user2570084

Reputation: 31

sonar 3.6 https configuration

I have just upgraded from Sonar 3.2.1 to Sonar 3.6. I was able to configure Sonar 3.2.1 to use https by placing a jetty.xml file in SONAR_HOME. The same approach does not seem to work for Sonar 3.6, and from looking at the source for org.sonar.application.JettyEmbedder I think the https port is hard-coded to 8443. FYI, the embedded Jetty version is 7.6.11.

The relevant Sonar FAQ reads thus:

"Can SonarQube run in HTTPS mode? No. But you can run SonarQube in a standard HTTPS infrastructure using reverse proxy (in this case the reverse proxy must be configured to set the value 'X_FORWARDED_PROTO: https' in each HTTP request header. Without this property, redirection initiated by the SonarQube server will fall back on HTTP)."

If this is true then Sonar has taken a step backwards security-wise. Is there an alternative way to configure Sonar/Jetty to run on https?

Upvotes: 2

Views: 2468

Answers (1)

harunyardimci

Reputation: 183

You can install Apache on the same machine and set up a reverse proxy.

Your http://your-sonar-host.com address needs to run on port 80. Apache will forward it to 9000 (Sonar runs on port 9000).

After installing Apache, open the configuration and type the following:

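# Requires mod_proxy, mod_proxy_http and mod_headers to be enabled.
<Location />
    # Forward every request to Sonar on port 9000 and rewrite its redirects.
    ProxyPass http://your-sonar-host.com:9000/
    ProxyPassReverse http://your-sonar-host.com:9000/
    # Tell Sonar the original request was https (see the FAQ above).
    RequestHeader set X_FORWARDED_PROTO 'https'
    # Talk HTTP/1.0 without keep-alive to the backend.
    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1
</Location>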

There is nothing else you need to do.

Upvotes: 1
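
The reverse-proxy setup discussed above with Apache itself terminating TLS, as an added example that is not part of the original question or answer. It assumes Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded and `Listen 80` / `Listen 443` already present in the main configuration; the hostname is the one used in the answer and the certificate paths are placeholders.

```apache
# Added example, not the poster's configuration.

# Plain HTTP: nothing is proxied here, clients are only sent to the TLS site.
<VirtualHost *:80>
    ServerName your-sonar-host.com
    Redirect permanent / https://your-sonar-host.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName your-sonar-host.com

    # TLS terminates at Apache. Placeholder paths: use your own cert and key.
    SSLEngine on
    SSLCertificateFile    /path/to/your-sonar-host.com.crt
    SSLCertificateKeyFile /path/to/your-sonar-host.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Assumption: Sonar listens on port 9000 on this same machine.
    # Block port 9000 from other hosts (firewall or loopback-only binding),
    # otherwise clients can still reach Sonar over plain HTTP.
    ProxyPass        / http://127.0.0.1:9000/
    ProxyPassReverse / http://127.0.0.1:9000/

    # "set" overwrites any value the client sent, so the backend only ever
    # sees the proxy's own statement that the request arrived over https.
    RequestHeader set X_FORWARDED_PROTO "https"

    # Keep browsers on https for subsequent visits.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

After reloading Apache, `curl -sI http://your-sonar-host.com/` should show a 301 to the https URL, and redirects issued by Sonar behind the proxy should carry an `https://` Location header.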
