Is there a plan to add HTTPS back to SonarQube?

Question

I'm running SonarQube with a reverse proxy. However, I'm also using X.509 authentication between SonarQube and the database for security reasons. I can no longer connect to my PostgreSQL database after upgrading from 5.4 to 5.6 because the certificate isn't being passed.

1. Is there another way to configure SonarQube to use a local keystore when negotiating an SSL connection to the database?
2. Is there a plan to add SSL support back?
3. Is there a plan to add WAR-style deployments back?

I might be stuck at 5.4.

Answer 1

HTTPS is supported by SonarQube using a reverse proxy. Here is the official documentation and the link:

To run the SonarQube server over HTTPS, you must build a standard reverse proxy infrastructure. The reverse proxy must be configured to set the value "X_FORWARDED_PROTO: https" in each HTTP request header. Without this property, redirection initiated by the SonarQube server will fall back on HTTP.

Using an Apache Proxy

We assume that you've already installed Apache 2 with module mod_proxy, that SonarQube is running and available on http://private_sonar_host:sonar_port/ and that you want to configure a Virtual Host for www.public_sonar.com. At this point, edit the HTTPd configuration file for the www.public_sonar.com virtual host. Include the following to expose SonarQube via mod_proxy at http://www.public_sonar.com/:

    ProxyRequests Off
ProxyPreserveHost On
<VirtualHost *:80>
  ServerName www.public_sonar.com
  ServerAdmin admin@somecompany.com
  ProxyPass / http://private_sonar_host:sonar_port/
  ProxyPassReverse / http://www.public_sonar.com/
  ErrorLog logs/somecompany/sonar/error.log
  CustomLog logs/somecompany/sonar/access.log common
</VirtualHost>

Using Nginx

We assume that you've already installed Nginx, that you are using a Virtual Host for www.somecompany.com and that SonarQube is running and available on http://sonarhost:sonarport/. At this point, edit the Nginx configuration file. Include the following to expose SonarQube at http://www.somecompany.com/:

# the server directive is nginx's virtual host directive
server {
  # port to listen on. Can also be set to an IP:PORT
  listen 80;

  # sets the domain[s] that this vhost server requests for
  server_name www.somecompany.com;

  location / {
    proxy_pass http://sonarhost:sonarport;
  }
}

Using IIS

SonarQube recommends the use of a Reverse Proxy to secure you sonar installation. With the help of IIS and the Url Rewrite module, that's a piece of cake to setup.

What you'll need:

1. IIS enabled on a machine (doesn't have to be the SonarQube machine, but I'm going to assume you're doing this on the same system)
2. The Url Rewite extension for IIS (https://www.iis.net/downloads/microsoft/url-rewrite)
3. The Application Based Routing extension for IIS (https://www.iis.net/downloads/microsoft/application-request-routing)
4. An SSL certificate (can be self signed or a real one)

First step is to create a IIS website which will act as the reverse proxy.

Unless you're required to do Kerberos authentication, you don't need to configure any form of authentication on your Reverse Proxy. It should forward the challenge from SonarQube if you've configured Active Directory integration there.

If you are using Kerberos or IIS Advanced protection, please look here for guidance on configuring that correctly. (https://blogs.technet.microsoft.com/latam/2015/06/24/kerberos-authentication-and-application-request-routing/)

Configure the binding to use SSL and setup the correct hostnames and the certificate. I'm cheating a little by using the IIS Express Development Certificate installed on my machine:

Next we'll open the URL Rewrite settings to configure reverse proxy:

Click Add Rule to create a new rule:

And pick "Reverse Proxy" from the list of templates:

Enter the destination server URL (can be http://localhost:9000, or even a remote server) and click OK to create the rule:

You're back in the URL Rewrite screen where we'll need to add an extra server variable which we'll send along with the request to the other server in order to tell SonarQube it's actually behind a Reverse Proxy that's doing the SSL offloading for it:

Click "Add..." to create the server variable:

Add the server variable "X_FORWARDED_PROTO" to allow the Rewrite Module to manipulate this header:

You should now have the variable listed in the Variable list. Click "Go back to Rules" to move back to the rules list:

Edit the URL Rewrite rule you've just created:

Expand the Server variables section of the rule definition:

Add the "X_FORWARDED_PROTO" header you've allowed in the previous step and give it the value "https":

Apply the changes:

And now you should be able to access SonarQube over SSL. You may want to configure the original SonarQube instance to only accept traffic from your reverse proxy or only accept traffic from localhost through the Windows Firewall.

Copied from:

USING IIS

Server setup documentation

Answer 2

Answer to point 2 : The only way to deal with HTTPS on SonarQube is to use a proxy. Have a look at the documentation for more information.

Answer to point 3 : No, there's no plan to get back to WAR.

Answer 3

Add reverse proxy to the docker compose. Create certification by openssl. Add nginx configuration Done