
Our organization is using a SonarQube application which is hosted on an Azure server; we use it internally and it is not accessible via the internet. For added security we implemented HTTPS for the application with the help of an SSL certificate issued by our internal certification authority.

But after I implemented HTTPS we are getting "Your connection to this site is not secure". Is there any way to make the connection secure, as we are using the application internally?

  • Are you hosting your SonarQube on a Windows machine? – Isaiah4110 Jul 26 '18 at 15:50
  • Yes, our production SonarQube application is installed on Windows Server. – Sebastian Peter Jul 27 '18 at 11:12
  • Please follow the last step and use the IIS/URL Rewrite module to set up a reverse proxy. – Isaiah4110 Jul 27 '18 at 11:38
  • I have used the below steps, and the application is up. But it is still getting the certificate error that the connection to this site is not secure. Is there any way to remove that and make the connection secure? – Sebastian Peter Aug 06 '18 at 10:39
  • The SSL error is happening because you are using a self-signed certificate and not going through a valid certificate authority. You need to import the root certificate into the trust store for the browser. Once the browser knows you trust this root certificate, all certificates signed by it will show up as trusted. Note that this will only make the connection trusted for you; any others who don't have the root certificate installed will still receive an error. – Isaiah4110 Aug 06 '18 at 15:22
  • Thanks for the information. However, is there any way to make it trusted for all the users, as we are using an intranet? Could you please also explain how to import the root certificate into the trust store for the browser? – Sebastian Peter Aug 09 '18 at 10:34
  • The best way is to use a signed certificate from a valid CA which all browsers accept. https://en.wikipedia.org/wiki/Certificate_authority Please mark it as the answer if it helped you. – Isaiah4110 Aug 15 '18 at 16:46
  • So @Isaiah4110, even though we are using our application internally, we should purchase a signed certificate from a valid CA which all browsers accept to make it trusted, right? – Sebastian Peter Aug 21 '18 at 11:05
  • If the below answer helped you, please mark it. For your other question, either you have to import the certificate that you created as a trusted certificate on all machines; that way the browser won't throw the error. Or else you need to spend money and buy a certificate. https://stackoverflow.com/questions/616055/https-certificate-for-internal-use – Isaiah4110 Aug 21 '18 at 14:42
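The diagnosis in the comments above, as an added example that is not part of the original post: a shell script using the openssl CLI (assumed installed) that issues a server certificate from a constructed internal root CA and then checks it three ways, against the system trust store alone, with the root imported, and with the root imported but the wrong hostname. The CA name and the hostname sonarqube.corp.example are constructed.

```shell
#!/bin/sh
# Added example, not code from the Stack Overflow post or from SonarQube:
# issue a certificate from a throw-away internal CA, then check it the way a
# browser does, with and without that CA's root in the trust store.
# Assumes the openssl CLI is installed; CA name and hostname are constructed.
set -eu

WORK=$(mktemp -d)
HOST=sonarqube.corp.example   # constructed hostname of the SonarQube proxy

# Minimal config so the run does not depend on a system openssl.cnf.
cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv_ext]
subjectAltName = DNS:$HOST
EOF

# 1. Private root CA, standing in for the organisation's internal CA.
openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
  -newkey rsa:2048 -nodes -days 365 -subj "/CN=Constructed Internal Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Server key and CSR for the proxy hostname.
openssl req -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=$HOST" -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null

# 3. The internal CA signs it; browsers match the hostname against the SAN.
openssl x509 -req -days 365 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/openssl.cnf" \
  -extensions srv_ext -out "$WORK/srv.pem" 2>/dev/null

# chain_status CERT ANCHOR HOSTNAME -> prints "trusted" or "untrusted".
# ANCHOR is a root-CA PEM file, or "system" for the default trust store,
# which is what a browser without the imported root effectively checks.
chain_status() {
  cert=$1; name=$3
  if [ "$2" = system ]; then set --; else set -- -CAfile "$2"; fi
  if openssl verify "$@" -verify_hostname "$name" "$cert" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

echo "system store only:         $(chain_status "$WORK/srv.pem" system "$HOST")"
echo "root imported:             $(chain_status "$WORK/srv.pem" "$WORK/ca.pem" "$HOST")"
echo "root imported, wrong name: $(chain_status "$WORK/srv.pem" "$WORK/ca.pem" other.corp.example)"
```

The first line is the browser's "not secure" case: the certificate itself is fine, only its issuer is unknown to the client. Importing the internal root into each client's trusted-root store (on Windows, the Trusted Root Certification Authorities store, usually pushed by Group Policy) moves every intranet client to the second case.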

1 Answer


As per the SonarQube documentation, for adding security/HTTPS their recommendation is to use a reverse proxy and not to add the SSL certificate to the SonarQube website directly. Here is the official documentation and the link:

To run the SonarQube server over HTTPS, you must build a standard reverse proxy infrastructure. The reverse proxy must be configured to set the value "X_FORWARDED_PROTO: https" in each HTTP request header. Without this property, redirection initiated by the SonarQube server will fall back on HTTP.

Using an Apache Proxy

We assume that you've already installed Apache 2 with module mod_proxy, that SonarQube is running and available on http://private_sonar_host:sonar_port/ and that you want to configure a Virtual Host for www.public_sonar.com. At this point, edit the HTTPd configuration file for the www.public_sonar.com virtual host. Include the following to expose SonarQube via mod_proxy at http://www.public_sonar.com/:

    ProxyRequests Off
    ProxyPreserveHost On
    <VirtualHost *:80>
      ServerName www.public_sonar.com
      ServerAdmin admin@somecompany.com
      ProxyPass / http://private_sonar_host:sonar_port/
      ProxyPassReverse / http://www.public_sonar.com/
      ErrorLog logs/somecompany/sonar/error.log
      CustomLog logs/somecompany/sonar/access.log common
    </VirtualHost>

Using Nginx

We assume that you've already installed Nginx, that you are using a Virtual Host for www.somecompany.com and that SonarQube is running and available on http://sonarhost:sonarport/. At this point, edit the Nginx configuration file. Include the following to expose SonarQube at http://www.somecompany.com/:

    # the server directive is nginx's virtual host directive
    server {
      # port to listen on. Can also be set to an IP:PORT
      listen 80;

      # sets the domain[s] that this vhost server requests for
      server_name www.somecompany.com;

      location / {
        proxy_pass http://sonarhost:sonarport;
      }
    }

Using IIS

SonarQube recommends the use of a reverse proxy to secure your Sonar installation. With the help of IIS and the URL Rewrite module, that's a piece of cake to set up.

What you'll need:

  1. IIS enabled on a machine (doesn't have to be the SonarQube machine, but I'm going to assume you're doing this on the same system)
  2. The URL Rewrite extension for IIS (https://www.iis.net/downloads/microsoft/url-rewrite)
  3. The Application Request Routing extension for IIS (https://www.iis.net/downloads/microsoft/application-request-routing)
  4. An SSL certificate (can be self-signed or a real one)

The first step is to create an IIS website which will act as the reverse proxy.

Unless you're required to do Kerberos authentication, you don't need to configure any form of authentication on your reverse proxy. It should forward the challenge from SonarQube if you've configured Active Directory integration there.

If you are using Kerberos or IIS Advanced protection, please look here for guidance on configuring that correctly. (https://blogs.technet.microsoft.com/latam/2015/06/24/kerberos-authentication-and-application-request-routing/)

Configure the binding to use SSL and set up the correct hostnames and the certificate. I'm cheating a little by using the IIS Express Development Certificate installed on my machine:

Next we'll open the URL Rewrite settings to configure the reverse proxy:

Click Add Rule to create a new rule:

And pick "Reverse Proxy" from the list of templates:

Enter the destination server URL (can be http://localhost:9000, or even a remote server) and click OK to create the rule:

You're back in the URL Rewrite screen, where we'll need to add an extra server variable which we'll send along with the request to the other server, in order to tell SonarQube it's actually behind a reverse proxy that's doing the SSL offloading for it:

Click "Add..." to create the server variable:

Add the server variable "X_FORWARDED_PROTO" to allow the Rewrite Module to manipulate this header:

You should now have the variable listed in the variable list. Click "Go back to Rules" to move back to the rules list:

Edit the URL Rewrite rule you've just created:

Expand the Server variables section of the rule definition:

Add the "X_FORWARDED_PROTO" header you've allowed in the previous step and give it the value "https":

Apply the changes:

And now you should be able to access SonarQube over SSL. You may want to configure the original SonarQube instance to only accept traffic from your reverse proxy, or only accept traffic from localhost, through the Windows Firewall.

Copied from:

  • USING IIS
  • Server setup documentation
