Sonar behind http proxy Nginx failed to enable ALM Integration with gitlab in https protocol

Template for a good false-positive report, formatted with Markdown:

  • versions used: SonarQube Server LTS 8.9 Community
  • minimal code sample to reproduce (with analysis parameters, and potential instructions to compile):
  1. Set up a SonarQube CE instance, service URL: http://10.96.1.1:9000
  2. Set up the Nginx proxy:
```
#### NGINX Conf #####
upstream sonar_servers {
    server 10.96.1.1:9000;
}
server {
    listen 80;
    listen 443 ssl;
    server_name mycom.com.net;

    ssl_certificate ../ssl/xxx.pem;
    ssl_certificate_key ../ssl/xxx.key;
    access_log logs/sonar_access.log;
    error_log logs/sonar_error.log;
    location / {
        proxy_pass http://sonar_servers;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        # hard-coded value: it is also sent for plain-HTTP requests arriving on port 80
        proxy_set_header X-Forwarded-Proto https;
    }
}
```
  3. Configure the Server base URL as https://mycom.com
  4. Set up the GitLab application by following the 8.9 documentation instructions

When accessing https://mycom.com, the following HTTP issue occurs:

```
Request URL: https://mycom.com/oauth2/callback/gitlab?code=ac6b6eb197b91e40dcc4d3cea30f26e3bc29d52e9068d97057a998de8abc53a6&state=linq87mpstorb164e4kviu7mff
Request Method: GET
Status Code: 302 
Remote Address: 121.201.35.8:443
Referrer Policy: strict-origin-when-cross-origin
GET /oauth2/callback/gitlab?code=ac6b6eb197b91e40dcc4d3cea30f26e3bc29d52e9068d97057a998de8abc53a6&state=linq87mpstorb164e4kviu7mff HTTP/1.1
Host: sonar.xuebangsoft.net
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: " Not;A Brand";v="99", "Google Chrome";v="91", "Chromium";v="91"
sec-ch-ua-mobile: ?0
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,zh-TW;q=0.7
Cookie: gr_user_id=d5b5a1cb-dc3b-4ff0-8e09-c9a1c531a081; XSRF-TOKEN=m2dvfr2lbp90s9u337qo0ms2h7; JWT-SESSION=eyJhbGciOiJIUzI1NiJ9.eyJsYXN0UmVmcmVzaFRpbWUiOjE2MjI2MzE3NTg0NjAsInhzcmZUb2tlbiI6Im0yZHZmcjJsYnA5MHM5dTMzN3FvMG1zMmg3IiwianRpIjoiQVhuTVk3cDY5Nk5iaTRqaTQyOVYiLCJzdWIiOiJhZG1pbiIsImlhdCI6MTYyMjYzMTc1OCwiZXhwIjoxNjIyODkwOTU4fQ.goWTFL3z2Y5MuCj4YZMORYEFi8pf3SHZVoRFjJYpRe4; OAUTHSTATE=244f9e91ffba85d4ac71745b3533ad5d46ec73b1712296f7eecb564097251253
```
```
HTTP/1.1 302
Server: Tengine/2.3.0
Date: Wed, 02 Jun 2021 11:03:11 GMT
Content-Length: 0
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Set-Cookie: XSRF-TOKEN=lia2iql9a510p480dsrj9mbqcd; Max-Age=259200; Expires=Sat, 05-Jun-2021 11:03:11 GMT; Path=/; Secure
Set-Cookie: JWT-SESSION=eyJhbGciOiJIUzI1NiJ9.eyJsYXN0UmVmcmVzaFRpbWUiOjE2MjI2MzE3OTE4NDgsInhzcmZUb2tlbiI6ImxpYTJpcWw5YTUxMHA0ODBkc3JqOW1icWNkIiwianRpIjoiQVhuTVpEem45Nk5iaTRqaTQyOVgiLCJzdWIiOiJBWG5MckFuMlc0WXFLYTY1QzdlNCIsImlhdCI6MTYyMjYzMTc5MSwiZXhwIjoxNjIyODkwOTkxfQ.gtJKJMq-HF81wYOEZzUvJhLjh6q5BAy703Veeh2fhuM; Max-Age=259200; Expires=Sat, 05-Jun-2021 11:03:11 GMT; Path=/; Secure; HttpOnly
Set-Cookie: AUTH-PARAMS=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly
Location: http://mycom.com/
```

Please note the 302 Location is “http://mycom.com/” instead of “https://mycom.com/”.

Hello, is there anyone who can fix this issue?

Hey, I had the same issue and this helped me: https://groups.google.com/g/sonarqube/c/9an4MWxfMwY

Seems like you have to remove the Host header line in your nginx conf.

I just tried but it still failed. Here is my solution:

```
server {

    listen 443 ssl;
    server_name xxxxx;
    large_client_header_buffers 4 32k;
    client_max_body_size 1024m;
    ssl_certificate ../ssl/xxxxx.pem;
    ssl_certificate_key ../ssl/xxxxx.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLS 1.0 and 1.1 are deprecated; offer only 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    #add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-Xss-Protection "1; mode=block";
    add_header Strict-Transport-Security max-age=31536000;
    access_log logs/t_sonar_access.log;
    error_log logs/t_sonar_error.log;

    # This server only listens on 443, so $scheme is always "https" here and
    # this block never fires; an http-to-https redirect belongs in a separate
    # "listen 80" server block.
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

    location / {
        proxy_pass http://t_sonar_servers;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme is "https" on this listener, so SonarQube is told https
        proxy_set_header X-Forwarded-Proto $scheme;
        # $proxy_add_forwarded is not a built-in nginx variable: unless it is
        # defined with "map" blocks in the http context (as in the nginx docs),
        # nginx refuses to load this file with an "unknown variable" error
        proxy_set_header Forwarded "$proxy_add_forwarded;proto=https";
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
    }

}
```
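For reference, below is a complete nginx configuration for the setup described in this thread. It is an added example written for this page, not code from any of the posts above or from the SonarQube project, and it assumes the upstream address 10.96.1.1:9000 and the host name mycom.com used in the first post, placeholder certificate paths, and that this nginx is the machine that terminates TLS. The point it makes: SonarQube takes the scheme of its absolute redirects (such as the `Location: http://mycom.com/` captured above) from the `X-Forwarded-Proto` header the proxy sends, so that header has to reach port 9000 as `https` on every HTTPS request and must not be attached to plain-HTTP ones. Two details from the posted configs are handled explicitly: the first config sends a hard-coded `https` for requests arriving on port 80 as well, and the second references `$proxy_add_forwarded`, which nginx does not define unless a `map` for it exists. One caveat before adopting it: the captured response reports `Server: Tengine/2.3.0`; if that is a separate proxy layer in front of this nginx rather than this nginx itself, the scheme has to be set (or preserved) at that outer layer, because `$scheme` on this host would then be `http`.

```nginx
# Added example for this thread (not from the posts above or from SonarQube).
# Assumed: upstream 10.96.1.1:9000, public host mycom.com, placeholder
# certificate paths. Everything below goes inside the http { } context.

upstream sonar_servers {
    server 10.96.1.1:9000;
}

# Plain HTTP: redirect only, never proxy. Nothing on this listener reaches
# SonarQube, so no plain-HTTP request can be mislabelled as https.
server {
    listen 80;
    server_name mycom.com;
    return 301 https://$host$request_uri;
}

# HTTPS: TLS terminates here; SonarQube is reached over plain HTTP.
server {
    listen 443 ssl;
    server_name mycom.com;

    ssl_certificate     /etc/nginx/ssl/mycom.com.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/mycom.com.key;   # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;                      # no TLS 1.0/1.1
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;

    client_max_body_size 1024m;            # scanner report uploads
    large_client_header_buffers 4 32k;

    access_log logs/sonar_access.log;
    error_log  logs/sonar_error.log;

    location / {
        proxy_pass http://sonar_servers;

        # Public host name, so the URLs SonarQube builds stay on mycom.com.
        proxy_set_header Host $host;

        # Client address for SonarQube's logs.
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # The header that decides the scheme of SonarQube's redirects.
        # $scheme is always "https" on this listener, so the literal and
        # $scheme are equivalent here. A literal is only safe because this
        # block has no "listen 80"; if one is ever added, switch to $scheme.
        proxy_set_header X-Forwarded-Proto https;

        # An RFC 7239 "Forwarded" header is not needed by SonarQube. If you
        # want one anyway, $proxy_add_forwarded must first be defined with
        # the two "map" blocks from the nginx proxy_set_header documentation;
        # it is not a built-in variable and nginx will not start without it.

        # Background tasks and large uploads can be slow.
        proxy_connect_timeout 300s;
        proxy_send_timeout    300s;
        proxy_read_timeout    300s;
    }
}

# Checks after "nginx -t && nginx -s reload":
#   curl -sI http://mycom.com/ | grep -i '^location:'
#       -> Location: https://mycom.com/
#   then repeat the GitLab login: the /oauth2/callback/gitlab response
#   captured in this thread must now carry "Location: https://mycom.com/".
#
# If TLS is terminated on a layer in front of this nginx (the captured
# "Server: Tengine/2.3.0" may indicate one), that layer must send
# X-Forwarded-Proto: https, and this server block would instead "listen 80"
# and pass "proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;".
# Trusting a client-supplied header that way is only acceptable when
# untrusted clients cannot reach this port directly, otherwise anyone on
# port 80 can claim to be https.
```

The split into a redirect-only port 80 server and a TLS-only port 443 server is what removes the ambiguity in both posted configs: there is exactly one listener that talks to SonarQube, and on that listener the scheme is known.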