2
votes

I have just upgraded from Sonar 3.2.1 to Sonar 3.6. I was able to configure Sonar 3.2.1 to use https by placing a jetty.xml file in SONAR_HOME. The same approach does not seem to work for Sonar 3.6 and from looking at the source for org.sonar.application.JettyEmbedder I think the https port is hard-coded to 8443. FYI, The embedded jetty version is 7.6.11.

The relevant Sonar FAQ reads thus :

Can SonarQube run in HTTPS mode? No. But you can run SonarQube in a standard HTTPS infrastructure using a reverse proxy (in this case the reverse proxy must be configured to set the value 'X_FORWARDED_PROTO: https' in each HTTP request header. Without this property, redirection initiated by the SonarQube server will fall back on HTTP).

If this is true then Sonar has taken a step backwards security-wise. Is there an alternative way to configure Sonar/Jetty to run on https ?

1
This looks like a question best suited for a Sonar JIRA or developer mailing list. Personally, I use Apache as my Sonar reverse proxy. Apache doubles as my SSL terminator, which means I can keep all the messy SSL stuff away from Sonar. Nginx is another possible solution in this space. - Mark O'Connor
Thanks for the comment - I have posted the question on the sonar user mailing list too. If you have Apache in front of Sonar handling the https doesn't that mean that the connection from Apache to Sonar is http and hence un-encrypted ? - user2570084
Yes, it is. Not an issue if it's configured to listen on the loopback address. That way no external process can talk to Sonar. - Mark O'Connor
Ahh - ok - thanks for the explanation - user2570084

1 Answer

1
votes

You can install Apache on the same machine and set up a reverse proxy.

Your http://your-sonar-host.com address needs to run on port 80. Apache will forward it to 9000 (Sonar runs on port 9000).

After installing Apache, open the configuration and type the following:

# Requires mod_proxy, mod_proxy_http, mod_headers and mod_env to be loaded.
<Location />
    ProxyPass http://your-sonar-host.com:9000/
    ProxyPassReverse http://your-sonar-host.com:9000/
    # Tells SonarQube the original request was HTTPS so the redirects it issues keep the https scheme
    RequestHeader set X_FORWARDED_PROTO 'https'
    # Talk HTTP/1.0 without keep-alive to the backend
    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1
</Location>

There is nothing else you need to do.
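The answer above only shows the proxy stanza. The following is an added example (not part of the original answer or of SonarQube's own documentation) of a complete Apache 2.4 setup that terminates TLS on port 443, redirects plain HTTP to HTTPS, and proxies to SonarQube bound to the loopback address, as the comments on the question recommend. The hostname sonar.example.com, the certificate paths, and the sonar.properties setting named in the comments are assumptions for illustration.

```apache
# Added example: TLS-terminating reverse proxy in front of SonarQube.
# Assumes these modules are enabled (e.g. a2enmod on Debian/Ubuntu):
#   proxy, proxy_http, headers, ssl, rewrite
#
# Assumed SonarQube side, in SONAR_HOME/conf/sonar.properties (property name
# as used by the 3.x releases; verify against your own sonar.properties):
#   sonar.web.host=127.0.0.1
#   sonar.web.port=9000
# With that binding only local processes (i.e. Apache) can reach the
# unencrypted port 9000, so the plain-HTTP hop never leaves the machine.

# Plain HTTP: redirect everything to HTTPS, never proxy from here.
<VirtualHost *:80>
    ServerName sonar.example.com
    RewriteEngine On
    RewriteRule ^/(.*)$ https://sonar.example.com/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName sonar.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/sonar.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/sonar.example.com.key

    # Never act as an open forward proxy; only the explicit ProxyPass below applies.
    ProxyRequests Off
    # Pass the client's Host header through so SonarQube builds absolute URLs
    # for the public name rather than for 127.0.0.1:9000.
    ProxyPreserveHost On

    # 'set' overwrites whatever a client sent, so a remote user cannot inject a
    # forged scheme. The underscore form is the one the SonarQube FAQ quoted
    # in the question asks for; the hyphenated form is the conventional
    # header name and is set as well so either spelling is honoured.
    RequestHeader set X_FORWARDED_PROTO "https"
    RequestHeader set X-Forwarded-Proto "https"

    <Location />
        ProxyPass        http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>

    ErrorLog  ${APACHE_LOG_DIR}/sonar-error.log
    CustomLog ${APACHE_LOG_DIR}/sonar-access.log combined
</VirtualHost>
```

After reloading Apache, a quick check is to request a path that SonarQube answers with a redirect (the login page, for instance) over HTTPS and confirm the Location header it returns starts with https://; if it comes back as http://, the X_FORWARDED_PROTO header is not reaching SonarQube. Using RequestHeader set rather than RequestHeader append matters: with append a client could prepend its own value and change which scheme the application trusts.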