proxy_set_header X-Forwarded-For $remote_addr;
   proxy_set_header X-Forwarded-Proto https;
 }
}

Based on your error message, the proxy_pass line will most likely something like proxy_pass http://localhost:9000. That's how I set mine up as well.

Joshua McKinnon
  • 24,489
  • 11
  • 57
  • 63
  • 1
    I have the same setup with Google as IdP, but after a successful auth sonarqube gives me this log: ` login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local`. So even though it sends the saml AuthNRequest, it thinks that the provider is local and gives me 401. I have these and the rest of the params set in the UI: sonar.auth.saml.enabled=true sonar.auth.saml.applicationId=sonarqube sonar.auth.saml.providerName=SAML – peetasan May 13 '22 at 14:32
2

I have same issue, but i run Apache server , and my proxy configuration is as follow:

  ## Proxy rules
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://127.0.0.1:9000/
  ProxyPassReverse / http://127.0.0.1:9000/
  RequestHeader set X-Forwarded-Proto "https"
  RequestHeader set X-Forwarded-Port "443"

what solve issue is adding :

  RequestHeader set X-Forwarded-Proto "https"
  RequestHeader set X-Forwarded-Port "443"
Dharman
  • 30,962
  • 25
  • 85
  • 135
Dubravko Penezic
  • 21
  • 1
0

Just go to https://{sonarqube_domain}/admin/settings and make sure Server base URL is set to https://{sonarqube_domain}

Karl Casas
  • 805
  • 9
  • 9