Sonarqube behind https proxy with X_FORWARDED_PROTO - sonarqube

What I want to achieve:
Browser -> Apache (https) -> Sonarqube (http)
Problem:
Location header from Sonar is http://.., so accessing
https://trm.tine.no/sonar
redirects to
http://trm.tine.no/sonar
I have folllowed the instructions for standard reverse proxy infrastructure as described here:
http://docs.sonarqube.org/display/SONAR/Running+SonarQube+Over+HTTPS
ProxyPreserveHost On
ProxyRequests Off
..
.. SSL config goes here
..
RequestHeader set X-Forwarded-Proto "https"
#SONAR related configurations
AllowEncodedSlashes NoDecode
ProxyPass /sonar http://<my.ip>:9000/sonar disablereuse=On nocanon
ProxyPassReverse /sonar http://<my.ip>:9000/sonar
I have verfied the X-Forwarded-Proto header by proxying Nexus (which also relies on X-Forwarded-Proto), and this works as expected.
curl confirms the Location header as http, not https
curl -I https://trm.tine.no/sonar
HTTP/1.1 302 Found
Date: Wed, 21 Oct 2015 13:49:39 GMT
Server: Apache-Coyote/1.1
Location: http://trm.tine.no/sonar/
Transfer-Encoding: chunked
Wondering what I might be missing, or if this is an actual bug?
Running Sonarqube 5.1.1
Solution
The proposed solution from #kraal did not have any effect for us, but if you append / to the URI it works.
E.g.
curl -I https://trm.tine.no/sonar
HTTP/1.1 302 Found
Date: Thu, 22 Oct 2015 10:53:23 GMT
Server: Apache-Coyote/1.1
Location: http://trm.tine.no/sonar/
Transfer-Encoding: chunked
As we can see, Location is still set to http, but the following works (note the / at the end)
curl -I https://trm.tine.no/sonar/
HTTP/1.1 302 Found
Date: Thu, 22 Oct 2015 10:53:25 GMT
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Location: https://trm.tine.no/sonar/sessions/new
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=utf-8
Content-Length: 104
Set-Cookie: JSESSIONID=A8B19F73D93B35BCA24F019EEB848666; Path=/sonar/; HttpOnly
So there seems to be something happening when Sonar redirects to /sonar/sessions/new (the login page), which behaves differently from /sonar/ to /sonar
Appending the / to the URI is a workaround which works for us.

The issue is probably due to your ProxyPassReverse. Here follows an excerpt from our configuration (with apache < 2.2.18):
<VirtualHost *:443>
# https and port are specified in order to make sure that the server generates the correct
# self-referential URLs.
ServerName https://visiblehost:443
# ... SSL and other configuration here
# ProxyRequests must be set to "off" as we use Apache as a reverse proxy.
ProxyRequests Off
# ProxyPreserveHost must be set to "on" in order to pass the Host: line from the incoming request to the
# proxied host, instead of the hostname specified in the ProxyPass line.
ProxyPreserveHost On
# AllowEncodedSlashes must be set to "on" in order to preserve urls built by SonarQube which include
# encoded slashes. Once we upgrade to Apache 2.2.18, the property will need to be set to "NoDecode".
AllowEncodedSlashes On
# Some RequestHeaders must be set in order for the headers to have the right value required for https
# communications.
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
# ProxyPass defines that Apache communicates with SonarQube using ajp protocol
# and that no canonalization has to be done.
# ReverseProxyPass defines that https communications are only done between client
# and Apache.
ProxyPass /sonar ajp://hiddenhost:port/sonar nocanon
ProxyPassReverse /sonar https://visiblehost/sonar
</VirtualHost>
As you can see, on the one hand, ProxyPassReverse defines that https communications have to be done between users and the reverse proxy on /sonar context root. The specified URL is the Apache URL that is "visible" to users.
On the other hand ProxyPass defines that Apache sends all trafic on /sonar to a "hidden" URL. In our case we use AJP protocol in order to make sure that this URL is not accessible directly, but if you're using http the configuration should be similar (replace ajp with http).
Hope it helps,
Michel

(For anyone who stumbles on this post, I posted a similar problem in the google group: https://groups.google.com/forum/#!topic/sonarqube/mztZGAvG_I0 and was notified off this post by a replyer, it was not my intention to cause duplication)
Regarding the fix that works for you by changing the trailing slashes, sadly this did not work for me (I already appended them) Removing them does also not work.

