How to run SonarQube over HTTPS without a reverse proxy

sonarqube

(cap) #1

Hello,

We are using SonarQube 7.0 and are trying to run it over HTTPS.
Is this possible by configuring only the application, without building a standard reverse proxy infrastructure?

Thanks for your help

Regards
Sabrina


(Colin Mueller) #2

No, and you really wouldn’t want it to be! Imagine there was built-in support for providing HTTPS through Tomcat (as there once was) and a vulnerability popped up in Tomcat. You would have to wait on us to release a fix with the updated dependency, instead of fixing it yourself. Painful for everybody involved.

Colin


(Sobral) #3

Thank you for your answer @ColinHMueller.
Maybe the answer will be the same, but currently what we wanted to do with our infrastructure looks like the following:

Do you confirm this is not possible?


(Colin Mueller) #4

Sobral,

I think you are describing… what a reverse proxy does. See this blog post describing SSL/IIS/SonarQube. https://jessehouwing.net/sonarqube-configure-ssl-on-windows/

Colin


(Sobral) #5

Thanks, I understand, but that is exactly the point. Our security team wants HTTPS on both sides: in the reverse proxy AND in the back-end SonarQube server. Do you confirm SonarQube cannot handle HTTPS by itself?


(Colin Mueller) #6

I think the most generic and correct answer I can give is that SonarQube does not natively “support” HTTPS (“support” is an intentionally fuzzy word as SonarQube definitely knows when it’s serving traffic over HTTPS, for example to add the “Secure” flag to cookies). This is all delegated to a reverse proxy.


(Sobral) #7

Ok @ColinHMueller. Thanks a lot.
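
A sketch of the reverse-proxy arrangement discussed in this thread, added here as an example and not taken from any participant or from the SonarQube project. It uses nginx rather than the IIS setup in the linked blog post; the hostname and certificate paths are placeholders, and it assumes SonarQube is bound to the loopback interface on its default port 9000 via `sonar.web.host` and `sonar.web.port`.

```nginx
# Constructed example: hostname and certificate paths are placeholders.
# Assumes sonar.properties binds SonarQube to loopback only:
#   sonar.web.host=127.0.0.1
#   sonar.web.port=9000

# Redirect plain HTTP to HTTPS so no session ever starts unencrypted.
server {
    listen 80;
    server_name sonarqube.example.com;
    return 301 https://$host$request_uri;
}

# TLS terminates here; SonarQube itself never handles certificates.
server {
    listen 443 ssl;
    server_name sonarqube.example.com;

    ssl_certificate     /etc/nginx/tls/sonarqube.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/sonarqube.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # The only plaintext hop is to the loopback interface on the same host.
        proxy_pass http://127.0.0.1:9000;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Lets SonarQube know the client connection was HTTPS,
        # which is what drives the "Secure" cookie flag mentioned in post #6.
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With SonarQube bound to 127.0.0.1, port 9000 is not reachable from the network and the unencrypted hop stays on the host's loopback interface.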