SonarQube running as non-root behind a SSL reverse proxy
Last time we configured SonarQube to use a MySQL database, see SonarQube with MySQL 5.7.
SonarQube is still running as root (no reason to, it's using a port > 1024). We'll change that and make SonarQube listen on localhost behind a SSL reverse proxy for security reasons as well (company rule, everything has to be transmitted encrypted...).
Let's start with making SonarQube non-root. To do that we create a local group/user named sonar
and change some permissions in /opt/sonarqube-6.3.1
.
# /opt/sonarqube-6.3.1/bin/solaris-sparc-64/sonar.sh stop Stopping SonarQube... Waiting for SonarQube to exit... Stopped SonarQube. # groupadd -g 9000 sonar # useradd -u 9000 -g sonar -d /opt/sonarqube-6.3.1 -s /usr/bin/bash -m sonar # passwd -N sonar passwd: password information changed for sonar # chown -R sonar:sonar /opt/sonarqube-6.3.1/{data,logs,temp} \ /opt/sonarqube-6.3.1/extensions/{downloads,plugins} # perl -w -pi -e 's/#(sonar.web.host=).*$/${1}127.0.0.1/' /opt/sonarqube-6.3.1/conf/sonar.properties # perl -w -pi -e 's@^(PIDDIR=").*$@${1}/opt/sonarqube-6.3.1/logs/"@' /opt/sonarqube-6.3.1/bin/solaris-sparc-64/sonar.sh # su - sonar $ /opt/sonarqube-6.3.1/bin/solaris-sparc-64/sonar.sh start Starting SonarQube... Started SonarQube. $ tail -f /opt/sonarqube-6.3.1/logs/sonar.log ... 2017.04.28 10:04:59 INFO app[][o.s.application.App] SonarQube is up
Running a network reachable service as root only gets you into trouble anyway. ;)
Time to configure a SSL reverse proxy. We'll use Apache 2.2 for this because it's already installed.
Steps for creating a new SSL certificate/key with pktool
can be found here How to create a SSL CA/certificate/key with pktool. Done that? Good.
# cp CA.crt /etc/apache2/2.2/server-ca.crt # cp server.crt /etc/apache2/2.2/ # cp server.key /etc/apache2/2.2/ # chown webservd:webservd /etc/apache2/2.2/server* # cat << 'EOF' > /etc/apache2/2.2/conf.d/ssl-sonar.conf SSLRandomSeed startup file:/dev/urandom 512 SSLRandomSeed connect file:/dev/urandom 512 SSLCryptoDevice pkcs11 Listen XXX_REPLACE_WITH_YOUR_FQDN:443 AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl SSLCipherSuite AESGCM:AES SSLProxyCipherSuite AESGCM:AES SSLHonorCipherOrder on SSLProtocol TLSv1.2 SSLProxyProtocol TLSv1.2 SSLSessionCache "shmcb:/var/run/apache2/2.2/ssl_scache(512000)" SSLSessionCacheTimeout 300 SSLMutex "file:/var/run/apache2/2.2/ssl_mutex" ProxyRequests off ProxyPreserveHost on <VirtualHost _default_:443> ServerName XXX_REPLACE_WITH_YOUR_FQDN ServerAdmin webservd@XXX_REPLACE_WITH_YOUR_FQDN SSLEngine on SSLCompression off SSLSessionTickets off SSLCertificateFile "/etc/apache2/2.2/server.crt" SSLCertificateKeyFile "/etc/apache2/2.2/server.key" SSLCertificateChainFile "/etc/apache2/2.2/server-ca.crt" Header always set Strict-Transport-Security "max-age=15768000" ProxyPass / http://127.0.0.1:9000/ ProxyPassReverse / https://XXX_REPLACE_WITH_YOUR_FQDN/ CustomLog "/var/apache2/2.2/logs/ssl_request_log" \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" </VirtualHost> EOF # /usr/apache2/2.2/bin/apachectl -t Syntax OK # svcadm enable svc:/network/http:apache22
Our SonarQube instance is now running as non-root and is reachable via https only.
# tail -f /var/apache2/2.2/logs/ssl_request_log [28/Apr/2017:10:47:03 +0200] x.x.x.x TLSv1.2 AES256-GCM-SHA384 "GET / HTTP/1.1" 480 [28/Apr/2017:10:47:03 +0200] x.x.x.x TLSv1.2 AES256-GCM-SHA384 "GET /css/sonar.175ebec8.css HTTP/1.1" 36489 ...
Compliance? Check!
No comments:
Post a Comment