Is there a plan to add HTTPS back to SonarQube? - ssl

I'm running SonarQube with a reverse proxy. However, I'm also using X.509 authentication between SonarQube and the database for security reasons. I can no longer connect to my PostgreSQL database after upgrading from 5.4 to 5.6 because the certificate isn't being passed.
Is there another way to configure SonarQube to use a local keystore when negotiating an SSL connection to the database?
Is there a plan to add SSL support back?
Is there a plan to add WAR-style deployments back?
I might be stuck at 5.4.

HTTPS is supported by SonarQube using a reverse proxy. Here is the official documentation and the link:
To run the SonarQube server over HTTPS, you must build a standard reverse proxy infrastructure.
The reverse proxy must be configured to set the value "X_FORWARDED_PROTO: https" in each HTTP request header. Without this property, redirection initiated by the SonarQube server will fall back on HTTP.
Using an Apache Proxy
We assume that you've already installed Apache 2 with module mod_proxy, that SonarQube is running and available on http://private_sonar_host:sonar_port/ and that you want to configure a Virtual Host for www.public_sonar.com.
At this point, edit the HTTPd configuration file for the www.public_sonar.com virtual host. Include the following to expose SonarQube via mod_proxy at http://www.public_sonar.com/:
ProxyRequests Off
ProxyPreserveHost On
<VirtualHost *:80>
  ServerName www.public_sonar.com
  ServerAdmin admin@somecompany.com
  ProxyPass / http://private_sonar_host:sonar_port/
  ProxyPassReverse / http://www.public_sonar.com/
  ErrorLog logs/somecompany/sonar/error.log
  CustomLog logs/somecompany/sonar/access.log common
</VirtualHost>
Using Nginx
We assume that you've already installed Nginx, that you are using a Virtual Host for www.somecompany.com and that SonarQube is running and available on http://sonarhost:sonarport/.
At this point, edit the Nginx configuration file. Include the following to expose SonarQube at http://www.somecompany.com/:
# the server directive is nginx's virtual host directive
server {
  # port to listen on. Can also be set to an IP:PORT
  listen 80;
  # sets the domain[s] that this vhost server requests for
  server_name www.somecompany.com;
  location / {
    proxy_pass http://sonarhost:sonarport;
  }
}
Using IIS
SonarQube recommends the use of a Reverse Proxy to secure your sonar installation. With the help of IIS and the Url Rewrite module, that's a piece of cake to set up.
What you'll need:
IIS enabled on a machine (doesn't have to be the SonarQube machine, but I'm going to assume you're doing this on the same system)
The Url Rewrite extension for IIS (https://www.iis.net/downloads/microsoft/url-rewrite)
The Application Based Routing extension for IIS (https://www.iis.net/downloads/microsoft/application-request-routing)
An SSL certificate (can be self signed or a real one)
The first step is to create an IIS website which will act as the reverse proxy.
Unless you're required to do Kerberos authentication, you don't need to configure any form of authentication on your Reverse Proxy. It should forward the challenge from SonarQube if you've configured Active Directory integration there.
If you are using Kerberos or IIS Advanced protection, please look here for guidance on configuring that correctly. (https://blogs.technet.microsoft.com/latam/2015/06/24/kerberos-authentication-and-application-request-routing/)
Configure the binding to use SSL and set up the correct hostnames and the certificate. I'm cheating a little by using the IIS Express Development Certificate installed on my machine:
Next we'll open the URL Rewrite settings to configure reverse proxy:
Click Add Rule to create a new rule:
And pick "Reverse Proxy" from the list of templates:
Enter the destination server URL (can be http://localhost:9000, or even a remote server) and click OK to create the rule:
You're back in the URL Rewrite screen where we'll need to add an extra server variable which we'll send along with the request to the other server in order to tell SonarQube it's actually behind a Reverse Proxy that's doing the SSL offloading for it:
Click "Add..." to create the server variable:
Add the server variable "X_FORWARDED_PROTO" to allow the Rewrite Module to manipulate this header:
You should now have the variable listed in the Variable list. Click "Go back to Rules" to move back to the rules list:
Edit the URL Rewrite rule you've just created:
Expand the Server variables section of the rule definition:
Add the "X_FORWARDED_PROTO" header you've allowed in the previous step and give it the value "https":
Apply the changes:
And now you should be able to access SonarQube over SSL. You may want to configure the original SonarQube instance to only accept traffic from your reverse proxy or only accept traffic from localhost through the Windows Firewall.
Copied from:
USING IIS
Server setup documentation
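An added example, not part of the quoted SonarQube documentation or of this answer: the Apache virtual host above extended so that Apache terminates TLS itself and sends the forwarded-protocol header the documentation requires. The certificate paths are placeholders, and the header is written in its conventional hyphenated form, X-Forwarded-Proto, which is an assumption about how the documented X_FORWARDED_PROTO value is spelled on the wire. mod_ssl and mod_headers must be loaded in addition to mod_proxy and mod_proxy_http.

```apache
ProxyRequests Off
ProxyPreserveHost On

# Plain-HTTP listener: nothing is proxied here, clients are only
# redirected to the HTTPS virtual host below.
<VirtualHost *:80>
  ServerName www.public_sonar.com
  Redirect permanent / https://www.public_sonar.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName www.public_sonar.com
  ServerAdmin admin@somecompany.com

  # TLS is terminated at the proxy. Both paths are placeholders.
  SSLEngine on
  SSLCertificateFile /path/to/public_sonar.crt
  SSLCertificateKeyFile /path/to/public_sonar.key

  # Tell the backend that the client connection was HTTPS.
  # "set" replaces any value of this header supplied by the client,
  # so the backend only ever sees the proxy's own statement.
  # Header name spelling is an assumption (see the lead-in).
  RequestHeader set X-Forwarded-Proto "https"

  # Backend address as given on the page; it still speaks plain HTTP.
  ProxyPass / http://private_sonar_host:sonar_port/

  # Kept as on the page. With ProxyPreserveHost On the backend builds
  # redirects from the public host name, and this line maps an http://
  # Location header back onto this HTTPS virtual host.
  ProxyPassReverse / http://www.public_sonar.com/

  ErrorLog logs/somecompany/sonar/error.log
  CustomLog logs/somecompany/sonar/access.log common
</VirtualHost>
```

The hop from Apache to SonarQube is still unencrypted HTTP, so the advice above to accept traffic on the SonarQube port only from the reverse proxy applies to this setup as well.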

Answer to point 2 : The only way to deal with HTTPS on SonarQube is to use a proxy.
Have a look at the documentation for more information.
Answer to point 3 : No, there's no plan to get back to WAR.

Related

websphere and apache server proxy and rewrite configuration

There are Java EE applications running on a WebSphere server.
What I wanna do is configure an HTTP server that takes the request and redirects it to my local WebSphere server.
For example:
This is live Project testProject.com/Otel..
I wanna reach my local project when I insert local.testProject.com/Otel..
What I have done so far: I can reach my local Apache server when I open local.testProject.com, just by adding it to the hosts file in the windows/system32/drivers/etc directory.
What I could not do so far: redirecting the requests that arrive at my Apache server to the WebSphere server.
Could you please help me with this? Don't hesitate to ask further questions.
I would appreciate it if you could give me some ideas, even just by commenting.
Good days..
IBM provides a specialty reverse proxy module for Apache called the WebSphere WebServer Plug-in. Its use is described in detail in the websphere documentation.
In simple configurations, you can just configure any server you already have as a reverse proxy.
Load mod_proxy and mod_proxy_http (varies depending on Apache distribution)
Append to your virtual host:
ProxyPreserveHost ON
ProxyPass /otel http://washostname.example.com/otel
# ProxyPassReverse likely not required in your case.
Of course there are thousands of places to read about setting up Apache as a reverse proxy and there are nearly no WebSphere specifics.

reverse proxy apache to localhost server

I've got a web app running on localhost:3000. I also have an apache server. I would like to reverse proxy the apache server so that requests to /mywebapp get forwarded to the server running on localhost:3000.
I currently have the following config at the bottom of my httpd.conf file, but I'm getting a server error when I try to access it:
ProxyPass /mywebapp http://localhost:3000
ProxyPassReverse /mywebapp http://localhost:3000
Edit - further details:
I'm running a jetty server with java -jar myapp.jar. I'd like to forward requests to an apache server listening on :80 to the jetty server.
I've got mod_proxy_http.so and mod_proxy.so enabled.
I can tell the server is running on localhost - it responds to curl with the appropriate http response. So I'm pretty sure the issue is with my apache setup, but I can't think what the problem would be.
Apache conf file in conf.d for reference: http://pastebin.com/vhXwjbQe
And I've got this in my httpd.conf:
Include conf.d/*.conf
It's hard to give a generic answer because every situation is different so here are some debugging questions to ask yourself:
Are the protocol and port correct on the internal service: http and 3000?
Is the service actually listening for connections from localhost? Is it running in a docker container etc. that would require it to be listening on a different interface? You can check for this by looking at the output from mywebapp's logs and seeing if the requests are making it through the proxy.
Do the paths on the internal service include the prefix that is being passed to Apache, or does Apache need to strip it off? If, for instance, mywebapp expects the path "/foo/bar" and Apache's reverse proxy is sending it with the context path included, "/mywebapp/foo/bar", then it will not match any path in mywebapp.

Multiple protocols for internal communication between apache and tomcat

Tomcat in our application is considered the back-end side, and additionally we have Apache fronting the Tomcat server as a reverse proxy and redirecting requests to the appropriate Tomcat instance.
Now we need to set up an HTTPS connection between the Apache proxy and Tomcat for specific URLs (Login, etc.). The Tomcat documentation says that it's possible to achieve this with an additional <Connector> within the server.xml config.
In order to set up https over login page existing configuration with AJP protocol was replaced with the following:
ProxyPass /app/login/ https://127.0.0.1:6666/app/login/
All other urls specified like below:
ProxyPass /app/anyotherurl/ ajp://127.0.0.1:5555/app/anyotherurl/
With configuration below we expect that secure data (login/password) for login page will be encrypted and all other page will remain unchanged.
After the login Apache should use the normal AJP protocol because there is no sensitive information to protect any more. But that's not what actually happens in our case, because for some reason Apache is redirecting us to the host specified in ProxyPass, namely to localhost.
This could happen due to the fact that our application while executing login logic on tomcat has two consecutive redirects.
We've tried to set ProxyPreserveHost on within virtual host to fix situation mentioned above, but we are not sure whether it is secure option and this one won't break another pages as well as we are not sure how it will work if tomcat will be located on other machine.
It would be good to know any other solution how such stuff can be applied internally for specific pages.

Does configuring a web server with SSL break regular HTTP

I'm in the process of getting an SSL certificate for my website, which I'm running off a VPS. My website also serves as a web service for some iOS/Android applications to fetch data from. I'm just wondering if installing and configuring an SSL certificate in Apache will force everyone to contact the web server over HTTPS and refuse regular HTTP calls. Hence, will my applications break until I've released an update making all server calls to HTTPS?
Cheers
Apache can handle both http and https at the same time.
Normally you set up your http site under something like httpd.conf which includes a line (might be commented out) something like:
Include extra/httpd-ssl.conf
which tells apache to load additional configuration for the httpd-ssl.conf file located in the 'extra' directory.
If you did a standard install of Apache then the httpd-ssl.conf file is already there with a generic template for the HTTPS site; just modify it as necessary and (if needed) uncomment the Include line above in httpd.conf.

GeoServer under https

I am using Apache web server on localhost:80 and GeoServer served from Tomcat on localhost:8080.
I recently installed an SSL certificate on Apache and it works fine, except that I get the message that says I have insecure content, which I thought was the GeoServer layers. So now I'm trying to enable SSL for GeoServer and have OpenLayers content like this https://example.org:8080/geoserver but I'm still not sure what's the best approach to do that.
My suggestion:
Add a (reverse) proxy in Apache and configure your web application so that it connects only to the Apache proxying the GeoServer.
ProxyPass "/geoserver" "http://localhost:8080/geoserver"
ProxyPassReverse "/geoserver" "http://localhost:8080/geoserver"
This way you only need to allow HTTPS in the firewall and nobody from outside will have the chance to reach GeoServer's web interface unless you enable port 8080 on the firewall. Also see https://gis.stackexchange.com/q/4323/109339 for further details.
Please note that you should set the https://docs.geoserver.org/stable/en/user/configuration/globalsettings.html#proxy-base-url of GeoServer with the public reachable URL via your Apache, e.g. https://your-apache.com/geoserver - otherwise the absolute URLs generated from GeoServer in e.g. GetCapabilities start with http://localhost:8080/geoserver (which is not reachable anymore).
If you had not already Apache in use, I would recommend nginx.