We need to expose our on-premise hosted SonarQube instance in order to be able to analyze builds that run on hosted agents (Azure DevOps). We would leverage a reverse proxy. In order to do this in a secure way, we would like to have some authentication on the connection. It seems, however, that some API methods are not authenticated and these are called before a token gets used (check version, get users, download jar file).
We’re currently analyzing 2 tracks:
- implement the unauthenticated calls in a static fashion on the reverse proxy in order to limit access/avoid misuse, and set up a kind of whitelisting for subsequent calls from the same IP once authenticated
- use an SSL/SSH tunneling mechanism to create a secure/authenticated channel towards the reverse proxy, which will then tunnel all calls (possibly with stunnel)
- Is there a way to deploy SonarQube which is more secure and acceptable to expose on Internet?
- Did anyone already implement such setup?
- Is there any effort to secure the sonarqube API?
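The first track above (a static allow-list of pre-authentication endpoints, a token check on everything else, and a short-lived per-IP allow-list once a token has been seen) can be prototyped as a small policy object before wiring it into a real reverse proxy. The code below is an added example and is not from the original post, from SonarSource, or from any proxy product: the endpoint paths in `PRE_AUTH_EXACT` / `PRE_AUTH_PREFIXES`, the token set, and the assumption that the scanner sends its token as the Basic-auth user name (or as a Bearer token) are all illustrative assumptions that must be replaced with what the scanner's actual traffic shows. One caveat the example makes visible: the per-IP allow-list is only as strong as the IP, and Microsoft-hosted Azure DevOps agents share egress IP ranges with other tenants, so the TTL should be kept short and the token should still be required on the calls that matter.

```python
"""Reverse-proxy admission policy for an exposed SonarQube API (added example).

Three rules, evaluated in order for every request:
  1. a request carrying a valid token is allowed and marks its client IP as
     recently-authenticated for `ttl_seconds`;
  2. a request without a token is allowed only if it targets one of the static
     pre-authentication endpoints (GET/HEAD only);
  3. otherwise it is allowed only if its client IP was recently authenticated.
Endpoint paths and the token transport are assumptions for illustration.
"""
import base64
import hmac
import time
from typing import Dict, Mapping, Optional, Set, Tuple

# Assumed pre-auth endpoints (version check, user lookup, plugin/jar download).
# The real list must be taken from the scanner's own traffic.
PRE_AUTH_EXACT = {"/api/server/version", "/api/users/search"}
PRE_AUTH_PREFIXES = ("/static/", "/api/plugins/download")


def basic_auth_header(token: str) -> Dict[str, str]:
    """Header a scanner is assumed to send: token as Basic user, empty password."""
    raw = base64.b64encode(f"{token}:".encode()).decode()
    return {"Authorization": f"Basic {raw}"}


class Gateway:
    def __init__(self, valid_tokens: Set[str], ttl_seconds: float = 300.0):
        self._tokens = set(valid_tokens)
        self._ttl = ttl_seconds
        self._allowed_until: Dict[str, float] = {}  # client IP -> expiry time

    @staticmethod
    def _is_pre_auth(method: str, path: str) -> bool:
        # Pre-auth endpoints are read-only; never let a POST through unauthenticated.
        if method not in ("GET", "HEAD"):
            return False
        path = path.split("?", 1)[0]  # match on the path, ignore the query string
        return path in PRE_AUTH_EXACT or path.startswith(PRE_AUTH_PREFIXES)

    def _token_ok(self, headers: Mapping[str, str]) -> bool:
        scheme, _, cred = headers.get("Authorization", "").partition(" ")
        if scheme == "Basic":
            try:
                decoded = base64.b64decode(cred, validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                return False  # malformed credential is a deny, not an error
            presented = decoded.split(":", 1)[0]
        elif scheme == "Bearer":
            presented = cred.strip()
        else:
            return False
        # Compare against every token without short-circuiting, in constant time
        # per comparison, so a wrong guess costs the same regardless of prefix.
        ok = False
        for t in self._tokens:
            ok |= hmac.compare_digest(presented.encode(), t.encode())
        return ok

    def decide(self, client_ip: str, method: str, path: str,
               headers: Mapping[str, str], now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (allowed, reason) for one request; `now` is injectable for tests."""
        now = time.time() if now is None else now
        # Purge expired entries so the allow-list cannot grow without bound.
        self._allowed_until = {ip: t for ip, t in self._allowed_until.items() if t > now}
        if self._token_ok(headers):
            self._allowed_until[client_ip] = now + self._ttl
            return True, "valid token; IP allowed for ttl"
        if self._is_pre_auth(method, path):
            return True, "static pre-auth endpoint"
        if client_ip in self._allowed_until:
            return True, "IP recently authenticated"
        return False, "no token and IP not allowed"


if __name__ == "__main__":
    gw = Gateway(valid_tokens={"sqp_example_token"}, ttl_seconds=60)  # constructed token
    print(gw.decide("203.0.113.5", "GET", "/api/server/version", {}, now=1000.0))
    print(gw.decide("203.0.113.5", "GET", "/api/ce/task?id=1", {}, now=1000.0))
    print(gw.decide("203.0.113.5", "POST", "/api/ce/submit",
                    basic_auth_header("sqp_example_token"), now=1001.0))
    print(gw.decide("203.0.113.5", "GET", "/api/ce/task?id=1", {}, now=1030.0))
```

In a real deployment the `decide` call would sit in the proxy's request hook (an `auth_request` subrequest in nginx, or a Lua/plugin filter), and the token set would be replaced by a check against SonarQube itself rather than a local copy; the structure of the three rules stays the same.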