Prevent access to SonarQube directly through ec2 public IP and DNS

Must-share information (formatted with Markdown):

  • Which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension): Community Edition, Version 9.4 (build 54424)
  • I am trying to only allow access to SonarQube through AWS CloudFront. I have set a custom header that CloudFront will send to SonarQube.
  • I have put these in the bitnami.conf file:
    # Deny (403) any request whose X-CF-Signature header is absent or empty
    RewriteEngine On
    RewriteCond %{HTTP:X-CF-Signature} ^$
    RewriteRule ^ - [F]

It seems to have done nothing, so I am wondering if anyone can help point me in the right direction/file to modify.

Hi,

Welcome to the community!

Could you give a little more detail on what you’re trying to achieve? What do you expect SonarQube to do with this custom header?

 
Ann

Hi G Ann,

Apologies for my unclear question :slight_smile:

Okay so basically I have the latest SonarQube running on an EC2 server.

  • The EC2 instance provides a public IP and DNS that you can use to access it, but only through HTTP.
  • To use HTTPS with a certificate I put CloudFront in front of the SonarQube server and routed all traffic to HTTPS, which all works fine.
  • However, users can still access SonarQube directly using the public IP and DNS provided by the EC2 instance, bypassing CloudFront, which I don’t want.
  • So now I got CloudFront to send a custom header every time it calls the SonarQube server: X-CF-Signature.
  • On the SonarQube Apache server I need to check that this X-CF-Signature header exists; if it doesn’t, I want to throw a 403 as a security measure.

With Nginx I can do something like this, for example:

# Return 403 when the custom header is missing or empty
if ($http_x_custom_header = "") {
    return 403;
}

What is the equivalent in Apache?

Thank you for your time.
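The Apache equivalent of that Nginx check, as an added example rather than configuration from the original poster or from Bitnami/SonarSource. It assumes Apache 2.4 with mod_rewrite and mod_proxy_http loaded, SonarQube listening on its default port 9000 on the same host, a hypothetical hostname, and a placeholder shared secret that must be replaced with the value configured on the CloudFront origin custom header. It goes one step beyond the presence check asked for above: it also requires the header to carry the exact shared value, since a header that merely has to exist can be supplied by anyone.

```apache
# Added example, not the thread's own configuration.
# Assumes: Apache 2.4, mod_rewrite + mod_proxy_http enabled,
# SonarQube on 127.0.0.1:9000 (its default port), a hypothetical
# ServerName, and a placeholder secret shared with CloudFront.
<VirtualHost *:80>
    ServerName sonarqube.example.com

    RewriteEngine On

    # 1) Presence check: an absent header expands to the empty string,
    #    which ^$ matches, so the request is answered with 403 ([F]).
    RewriteCond %{HTTP:X-CF-Signature} ^$
    RewriteRule ^ - [F]

    # 2) Value check: "=" compares as a plain string, "!" negates it, so
    #    any value other than the shared secret is also answered with 403.
    #    Replace the placeholder with the origin custom header value set
    #    on the CloudFront distribution.
    RewriteCond %{HTTP:X-CF-Signature} !=REPLACE_WITH_CLOUDFRONT_SECRET
    RewriteRule ^ - [F]

    # Only requests that passed both checks are proxied to SonarQube.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:9000/
    ProxyPassReverse / http://127.0.0.1:9000/
</VirtualHost>
```

Each RewriteCond applies only to the RewriteRule directly below it, which is why the two checks are written as two rule pairs. The value check makes the presence check redundant, but keeping both documents the intent. Proxying to 127.0.0.1 pairs naturally with binding SonarQube itself to localhost (sonar.web.host=127.0.0.1), so that the port 9000 listener cannot be reached from the public IP at all and the Apache rules are the only way in.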

Hi,

SonarQube just isn’t set up to do this. It’s not a use case we’ve considered & there’s no support in the app for that. So I really can’t tell you how to proceed. :frowning:

 
Ann

Hello,

I assume your Apache is a reverse proxy? In that case, what prevents you from using Nginx as a reverse proxy?

If you want to prevent access to SonarQube directly (so without the reverse proxy) you can bind it to localhost with sonar.web.host=127.0.0.1. This way only the reverse proxy on the same host can access SonarQube directly.
