We’ve been running SonarQube 8.0 for about a year using the SAML integration for auth (with CA Siteminder as our IDP). When trying to update to 8.7 recently, we saw this error on the ACS redirect from the IDP (names changed to protect the innocent):
The response was received at https://sonarqube.private.backend.hostname/oauth2/callback/saml instead of https://sonarqube.public.frontend.hostname/oauth2/callback/saml
Looking through other topics I see this is a fairly common complaint with 8.4+, and others have solved their issues by setting ProxyPreserveHost or similar. In our case there are actually (at least) two proxies involved (gotta love enterprise IT):
- an in-house reverse proxy behind that public hostname’s IP that’s proxying the request to the backend hostname
- OpenShift’s HAProxy router, which uses the backend hostname to map the request to the Kubernetes pod running SonarQube.
We can’t change proxy #1 to send the original public Host header, because proxy #2 is using the private hostname for its routing decisions, and we can’t (so far as I can tell) configure proxy #2 to change the Host back to the public one after it picks the right route.
As an experiment to confirm I understand what’s going on I bolted an nginx sidecar onto our SonarQube pod whose entire purpose in life is to act as YET ANOTHER reverse proxy (it’s proxies all the way down!) that just restores the public hostname in the Host header on its way to SonarQube, and that does indeed fix the problem. If all else fails this might be a viable temporary band-aid, but it pains me.
Looking through the sonarqube source I see this bit where it’s patching in the X-Forwarded-Proto to handle the https vs http fail-case I see referenced in other topics:
This method is cobbling together a faux request object that’s passed to the SAML lib that’s actually generating the error. What I’m wondering is if this can be additionally modified to swap the Host for the value, if present, of X-Forwarded-Host, or the host section of Forwarded.
Good idea, bad idea, entirely on the wrong track? Better/smarter/faster way of doing what I’m trying to do? Any suggestions appreciated!
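The idea in the post of substituting X-Forwarded-Host (or the host= parameter of Forwarded) for Host has one security caveat worth making explicit: whichever header the SAML library ends up comparing against the ACS URL is only as trustworthy as the hop that set it, so it should be honoured only when the request arrived from a known proxy, and the value should be checked to look like a hostname before it is spliced into a URL. The following is an added, stand-alone illustration of that resolution logic; it is not code from the post, from SonarQube, or from the SAML library it uses. The trusted-proxy ranges, header values and remote addresses are constructed for the example, and the hostnames are the placeholder names used in the post.

```python
"""Resolve the externally visible scheme and host behind one or more reverse proxies.

Added example (not SonarQube code). Forwarded (RFC 7239) and X-Forwarded-Host /
X-Forwarded-Proto are honoured only when the immediate peer is a trusted proxy;
otherwise the values from the connection itself are used.
"""
import ipaddress
import re

# Constructed assumption: the address ranges the proxy tiers connect from.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]

# A host value is a DNS name or IPv4 literal, or a bracketed IPv6 literal,
# optionally followed by a port. Anything else (slashes, spaces, CR/LF) is rejected
# so a bad header cannot smuggle path or extra characters into the rebuilt URL.
_HOST_RE = re.compile(r"^(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$")


def is_trusted_proxy(remote_addr):
    """True if the peer that delivered the request is one of our proxies."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def valid_host(host):
    return bool(host) and _HOST_RE.fullmatch(host) is not None


def parse_forwarded(value):
    """Parse a Forwarded header into one dict per hop, leftmost (closest to the client) first.

    Elements are separated by ',', parameters inside an element by ';', and values may
    be quoted. Quoted values containing ',' or ';' are not handled here.
    """
    elements = []
    for element in value.split(","):
        params = {}
        for pair in element.split(";"):
            if "=" not in pair:
                continue
            name, _, raw = pair.partition("=")
            raw = raw.strip()
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            params[name.strip().lower()] = raw
        if params:
            elements.append(params)
    return elements


def effective_host(headers, remote_addr):
    """Return (host, source) where source names the header the host came from."""
    h = {k.lower(): v for k, v in headers.items()}
    if is_trusted_proxy(remote_addr):
        # Forwarded takes precedence; the first element's host= is what the client used.
        for element in parse_forwarded(h.get("forwarded", "")):
            host = element.get("host")
            if valid_host(host):
                return host, "forwarded"
        # X-Forwarded-Host may be a comma-separated list; the first entry is the original.
        first = h.get("x-forwarded-host", "").split(",")[0].strip()
        if valid_host(first):
            return first, "x-forwarded-host"
    return h.get("host", ""), "host"


def effective_proto(headers, remote_addr):
    """Return 'https' or 'http', trusting proxy headers only from a trusted proxy."""
    h = {k.lower(): v for k, v in headers.items()}
    if is_trusted_proxy(remote_addr):
        for element in parse_forwarded(h.get("forwarded", "")):
            proto = element.get("proto", "").lower()
            if proto in ("http", "https"):
                return proto
        xfp = h.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        if xfp in ("http", "https"):
            return xfp
    # Assumption for the example: the backend itself listens on plain HTTP.
    return "http"


def received_url(headers, remote_addr, path):
    """Rebuild the URL the client actually requested, as the SAML ACS check would see it."""
    host, _ = effective_host(headers, remote_addr)
    return f"{effective_proto(headers, remote_addr)}://{host}{path}"


if __name__ == "__main__":
    # Constructed request matching the scenario in the post.
    hdrs = {
        "Host": "sonarqube.private.backend.hostname",
        "X-Forwarded-Host": "sonarqube.public.frontend.hostname",
        "X-Forwarded-Proto": "https",
    }
    print(received_url(hdrs, "10.1.2.3", "/oauth2/callback/saml"))   # via trusted proxy
    print(received_url(hdrs, "203.0.113.5", "/oauth2/callback/saml"))  # headers ignored
```

The ordering matters: a client that can reach the backend directly (or a misconfigured hop that passes client-supplied X-Forwarded-Host through untouched) could otherwise choose the host the ACS URL is validated against, so the fallback to the connection's own Host header for untrusted peers is the point of the check rather than an afterthought.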