SonarQube SAML IdentityProvider class does not respect proxy port

SQ Version 8.8

I configured SonarQube behind an HTTPS proxy on port 9443, not 443 (see below).
The successful SAML authentication flows to https://my.host.com:9443/oauth2/callback/saml.
But SonarQube returns an error:

You’re not authorized to access this page. Please contact the administrator.

Reason: The response was received at https://my.host.com/oauth2/callback/saml instead of https://my.host.com:9443/oauth2/callback/saml

The code check of the Identity Provider does not show any handling of proxy port information:

Steps to reproduce:

  1. Configure SonarQube on port 9000
  2. Configure an HTTPS Nginx proxy on 9443 (see nginx config below)
  3. Configure the SonarQube server base URL to https://my.host.com:9443
  4. Configure SAML authentication

Expected Result: SAML works
Actual Result: SQ SAML does not respect the provided proxy port X-Forwarded-Port and assumes port 443

server {
	# listen 443 ssl spdy;
	listen 443 ssl http2;
	# listen [::]:443 ssl spdy;
	listen [::]:443 ssl http2;
	server_name localhost;

	ssl_certificate /etc/nginx/certs/localhost.crt;
	ssl_certificate_key /etc/nginx/certs/private.key;

	#charset koi8-r;
	#access_log  /var/log/nginx/host.access.log  main;

	proxy_http_version  1.1;
	proxy_cache_bypass  $http_upgrade;

	proxy_set_header Upgrade           $http_upgrade;
	proxy_set_header Connection        "upgrade";

	proxy_set_header X-Forwarded-Proto $scheme;

	location / {
		proxy_pass http://sonar-data:9000;

		# Proxy headers
		proxy_set_header Upgrade           $http_upgrade;
		proxy_set_header Connection        "upgrade";
		proxy_set_header Host              $host;
		proxy_set_header X-Real-IP         $remote_addr;
		proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Host  $host;
		proxy_set_header X-Forwarded-Port  $server_port;
	}
}

Hey there.

In its current state, does your Host header include the port (9443)? This appears to be optional but valid, and should kick things into place.

FWIW I’m not sure the example you gave is the one you think you did – as I don’t see any reference to port 9443 (only 443).

Hello Colin,

thanks for the reply.

Example: You are right, I made a mistake in the description of the issue.
The config I used is correct, with listen 9443. My config is:

server {
listen 9443 ssl http2;
listen [::]:9443 ssl http2;
server_name localhost;

Port: Yes, the port information in a URL is optional. But if it is not provided, the default protocol port is used. In the case of HTTPS, the default port is 443. As a result, if the code does not provide a port, it means 443 and not the 9443 provided by the proxy.

What is the process to get a fix for the SonarQube code?

Hold your horses. 🙂 I meant the HOST header itself. If you are always using port 9443, why not some configuration like this?

proxy_set_header Host $host:$server_port;

In my testing, this worked when using SAML and SonarQube on a non-standard port without any other side effects.
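
An added example, not part of the thread and not SonarQube's code: a simplified model of a SAML destination check that shows why `Host $host` is rejected while `Host $host:$server_port` is accepted. It assumes the backend rebuilds the received URL from `X-Forwarded-Proto` and the `Host` header only; the function names and sample headers are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def received_url(headers, path):
    """Rebuild the URL the backend believes it was called on.

    Assumption: scheme comes from X-Forwarded-Proto and authority from the
    Host header; X-Forwarded-Port is ignored, as reported in the thread.
    """
    scheme = headers.get("X-Forwarded-Proto", "http").lower()
    return f"{scheme}://{headers['Host']}{path}"

def _normalise(url):
    """Split a URL and make an omitted port explicit (443 for https)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port, parts.path

def check_destination(destination, headers, path):
    """Return (ok, reason); reason mirrors the error text quoted in the thread."""
    got = received_url(headers, path)
    if _normalise(got) == _normalise(destination):
        return True, ""
    return False, f"The response was received at {got} instead of {destination}"

# Constructed sample values based on the thread.
ACS_PATH = "/oauth2/callback/saml"
DESTINATION = "https://my.host.com:9443" + ACS_PATH

# proxy_set_header Host $host;  (nginx $host carries no port)
HOST_ONLY = {"Host": "my.host.com", "X-Forwarded-Proto": "https",
             "X-Forwarded-Port": "9443"}
# proxy_set_header Host $host:$server_port;
HOST_WITH_PORT = {"Host": "my.host.com:9443", "X-Forwarded-Proto": "https",
                  "X-Forwarded-Port": "9443"}

if __name__ == "__main__":
    for name, hdrs in (("Host $host", HOST_ONLY),
                       ("Host $host:$server_port", HOST_WITH_PORT)):
        ok, reason = check_destination(DESTINATION, hdrs, ACS_PATH)
        print(f"{name:26} -> {'accepted' if ok else 'rejected: ' + reason}")
```

The destination check is what ties an assertion to the endpoint it was issued for, so the mismatch is resolved by making the proxy forward the real authority rather than by relaxing the check.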