Correction of SONAR-13328 doesn't work when hostname is changed

Hi,

I installed SQ 8.4 behind a reverse proxy (Nginx):

+-----------------------------------------------------+
| RP: https://my.sonarqube.com/sonarqube              |
+-----------------------------------------------------+
                           |
                           |
                           v
+-----------------------------------------------------+
| SQ Server: http://my.private.machine:9000/sonarqube |
+-----------------------------------------------------+

On my installation, authentication is delegated to a SAML identity provider (Keycloak).

With version 8.3, everything works fine, but when I upgraded to version 8.4, I got this error message:

...
2020.07.08 18:06:33 ERROR web[AXMvLzbkyA2zFrW/AAAF][c.o.s.a.SamlResponse] The response was received at https://my.private.machine:9000/sonarqube/oauth2/callback/saml instead of https://my.sonarqube.com/sonarqube/oauth2/callback/saml
...

So I checked out the sources, and I saw this commit, which changes the HTTP scheme when the SQ server is behind a reverse proxy server. But the hostname and port are not affected by this update.

To fix that, I reconfigured my Nginx RP to add proxy_set_header Host $http_host; for the dedicated location.

Now it works, but I think the reverse proxy management design is weird. SQ uses Tomcat, which offers a prettier solution to configure a reverse proxy.

I tested it through PR https://github.com/SonarSource/sonarqube/pull/3243 and it works for my installation.

Hi @Ripolin,
In your SQ instance, what is the value of the sonar.core.serverBaseURL property? You can find it in Administration -> General Settings -> General -> Server base URL.

This property was correctly filled in my sonar.properties file:

...
#--------------------------------------------------------------------------------------------------
# CORE
sonar.core.serverBaseURL=https://my.sonarqube.com/sonarqube 
...

This property should NOT be set in sonar.properties, as doing so means it won’t be taken into account correctly.

Only settings documented in sonar.properties should be defined there; the other ones should be defined in the UI (see Michal’s message to find the correct place) or by web service.

OK, I configured sonar.core.serverBaseURL through the UI and restarted SQ. Nothing changed: without proxy_set_header Host $http_host; in the Nginx location, I got the message “The response was received at …” like above.

In my mind, sonar.core.serverBaseURL could be deprecated, because when the reverse proxy is fully configured through the Tomcat connector, it’s possible to retrieve the same information.

We will investigate your suggestion about Tomcat, I think you might have a point. But since the change would impact other SQ areas, perhaps we can first find a way to make your configuration work with current SQ.

Can you please post the value you’ve set for Valid Redirect URIs in Keycloak in your client settings?

On Keycloak, I have one URL in Valid Redirect URIs: https://my.sonarqube.com/sonarqube/oauth2/callback/saml

I also tried adding a second URL, https://my.private.machine:9000/sonarqube/oauth2/callback/saml, for testing purposes, but it had no effect.

@Ripolin my solution/workaround to this (using Okta SAML) was to configure the ACS/Redirect URL to be the https address, but to modify the recipient (SP Entity ID) and destination URLs within the assertion to be the http/:9000 URL. Basically, configure the provider to talk through the https URL but within the assertion say it’s destined for the URL behind the reverse proxy.

Overriding the Host header with the reverse proxy hostname when the proxy request is generated works for me. It seems there are multiple workarounds to fix that issue, but to me it would be better to use the native proxy feature provided by Tomcat to fix it. I made an example in the PR https://github.com/SonarSource/sonarqube/pull/3243/commits
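
The destination check behind the "The response was received at …" error in this thread, modelled as an added example (not code from SonarQube or from any poster here). It assumes the backend takes the scheme from X-Forwarded-Proto and the host and port from the Host header; the function names and header dictionaries are constructed for illustration.

```python
# Values taken from the thread.
CALLBACK_PATH = "/sonarqube/oauth2/callback/saml"
EXPECTED_DESTINATION = "https://my.sonarqube.com" + CALLBACK_PATH


def received_url(headers, path, connector_scheme="http"):
    """Rebuild the URL the backend believes it was called on.

    Assumption: the scheme comes from X-Forwarded-Proto when present,
    while host and port come only from the Host header.
    """
    scheme = headers.get("X-Forwarded-Proto", connector_scheme)
    return f"{scheme}://{headers['Host']}{path}"


def check_destination(headers, path, destination=EXPECTED_DESTINATION):
    """Compare the rebuilt URL with the Destination the IdP was given.

    Returns (ok, message). A mismatch is rejected because an assertion
    addressed to one endpoint must not be accepted at another.
    """
    got = received_url(headers, path)
    if got == destination:
        return True, "destination matches"
    return False, f"The response was received at {got} instead of {destination}"


# Constructed sample requests, as the backend would see them.
# nginx proxy_pass without a Host override sends the upstream name
# ($proxy_host), so the backend sees its own private host and port.
DEFAULT_PROXY = {"Host": "my.private.machine:9000", "X-Forwarded-Proto": "https"}
# With `proxy_set_header Host $http_host;` the client's Host passes through.
HOST_PRESERVED = {"Host": "my.sonarqube.com", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    for name, hdrs in (("default proxy", DEFAULT_PROXY),
                       ("host preserved", HOST_PRESERVED)):
        ok, message = check_destination(hdrs, CALLBACK_PATH)
        print(f"{name}: ok={ok} ({message})")
```

Because the forwarded Host value feeds a security check, passing it through is only sound when the backend port accepts connections from the proxy alone.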