In my case with Apache 2.4 and Sonarqube 8.0 I solved with:
<Location /sonarqube>
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
ProxyPreserveHost On
ProxyPass http://192.168.10.15:9000/sonarqube
ProxyPassReverse http://192.168.10.15:9000/sonarqube
</Location>

Related

modify HTTP_CF_CONNECTING_IP showing proxy IP instead true IP

I setup ProxyPass & ProxyPassReverse. But the website I need to access still detect my real IP (my ISP IP) instead my proxy server IP. What I notice is HTTP_CF_CONNECTING_IP showing my real IP. Is there a way to modify so that it detect my proxy server IP.
I unset the X-Forwarded-For and able to change the IP except HTTP_CF_CONNECTING_IP
SSLProxyEngine On
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
SSLProxyVerify none
SSLProxyCheckPeerName off
ProxyRequests On
ProxyAddHeaders Off
ProxyPass / https://otherwebsite.com/
ProxyPassReverse / https://otherwebsite.com/
ProxyPassReverseCookiePath / /
ProxyPassReverseCookieDomain .otherwebsite.com .myproxy.com
AddOutputFilterByType SUBSTITUTE text/html
Substitute "s/otherwebsite.com/myproxy.com/ni"
RequestHeader unset Accept-Encoding
RequestHeader unset X-Forwarded-For

How to configure a Pyramid application behind Apache HTTPS Proxy

I have a Pyramid application running on an internal server using mod_wsgi-express. The address internally is http://172.31.15.111:6543/myapp/
I want to make it available externally using Proxy and SSL. So I have the following Apache configuration:
<VirtualHost *:443>
ServerName myapp.org
ProxyRequests Off
ProxyPreserveHost On
# proxy pass /myapp to the internal:6543/myapp
ProxyPass /myapp http://172.31.15.111:6543/myapp/
ProxyPassReverse /myapp http://172.31.15.111:6543/myapp/
<Proxy *>
allow from all
</Proxy>
ProxyTimeout 1200
</VirtualHost>
The problem that I have is that when I use "request.route_url()" or "request.host_url" it resolves to HTTP and not to HTTPS.
I am using Waitress with the following configuration:
[server:main]
use = egg:waitress#main
listen = localhost:6543
I tried also:
[server:main]
use = egg:waitress#main
#listen = localhost:6543
host = 172.31.15.111
port = 6543
url_scheme = https
I also tried having request headers in apache:
RequestHeader set X-Forwarded-Port 443
RequestHeader set X-Forwarded-Scheme https
But I get the same result. Any idea how to resolve it is highly appreciated.

Spring Redirect Command Redirects to Localhost under Load Balancer

I have a Java web app built with Spring MVC running on Tomcat proxied with Apache Httpd running on an EC2 instance at AWS and configured a load balancer with SSL.
The request
https://some_domain/first_uri
first goes to load-balancer, load-balancer redirects the connection to Apache as (https to http because SSL is configured for the load-balancer)
http://some_domain/first_uri
Apache redirects to the localhost (Tomcat).
When the controller for "/first_uri" makes a redirect like
redirect:https://sub.some_domain/some_uri
I see the result at browser as
https://localhost/first_uri
I just couldn't figure out what I must configure here, configure the Spring? configure the Apache HTTPD or the Load Balancer?
If someone faced the same issue please help.
Not: Also using Spring Security.
Not2: I just tried without SSL (using http) and the same thing happens, I think this is not related to the https usage.
Update: This problem may occur only where I try to redirect to a subdomain
The following worked for me:
In tomcat server.xml:
(mostly at /opt/tomcat/conf/server.xml)
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
proxyName="localhost"
proxyPort="443"
scheme="https"/>
Here proxyName is "localhost".
Change proxyName to your required domain.
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443"
proxyName="mydomain.com"
proxyPort="443"
scheme="https"/>
Refer: http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#Proxy_Support
Solution: ProxyPreserveHost must be turned off!
Reason: If it is switched on, the response headers returned by the proxy backend will contain “localhost” or the real domain without the port number (or 80). So the ProxyPassReverse pattern does not match (because of the different port and if another domain name is used, also the domain name will not match).
Config:
<VirtualHost localhost:80>
ProxyPreserveHost Off
ProxyPass / http://localhost:8080/WebApp/
ProxyPassReverse / http://localhost:8080/WebApp/
</VirtualHost>
But this works only via http, not via ajp (I don’t know why).
If you still want to use ajp you could use the following workaround - Let Apache do another redirect after the wrong redirect:
<VirtualHost localhost:80>
ProxyPass /WebApp !
ProxyPass / ajp://localhost:8009/WebApp/
ProxyPassReverse / ajp://localhost:8009/WebApp/
RedirectMatch 301 ^/WebApp/(.*)$ /$1
RedirectMatch 301 ^/WebApp$ /
</VirtualHost>
The ProxyPass /WebApp ! directive is needed to exclude the path from further processing in mod_proxy (because proxy directives are evaluated before redirect directives)
Then the RedirectMatch directives redirect everything stating with /WebApp/... respectively /WebApp to the URL without /WebApp at the beginning.
The only drawback is that you must not have any sub folder named WebApp in your web application
After viewing this answer, I set the below setting on my httpd.conf (at the end of the document):
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
And after that configuration, spring started to redirect to the proper domain again :) I hope this will help to many like me, thanks to all!

