Hello,
We are using SonarQube 7.0 and try to run it over HTTPS.
Is this possible by configuring only the application, without building a standard reverse proxy infrastructure ?
Thanks for your help
Regards
Sabrina
No, and you really wouldn’t want it to be! Imagine there was built in support for providing HTTPS through Tomcat (as there once was) and a vulnerability popped up in Tomcat. You would have to wait on us to release a fix with the updated dependency, instead of fixing it yourself. Painful for everybody involved.
Colin
1 Like
Thank you for your answer @Colin.
Maybe the answer will be the same but currently what we wanted to do with our infrastructure looks like the following :
- Step 1 : Client Browser connect to https (ex : https://mysonar.mycompany/)
- Step 2 : Reverse proxy IIS redirect to sonarQube running on https (redirect https://mysonar.mycompany/ to https://mylocalsonar on a particular server)
- Step 3 : on a particular server sonar runs with https
Do you confirm this is not possible ?
Sobral,
I think you are describing… what a reverse proxy does. See this blog post describing SSL/IIS/SonarQube. https://jessehouwing.net/sonarqube-configure-ssl-on-windows/
Colin
Thanks I understand but that is exactly the point. Our team security wants https on both sides : in reverse proxy AND in back end sonarqube server. Do you confirm sonarqube cannot handle https for himself/alone ?
I think the most generic and correct answer I can give is that SonarQube does not natively “support” HTTPS (“support” is an intentionally fuzzy word as SonarQube definitely knows when it’s serving traffic over HTTPS, for example to add the “Secure” flag to cookies). This is all delegated to a reverse proxy.
Ok @Colin. Thanks a lot.