0
votes

SonarQube is deployed on an intranet server (=> http URL).

When an https internet URL is declared to access this server, using a DMZ reverse proxy, this error occurs:

2013.11.22 19:47:53 ERROR rails  /!\ FAILSAFE /!\  Fri Nov 22 19:47:53 +0100 2013
  Status: 500 Internal Server Error
  IP spoofing attack?!
HTTP_CLIENT_IP="[real.ip.deleted]"
HTTP_X_FORWARDED_FOR="[real.ip.deleted]"

Rails is right, but this use case is acceptable (to offer the SonarQube UI to suppliers, or when I want to check my CI results on my smartphone during my coffee time!).

The possibility to disable the IP spoofing check or uncheck proxy IP verification could be a great feature, configured in sonar.properties.


A workaround (tested in Sonar 3.7.3) is to set the following:

File: [sonar-dir]/war/sonar-server/WEB-INF/gems/gems/actionpack-2.3.15/lib/action_controller/base.rb

@@ip_spoofing_check = false

But modifying the distribution is not sustainable.

1 Answer

0
votes

This case seems to be specific to Apache 2.2 configured as a reverse proxy (ProxyPass directive) in front of SonarQube.

This version always adds the 'HTTP_X_FORWARDED_FOR' header.


The best solution (compared to the workaround described above) is to upgrade to Apache 2.4.

The ProxyAddHeaders directive could be used to control the addition of this header.


Another Stack Overflow thread: is-there-a-way-to-remove-apaches-reverse-proxy-request-headers
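
To make the error in the question concrete, here is an added Ruby sketch (not part of the original posts, and not SonarQube or Rails source) modeled on the comparison of Client-IP against X-Forwarded-For that produces this message. The method names, the exception class and the sample addresses are assumptions made for illustration.

```ruby
# Added sketch, not SonarQube or Rails source: a simplified model of the
# header consistency check behind the "IP spoofing attack?!" error.
class SpoofingSuspected < StandardError; end

# Parse a comma-separated X-Forwarded-For value into a list of addresses.
def forwarded_chain(value)
  value.to_s.split(',').map(&:strip).reject(&:empty?)
end

# env: CGI-style hash of request headers as the application sees them.
# check: models the ip_spoofing_check switch from the question's workaround.
def client_ip(env, check = true)
  chain = forwarded_chain(env['HTTP_X_FORWARDED_FOR'])
  claimed = env['HTTP_CLIENT_IP']
  if claimed
    # Two headers both claim to name the client. If they disagree, the app
    # cannot tell which one a proxy set and which one the client supplied.
    if check && !chain.empty? && !chain.include?(claimed)
      raise SpoofingSuspected, "IP spoofing attack?!\n" \
        "HTTP_CLIENT_IP=#{claimed.inspect}\n" \
        "HTTP_X_FORWARDED_FOR=#{env['HTTP_X_FORWARDED_FOR'].inspect}"
    end
    # With the check off, this value is returned without any verification.
    return claimed
  end
  # Simplified: no trusted-proxy filtering of the forwarded chain.
  chain.last || env['REMOTE_ADDR']
end

# Returns :ok or :rejected for a request env.
def verdict(env, check = true)
  client_ip(env, check)
  :ok
rescue SpoofingSuspected
  :rejected
end

# Constructed sample requests (documentation addresses, RFC 5737).
CONSISTENT = { 'HTTP_CLIENT_IP' => '203.0.113.7',
               'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 192.0.2.10' }
MISMATCH   = { 'HTTP_CLIENT_IP' => '203.0.113.7',
               'HTTP_X_FORWARDED_FOR' => '198.51.100.4' }
XFF_ONLY   = { 'HTTP_X_FORWARDED_FOR' => '198.51.100.4',
               'REMOTE_ADDR' => '192.0.2.10' }

puts verdict(CONSISTENT), verdict(MISMATCH), verdict(MISMATCH, false)
```

The mismatch case is rejected only while the check is on; once it is disabled, the Client-IP value is accepted as-is, which is why making the proxy send consistent headers is preferable to switching the check off.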