Jboss EAS + Apache mod_proxy don't load image

I created a web application that runs on a ubuntu server with JBoss EAS 6.2 and Apache2 with mod_proxy enabled, but when I open the page in the browser, the images do not load.
This is my Apache configs:
<VirtualHost *:*>
ProxyRequests On
ProxyPreserveHost On
ProxyPass / http://pegabuzz.com:8080
ProxyPassReverse / http://pegabuzz.com:8080
ServerName pegabuzz.com
<Location />
Order deny,allow
Allow from All
</Location>
</VirtualHost>
What can I do?
EDIT 2:
In the browser console, I get this:
Failed to load resource: the server responded with a status of 502
(Proxy Error)
The path is:
http://pegabuzz.com/images/pegabuzz_site.jpg
The site URL:
pegabuzz.com
It looks that you have missed the trailing bar after the server port on your ProxyPass and ProxyPassReserves directives.
Try using:
ProxyPass / http://pegabuzz.com:8080/
ProxyPassReverse / http://pegabuzz.com:8080/
Because your server return an error during the DNS query:
Reason: DNS lookup failure for: pegabuzz.com:8080images
Please see what URL it creates for images with help of Firebug plugin in Firefox.
Thing which you need to focus would be missing slashes or path in the URL.

Apache & Tomcat: ProxyPass and ProxyPassReverse

I'am having troubles configuring Apache and Tomcat, this is the scenario:
I have an Apache Web Server, running and working normally, I can access to this one just typing:
http://localhost
Also, in this host, I have a Tomcat running and working fine; I've created a mini web-app which files are inside "prueba" directory, I can access typing:
http://localhost:8080/prueba
(I know that Apache is running in 80 port and Tomcat in 8080)
What I want to do is that througt Apache an user can access to 'pruebas'(running on Tomcat), I mean:
http://localhost/prueba
I've readen a lot of this, and I think that there are 2 ways to do this, and I've decided enabling the proxy modules(proxy and proxy_ajp, with a2enmod), also I've readed I must edit this file: sites-available/default, this is the content:
NameVirtualHost *:80
<VirtualHost *:80>
ServerName 127.0.0.1
DocumentRoot /var/www
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /static/ !
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
.
.
.
Alias /static/ "/apache/www/"
</VirtualHost>
But this hasn't work propperly :(
I have to say that I've tried whit many changes, ont this 2 lines, like:
ProxyPass /prueba ajp://localhost:8009/prueba
ProxyPassReverse /prueba ajp://localhost:8009/prueba
or
ProxyPass / ajp://localhost:8009/prueba
ProxyPassReverse / ajp://localhost:8009/prueba
(each time I edit the file, I restart apache)
But when I access to [http://localhost/prueba/], I have:
Service Temporarily Unavailable
Has anyone knows why?
Thanks in advance guys.
Pd: I'm working with apache 2.2.17 and tomcat6.
You have to put
ProxyPass / ajp://localhost:8009/
ProxyPassReverse / ajp://localhost:8009/
on your apache virtual host
Then you have to uncomment ajp listener in tomcat
<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
Then you have to configure host and context path in server.xml
REFF:
http://www.ntu.edu.sg/home/ehchua/programming/howto/ApachePlusTomcat_HowTo.html
Hope this will help you..
ProxyPassReverse defines the URL Apache httpd should rewrite the URLs to, which would redirect to the proxied (hidden) URL. Because of this, you should change your ProxyPassReverse line to something like this:
ProxyPassReverse / http://localhost/prueba/
See also: http://httpd.apache.org/docs/2.2/mod/mod_proxy_ajp.html#usage
Try this:
ProxyPass /prueba/ http://localhost:8009/prueba/
ProxyPassReverse /prueba/ http://localhost:8009/prueba/
and then hit the following URL from browser: http:// localhost/prueba/
note: it is mandatory to add "/prueba/"
Service not available might be coming due to SELinux ,try disabling SE Linux : setenforce 0
you may try adding:
ProxyPreserveHost On
From the documentation:
"When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the hostname specified in the ProxyPass line.
This option should normally be turned Off. It is mostly useful in special configurations like proxied mass name-based virtual hosting, where the original Host header needs to be evaluated by the backend server."
You stated: I can access typing:
http://localhost:8080/prueba
but the following does not work:
ProxyPass /prueba/ http://localhost:8009/prueba/
8080 != 8009
make sure your port numbers are the same
Port 8009 is Tomcat so use ajp instead of http
ProxyPass /prueba/ ajp://localhost:8009/prueba/
ProxyPassReverse /prueba/ ajp://localhost:8009/prueba/

Resources