Sonarqube 7.3 -> 7.9.6 upgrade issue: "response was received at <wrong URI>"

  • Versions used (SonarQube, Scanner, Plugin, and any relevant extension)
    upgrading from 7.3 to 7.9.6

  • Error observed (wrap logs/code around triple quote ``` for proper formatting)
    We were able to bring an instance running SonarQube 7.9.6 up, and we can access HTTP endpoints on the instance, but whenever an HTTPS request is made, e.g. https://sonar.devops.wepay-inc.com/admin, this error page is shown:

You're not authorized to access this page. Please contact the administrator.
Reason: The response was received at http://localhost:9000/oauth2/callback/saml instead of https://sonar.devops.wepay-inc.com/sessions/init/saml
  • Steps to reproduce
    using this sonar-qube.conf with nginx 1.20.4:
```
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
# the server directive is nginx's virtual host directive
server {
  # port to listen on. Can also be set to an IP:PORT
  listen 443;

  # sets the domain[s] that this vhost server requests for
  server_name sonar.devops.wepay-inc.com;

  large_client_header_buffers 4 32k;

  access_log /var/log/nginx/access.log main;
  error_log /var/log/nginx/error.log;

  # SSL Configuration
  ssl on;
  ssl_certificate /etc/wepay/certs/star.devops.wepay-inc.com.crt;
  ssl_certificate_key /etc/wepay/certs/star.devops.wepay-inc.com.key;
  ssl_protocols TLSv1.2;
  ssl_session_timeout 1d;
  ssl_session_cache shared:SSL:2m;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!3DES:!IDEA:!RC2:!RC4;
  ssl_prefer_server_ciphers on;
  ssl_dhparam /etc/ssl/dhparams.pem;

  keepalive_timeout 70;
  keepalive_requests 20;
  client_max_body_size 50M;
  client_body_buffer_size 128k;
  location / {
      proxy_pass          http://localhost:9000;
      proxy_set_header    X-Forwarded-Host $host;
      proxy_set_header    X-Forwarded-Server $host;
      proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header    X-Real-IP $remote_addr;
      proxy_read_timeout 1800;
      proxy_connect_timeout 1800;
      proxy_redirect         off;
      proxy_buffering off;
      proxy_http_version 1.1;
  }
}
```

Run the server with all other configuration matching that of the 7.3 server, and the same DB. I verified that the server was available locally by curling the status page:

```
curl http://0.0.0.0:9000/status
***returns valid HTML***
```

and could also visit the server homepage using a web browser.

However, any attempt to access the service using HTTPS results in the error above.

Other setup info:
Sonar is deployed to a Google Compute VM instance, using a load balancer for routing of traffic from our subdomain.

We are using NGINX 1.20 as the reverse proxy on the VM

Hi @Sam_Gluss ,

Have you referenced the “HTTPS Configuration” section in our Operating the Server documentation? Scroll down and you’ll see an example of reverse proxy setup for Nginx:

```
# the server directive is Nginx's virtual host directive
server {
  # port to listen on. Can also be set to an IP:PORT
  listen 443 ssl;
  ssl_certificate ${path_to_your_certificate_file};
  ssl_certificate_key ${path_to_your_certificate_key_file};
  location / {
    proxy_pass ${address_of_your_sonarqube_instance_behind_proxy};
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto https;
  }
}
```

Note the usage of X-Forwarded-Proto https, please try adding that parameter and test again.

If it fails again, please do the following:

  • Log in as an admin
  • Change your Log Level to DEBUG (Administration > System > Log Level) - no need to restart SonarQube
  • Log out
  • Attempt login with a SAML user, expect a failure. Note the failure in the UI and take screenshot(s).
  • Log back in as admin and change log level back to INFO level
  • Zip your $SONARQUBE_HOME/logs/ directory
  • Please message me here once you have the ZIP file. We can do a private message thread next.

Regards,
Joe

EDIT: Additionally, please take screenshots of your SAML configurations in the UI, both from the SonarQube UI (Administration > Configuration > General Settings > SAML tab) and however you set up your SAML configuration on the Identity Provider side. You can show those to me in a private thread.
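
The following is an added example, not part of either post and not SonarQube's code: a small Python model of what the upstream application sees behind each of the two `location` blocks in this thread, showing why the first one yields `http://localhost:9000/...` as the self-computed callback URL. It assumes the backend takes its scheme from `X-Forwarded-Proto` and its authority from `Host` (as the reply implies), and it substitutes `http://localhost:9000` for the `proxy_pass` placeholder in the reply's example.

```python
import re

# Constructed inputs: the header-related directives of the two location blocks above.
QUESTION_LOCATION = """
proxy_pass          http://localhost:9000;
proxy_set_header    X-Forwarded-Host $host;
proxy_set_header    X-Forwarded-Server $host;
proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header    X-Real-IP $remote_addr;
"""
REPLY_LOCATION = """
proxy_pass http://localhost:9000;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto https;
"""
SET_HEADER = re.compile(r"proxy_set_header\s+(\S+)\s+([^;]+);")


def upstream_view(location, client_host):
    """Return (connection scheme, request headers) as the upstream receives them."""
    m = re.search(r"proxy_pass\s+(\w+)://([^/;\s]+)", location)
    scheme, proxy_host = m.group(1), m.group(2)
    # nginx sends "Host: $proxy_host" unless the block overrides Host.
    headers = {"host": proxy_host}
    for name, value in SET_HEADER.findall(location):
        headers[name.lower()] = value.strip().replace("$host", client_host)
    return scheme, headers


def self_url(location, client_host, path):
    """Assumed backend logic: scheme from X-Forwarded-Proto (else the
    connection scheme), authority from the Host header."""
    scheme, headers = upstream_view(location, client_host)
    scheme = headers.get("x-forwarded-proto", scheme)
    return f"{scheme}://{headers['host']}{path}"


def missing_headers(location):
    """Headers set in the reply's example that this block does not set."""
    present = {name.lower() for name, _ in SET_HEADER.findall(location)}
    return [h for h in ("Host", "X-Forwarded-Proto") if h.lower() not in present]


if __name__ == "__main__":
    host, path = "sonar.devops.wepay-inc.com", "/oauth2/callback/saml"
    for label, loc in (("question", QUESTION_LOCATION), ("reply", REPLY_LOCATION)):
        print(f"{label}: {self_url(loc, host, path)} missing={missing_headers(loc)}")
```

`X-Forwarded-Host` alone does not change the result in this model, because the authority is read from `Host`, which the first block leaves at nginx's default.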