I am trying to switch from HTTP to HTTPS on my instance of Sonarqube running on a Docker container. I am using Docker Swarm with a docker-compose.yml file to deploy the container. I have my hostname.crt and hostname.jks certs created and ready for use. I have not found any documentation on environment variables that can be set in the docker-compose to enable SSL. The closest resource I have found is here with HTTPS_PROXYHOST and HTTPS_PROXYPORT variables, but it is unclear how these would be used. https://docs.sonarqube.org/latest/setup/environment-variables/
I would suggest adding a reverse proxy / load balancer in front of SonarQube and terminating TLS before forwarding the traffic to the SonarQube service. You can find some docs here.
For Docker, to get you a fast start, you can turn to the almighty nginx-proxy. Just make sure that you increase the client_max_body_size when using this image.
As for your compose: the environment variables seem odd to me. I think they should look something like this
I am trying to get nginx-proxy set up in front of SonarQube as you suggested. To configure the proxy, I am making edits to the default.conf file and mounting it to the nginx Docker container. Currently, http://<hostname>:80 is rerouting to my SonarQube instance at http://<hostname>:9000, so I know that nginx is at least somewhat functional. However, I have not been able to set it up so that only HTTPS traffic routes to SonarQube. Any idea how to configure this? Also, the environment variables I set have been working in my SonarQube so far - maybe there are different types of syntax that work.
My edits to the default.conf file and nginx docker-compose are shown below. Any additional help is greatly appreciated.
default.conf:
...
server {
    # port to listen on. Can also be set to an IP:PORT
    listen 80;
    # sets the domain[s] that this vhost server requests for
    # this line is throwing a warning: server name "https://<hostname>:9000" has suspicious symbols in /etc/nginx/default.conf:56
    server_name https://<hostname>:9000;
    location / {
        proxy_pass http://<hostname>:9000;
    }
}
You see that the compose now only exposes port 80 (HTTP) and 443 (HTTPS). The certificates should be stored in /u01/docker_data/nginx/certs/ and use the naming convention described here.
The content of the config that is mounted inside the reverse proxy should be tweaked to your company guidelines. For testing you can set it to something like this: client_max_body_size 0;
Thanks @Tobias_Trabelsi, I managed to get things working with your help! The docker-compose that worked for me isn’t exactly the same as what you posted, so I’ll post mine here in case anyone has the same issue. Now I can access my SonarQube with the URL https://<hostname>:9000/, but not with http://<hostname>:9000/ which is exactly the result I was looking for. From my understanding, VIRTUAL_PORT: 9000 is being exposed and then the mapped port on nginx is routing traffic to this port. But I do not know exactly what is happening, can you help clarify how this solution works?
This is one way to do it if you want to keep the port, but in general (this would also solve your problem with http -> https redirection) it would be cleaner to get rid of it.
The VIRTUAL_PORT variable is parsed by the template engine of the reverse proxy in order to know which port the HTTP traffic should be routed to on the internal Docker network if there are multiple EXPOSE statements in the Dockerfile.
When you map port 80 to 80 and 443 to 443 on the reverse proxy, all traffic that comes in via HTTP on port 80 is redirected with a 301 to the HTTPS port and scheme.
However, setting sonar.web.port=-1 in the /sonarqube/conf/sonar.properties file throws this error. Do you have any idea why this is happening?
docker service logs sonarqube_sonarqube:
2020.06.25 18:36:33 WARN web[][o.s.p.ProcessEntryPoint] Fail to start web
sonarqube_sonarqube.1.inuur8t6pzq9@<hostname> | java.lang.IllegalStateException: HTTP port '-1' is invalid
Also, I tried mapping 80:80 and 443:443 in the reverse proxy, and that seems to break SonarQube. It only seems to be working with 9000:443.
The docs are for SonarQube version 4.5 and this option is not valid anymore.
Can you describe what you mean by “breaks SonarQube”? Because it is running just fine for me with these settings.
Thanks, I should have paid attention to the version. I actually did end up getting SonarQube running with 80:80 and 443:443. These are the nginx settings in the docker-compose:
Thanks for all of the help - I have one last question to get a clean result. Currently, http://hostname:443 is redirecting to the following page. We are worried that this could be a security vulnerability since it shows the version of nginx. Do you have any idea how we would avoid showing this page, or how to hide the version of nginx?
You can remove the version using server_tokens off;. Like the unrestricted_client_body_size.conf file, you can just mount an additional file in the container or have both settings in one file and mount them to /etc/nginx/conf.d/.
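Pulling the pieces of this thread together (VIRTUAL_HOST/VIRTUAL_PORT routing, the 80/443 mapping that gives the 301 redirect, the certs directory, and the conf.d mount for server_tokens off and client_max_body_size), here is an added example stack file; it is not one of the compose files posted in the thread, and the hostname sonar.example.com, the image tags and the /u01/docker_data/nginx/conf.d path are assumptions.

```yaml
# Added example (not from the thread): nginx-proxy terminating TLS for SonarQube.
# Assumes proxy and SonarQube tasks run on the same node, because nginx-proxy
# only sees containers of the Docker daemon whose socket it has mounted.
version: "3.7"

services:
  proxy:
    image: nginxproxy/nginx-proxy
    ports:
      - "80:80"     # plain HTTP: nginx-proxy answers with a 301 to https://
      - "443:443"   # HTTPS: TLS is terminated here, never inside SonarQube
    volumes:
      # nginx-proxy watches the Docker socket to discover VIRTUAL_HOST containers
      - /var/run/docker.sock:/tmp/docker.sock:ro
      # nginx-proxy cert naming convention: <VIRTUAL_HOST>.crt and <VIRTUAL_HOST>.key,
      # i.e. sonar.example.com.crt / sonar.example.com.key in this directory
      - /u01/docker_data/nginx/certs:/etc/nginx/certs:ro
      # extra nginx settings are picked up from conf.d; this file (assumed path)
      # holds the two directives discussed in the thread:
      #   server_tokens off;        # hide the nginx version in headers and error pages
      #   client_max_body_size 0;   # do not cap analysis report uploads
      - /u01/docker_data/nginx/conf.d/sonarqube.conf:/etc/nginx/conf.d/sonarqube.conf:ro
    networks:
      - proxy

  sonarqube:
    image: sonarqube:lts
    # no "ports:" entry: SonarQube is reachable only through the proxy
    environment:
      # nginx-proxy generates a server block for this name ...
      VIRTUAL_HOST: sonar.example.com
      # ... and proxies it to this port on the internal network (SonarQube default)
      VIRTUAL_PORT: "9000"
    networks:
      - proxy

networks:
  proxy:
```

Because a matching certificate exists for the VIRTUAL_HOST, nginx-proxy serves that name over 443 and redirects the 80 listener to it; a quick check after deploying is that http://sonar.example.com/ returns a 301 to https:// and the Server: header no longer carries a version number.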