Sonarqube behind https proxy with X_FORWARDED_PROTO

1
votes

What I want to achieve:

Browser -> Apache (https) -> Sonarqube (http)

Problem:

Location header from Sonar is http://.., so accessing https://trm.tine.no/sonar redirects to http://trm.tine.no/sonar

I have folllowed the instructions for standard reverse proxy infrastructure as described here: http://docs.sonarqube.org/display/SONAR/Running+SonarQube+Over+HTTPS

ProxyPreserveHost On
ProxyRequests Off
..
.. SSL config goes here
..
RequestHeader set X-Forwarded-Proto "https"

#SONAR related configurations
AllowEncodedSlashes NoDecode
ProxyPass /sonar http://<my.ip>:9000/sonar disablereuse=On nocanon
ProxyPassReverse /sonar http://<my.ip>:9000/sonar

I have verfied the X-Forwarded-Proto header by proxying Nexus (which also relies on X-Forwarded-Proto), and this works as expected.

curl confirms the Location header as http, not https curl -I https://trm.tine.no/sonar

HTTP/1.1 302 Found
Date: Wed, 21 Oct 2015 13:49:39 GMT
Server: Apache-Coyote/1.1
Location: http://trm.tine.no/sonar/
Transfer-Encoding: chunked

Wondering what I might be missing, or if this is an actual bug?

Running Sonarqube 5.1.1

Solution

The proposed solution from @kraal did not have any effect for us, but if you append / to the URI it works.

E.g.

curl -I https://trm.tine.no/sonar
HTTP/1.1 302 Found
Date: Thu, 22 Oct 2015 10:53:23 GMT
Server: Apache-Coyote/1.1
Location: http://trm.tine.no/sonar/
Transfer-Encoding: chunked

As we can see, Location is still set to http, but the following works (note the / at the end)

curl -I https://trm.tine.no/sonar/
HTTP/1.1 302 Found  
Date: Thu, 22 Oct 2015 10:53:25 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Location: https://trm.tine.no/sonar/sessions/new
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=utf-8
Content-Length: 104
Set-Cookie: JSESSIONID=A8B19F73D93B35BCA24F019EEB848666; Path=/sonar/; HttpOnly

So there seems to be something happening when Sonar redirects to /sonar/sessions/new (the login page), which behaves differently from /sonar/ to /sonar

Appending the / to the URI is a workaround which works for us.

3
sonarqubemod-proxysonarqube5.1

3 Answers

1
votes

The issue is probably due to your ProxyPassReverse. Here follows an excerpt from our configuration (with apache < 2.2.18):

<VirtualHost *:443>
    # https and port are specified in order to make sure that the server generates the correct
    # self-referential URLs.
    ServerName https://visiblehost:443

    # ... SSL and other configuration here

    # ProxyRequests must be set to "off" as we use Apache as a reverse proxy.
    ProxyRequests           Off

    # ProxyPreserveHost must be set to "on" in order to pass the Host: line from the incoming request to the
    # proxied host, instead of the hostname specified in the ProxyPass line.
    ProxyPreserveHost       On

    # AllowEncodedSlashes must be set to "on" in order to preserve urls built by SonarQube which include
    # encoded slashes. Once we upgrade to Apache 2.2.18, the property will need to be set to "NoDecode".
    AllowEncodedSlashes     On

    # Some RequestHeaders must be set in order for the headers to have the right value required for https
    # communications.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    # ProxyPass defines that Apache communicates with SonarQube using ajp protocol
    # and that no canonalization has to be done.
    # ReverseProxyPass defines that https communications are only done between client
    # and Apache.

    ProxyPass               /sonar    ajp://hiddenhost:port/sonar nocanon
    ProxyPassReverse        /sonar    https://visiblehost/sonar

</VirtualHost>

As you can see, on the one hand, ProxyPassReverse defines that https communications have to be done between users and the reverse proxy on /sonar context root. The specified URL is the Apache URL that is "visible" to users.

On the other hand ProxyPass defines that Apache sends all trafic on /sonar to a "hidden" URL. In our case we use AJP protocol in order to make sure that this URL is not accessible directly, but if you're using http the configuration should be similar (replace ajp with http).

Hope it helps,

Michel

0
votes

(For anyone who stumbles on this post, I posted a similar problem in the google group: https://groups.google.com/forum/#!topic/sonarqube/mztZGAvG_I0 and was notified off this post by a replyer, it was not my intention to cause duplication)

Regarding the fix that works for you by changing the trailing slashes, sadly this did not work for me (I already appended them) Removing them does also not work.

0
votes

In my case with Apache 2.4 and Sonarqube 8.0 I solved with:

<Location /sonarqube>
        RewriteEngine  On
        RewriteCond %{HTTP:X-Forwarded-Proto} !https
        RewriteCond %{HTTPS} off
        RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

        ProxyPreserveHost On
        ProxyPass http://192.168.10.15:9000/sonarqube
        ProxyPassReverse http://192.168.10.15:9000/sonarqube
</Location>