Prevent access to SonarQube directly through ec2 public IP and DNS

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension) * Community Edition
  • Version 9.4 (build 54424)
  • I am trying to only allow access to SonarQube through AWS Cloud Front, I have set a custom header that cloud front will send to SonarQube
  • i have put these in the bitnami.conf file
    RewriteEngine On
    RewriteCond %{HTTP:X-CF-Signature} !^$
    RewriteRule ^ - [F]

It seem to have done nothing so I am wondering if anyone can help point me to the right direction/file to modify.


Welcome to the community!

Could you give a little more detail on what you’re trying to achieve? What do you expect SonarQube do to with this custom header?


Hi G Ann,

Apologies for my unclear question :slight_smile:

Okay so basically I have the latest SonarQube running on an EC2 server.

  • The ec2 provides public IP and DNS that you can use to access it, but only through HTTP
  • To use HTTPS with a certificate I put Cloudfront in front of the SonarQube server and routed all traffic to HTTPS, which all works fine.
  • However user can still access SonarQube directly using the Public IP and DNS provided by the EC2, by passing CloudFront which I don’t want.
  • So now I got CloudFront to send a custom Header every time it call the SonarQube server. X-CF-Signiture.
  • On the SonarQube Apache server I need to check that this X-CF-Signiture header exist, if it doesn’t i want to throw a 403 as a security measure.

With Enginx i can do something like this for example:

if ($http_x_custom_header) {
    return 403;

What is the equivalent in Apache?

Thank you for your time.


SonarQube just isn’t set up to do this. It’s not a use case we’ve considered & there’s no support in the app for that. So I really can’t tell you how to proceed. :frowning:



I assume your Apache is a reverse proxy? In that case, what prevents you from using Nginx as a reverse proxy?

If you want to prevent access to SonarQube directly (so without the reverse proxy) you can bind it to localhost with This way only the reverse proxy on the same host can access SonarQube directly.

1 Like