SonarQube running as non-root behind a SSL reverse proxy
Last time we configured SonarQube to use a MySQL database, see SonarQube with MySQL 5.7.
SonarQube is still running as root (no reason to, it's using a port > 1024). We'll change that and make SonarQube listen on localhost behind a SSL reverse proxy for security reasons as well (company rule, everything has to be transmitted encrypted...).
Let's start with making SonarQube non-root. To do that we create a local group/user named sonar
and change some permissions in /opt/sonarqube-6.3.1.
# /opt/sonarqube-6.3.1/bin/solaris-sparc-64/sonar.sh stop
Stopping SonarQube...
Waiting for SonarQube to exit...
Stopped SonarQube.
# groupadd -g 9000 sonar
# useradd -u 9000 -g sonar -d /opt/sonarqube-6.3.1 -s /usr/bin/bash -m sonar
# passwd -N sonar
passwd: password information changed for sonar
# chown -R sonar:sonar /opt/sonarqube-6.3.1/{data,logs,temp} \
/opt/sonarqube-6.3.1/extensions/{downloads,plugins}
# perl -w -pi -e 's/#(sonar.web.host=).*$/${1}127.0.0.1/' /opt/sonarqube-6.3.1/conf/sonar.properties
# perl -w -pi -e 's@^(PIDDIR=").*$@${1}/opt/sonarqube-6.3.1/logs/"@' /opt/sonarqube-6.3.1/bin/solaris-sparc-64/sonar.sh
# su - sonar
$ /opt/sonarqube-6.3.1/bin/solaris-sparc-64/sonar.sh start
Starting SonarQube...
Started SonarQube.
$ tail -f /opt/sonarqube-6.3.1/logs/sonar.log
...
2017.04.28 10:04:59 INFO app[][o.s.application.App] SonarQube is up
Running a network reachable service as root only gets you into trouble anyway. ;)
Time to configure a SSL reverse proxy. We'll use Apache 2.2 for this because it's already installed.
Steps for creating a new SSL certificate/key with pktool can be found here How to create a SSL CA/certificate/key with pktool. Done that? Good.
# cp CA.crt /etc/apache2/2.2/server-ca.crt
# cp server.crt /etc/apache2/2.2/
# cp server.key /etc/apache2/2.2/
# chown webservd:webservd /etc/apache2/2.2/server*
# cat << 'EOF' > /etc/apache2/2.2/conf.d/ssl-sonar.conf
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
SSLCryptoDevice pkcs11
Listen XXX_REPLACE_WITH_YOUR_FQDN:443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLCipherSuite AESGCM:AES
SSLProxyCipherSuite AESGCM:AES
SSLHonorCipherOrder on
SSLProtocol TLSv1.2
SSLProxyProtocol TLSv1.2
SSLSessionCache "shmcb:/var/run/apache2/2.2/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/var/run/apache2/2.2/ssl_mutex"
ProxyRequests off
ProxyPreserveHost on
<VirtualHost _default_:443>
ServerName XXX_REPLACE_WITH_YOUR_FQDN
ServerAdmin webservd@XXX_REPLACE_WITH_YOUR_FQDN
SSLEngine on
SSLCompression off
SSLSessionTickets off
SSLCertificateFile "/etc/apache2/2.2/server.crt"
SSLCertificateKeyFile "/etc/apache2/2.2/server.key"
SSLCertificateChainFile "/etc/apache2/2.2/server-ca.crt"
Header always set Strict-Transport-Security "max-age=15768000"
ProxyPass / http://127.0.0.1:9000/
ProxyPassReverse / https://XXX_REPLACE_WITH_YOUR_FQDN/
CustomLog "/var/apache2/2.2/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
EOF
# /usr/apache2/2.2/bin/apachectl -t
Syntax OK
# svcadm enable svc:/network/http:apache22
Our SonarQube instance is now running as non-root and is reachable via https only.
# tail -f /var/apache2/2.2/logs/ssl_request_log [28/Apr/2017:10:47:03 +0200] x.x.x.x TLSv1.2 AES256-GCM-SHA384 "GET / HTTP/1.1" 480 [28/Apr/2017:10:47:03 +0200] x.x.x.x TLSv1.2 AES256-GCM-SHA384 "GET /css/sonar.175ebec8.css HTTP/1.1" 36489 ...
Compliance? Check!
No comments:
Post a Comment