Friday, April 28, 2017

SonarQube running as non-root behind a SSL reverse proxy

SonarQube running as non-root behind a SSL reverse proxy

Last time we configured SonarQube to use a MySQL database, see SonarQube with MySQL 5.7.

SonarQube is still running as root (no reason to, it's using a port > 1024). We'll change that and make SonarQube listen on localhost behind a SSL reverse proxy for security reasons as well (company rule, everything has to be transmitted encrypted...).

Let's start with making SonarQube non-root. To do that we create a local group/user named sonar and change some permissions in /opt/sonarqube-6.3.1.

# /opt/sonarqube-6.3.1/bin/solaris-sparc-64/sonar.sh stop
Stopping SonarQube...
Waiting for SonarQube to exit...
Stopped SonarQube.

# groupadd -g 9000 sonar
# useradd -u 9000 -g sonar -d /opt/sonarqube-6.3.1 -s /usr/bin/bash -m sonar
# passwd -N sonar
passwd: password information changed for sonar

# chown -R sonar:sonar /opt/sonarqube-6.3.1/{data,logs,temp} \
  /opt/sonarqube-6.3.1/extensions/{downloads,plugins}

# perl -w -pi -e 's/#(sonar.web.host=).*$/${1}127.0.0.1/' /opt/sonarqube-6.3.1/conf/sonar.properties
# perl -w -pi -e 's@^(PIDDIR=").*$@${1}/opt/sonarqube-6.3.1/logs/"@' /opt/sonarqube-6.3.1/bin/solaris-sparc-64/sonar.sh

# su - sonar

$ /opt/sonarqube-6.3.1/bin/solaris-sparc-64/sonar.sh start
Starting SonarQube...
Started SonarQube.

$ tail -f /opt/sonarqube-6.3.1/logs/sonar.log
...
2017.04.28 10:04:59 INFO  app[][o.s.application.App] SonarQube is up

Running a network reachable service as root only gets you into trouble anyway. ;)

Time to configure a SSL reverse proxy. We'll use Apache 2.2 for this because it's already installed.

Steps for creating a new SSL certificate/key with pktool can be found here How to create a SSL CA/certificate/key with pktool. Done that? Good.

# cp CA.crt /etc/apache2/2.2/server-ca.crt
# cp server.crt /etc/apache2/2.2/
# cp server.key /etc/apache2/2.2/
# chown webservd:webservd /etc/apache2/2.2/server*

# cat << 'EOF' > /etc/apache2/2.2/conf.d/ssl-sonar.conf
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512

SSLCryptoDevice pkcs11

Listen XXX_REPLACE_WITH_YOUR_FQDN:443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLCipherSuite AESGCM:AES
SSLProxyCipherSuite AESGCM:AES
SSLHonorCipherOrder on
SSLProtocol TLSv1.2
SSLProxyProtocol TLSv1.2
SSLSessionCache "shmcb:/var/run/apache2/2.2/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/var/run/apache2/2.2/ssl_mutex"

ProxyRequests off
ProxyPreserveHost on

<VirtualHost _default_:443>
  ServerName XXX_REPLACE_WITH_YOUR_FQDN
  ServerAdmin webservd@XXX_REPLACE_WITH_YOUR_FQDN

  SSLEngine on
  SSLCompression off
  SSLSessionTickets off
  SSLCertificateFile "/etc/apache2/2.2/server.crt"
  SSLCertificateKeyFile "/etc/apache2/2.2/server.key"
  SSLCertificateChainFile "/etc/apache2/2.2/server-ca.crt"

  Header always set Strict-Transport-Security "max-age=15768000"

  ProxyPass / http://127.0.0.1:9000/
  ProxyPassReverse / https://XXX_REPLACE_WITH_YOUR_FQDN/

  CustomLog "/var/apache2/2.2/logs/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
EOF

# /usr/apache2/2.2/bin/apachectl -t
Syntax OK

# svcadm enable svc:/network/http:apache22

Our SonarQube instance is now running as non-root and is reachable via https only.

# tail -f /var/apache2/2.2/logs/ssl_request_log
[28/Apr/2017:10:47:03 +0200] x.x.x.x TLSv1.2 AES256-GCM-SHA384 "GET / HTTP/1.1" 480
[28/Apr/2017:10:47:03 +0200] x.x.x.x TLSv1.2 AES256-GCM-SHA384 "GET /css/sonar.175ebec8.css HTTP/1.1" 36489
...

Compliance? Check!

Links

No comments:

Post a Comment

389 Directory Server 1.3.x LDAP client authentication

389 Directory Server 1.3.x LDAP client authentication Last time we did a multi-master replication setup, see 389 Directory Server 1.3.x Repl...