6.7.1 Apache Reverse Proxy (SSO) problems


gilbert...@googlemail.com

Apr 17, 2018, 4:36:39 AM
to SonarQube
Hello,

Running SQ 6.7.1 with Apache 2.4 as a reverse proxy on Windows Server 2016.

sonar.properties has:

sonar.web.sso.enable=true
sonar.web.sso.loginHeader=X-Forwarded-Login
sonar.web.sso.nameHeader=X-Forwarded-Name
sonar.web.sso.emailHeader=X-Forwarded-Email
sonar.web.sso.groupsHeader=X-Forwarded-Groups
sonar.web.sso.refreshIntervalInMinutes=5


Apache uses the module mod_authnz_sspi; httpd.conf:

[...]
<Location />
    AuthBasicAuthoritative Off
    AuthLDAPBindAuthoritative On
    AuthBasicProvider ldap
    LDAPReferrals Off
    AuthLDAPMaxSubGroupDepth 2
    AuthLDAPRemoteUserAttribute sAMAccountName
    AuthLDAPURL "ldap://lan.domain.de:389/DC=lan,DC=domain,DC=de?sAMAccountName,memberOf,mail,displayName"
    AuthLDAPBindDN someuser
    AuthLDAPBindPassword somepasswd
    #Require ldap-group CN=Users,DC=lan,DC=domain,DC=de
    Require ldap-attribute ObjectClass="person"
    AuthLDAPGroupAttributeIsDN off
    AuthType SSPI
    AuthName "Sonar"
    SSPIAuth On
    SSPIOfferSSPI On
    SSPIAuthoritative On
    SSPIDomain LAN
    SSPIOmitDomain On
    SSPIPackage Negotiate
    Require valid-sspi-user
</Location>

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile "E:/Apache/conf/ssl/server.cer"
SSLCertificateKeyFile "E:/Apache/conf/ssl/server.key"
SSLCACertificateFile "E:/Apache/conf/ssl/ca-bundle.crt"
ProxyPass / http://127.0.0.1:9000/
ProxyPassReverse / http://127.0.0.1:9000/
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Login %{AUTHORIZE_sAMAccountName}e
RequestHeader set X-Forwarded-Groups %{AUTHORIZE_memberof}e
RequestHeader set X-Forwarded-Email %{AUTHORIZE_mail}e
RequestHeader set X-Forwarded-Name %{AUTHORIZE_displayName}e
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.1
ServerName SomeServer

I don't know any other way to get the groups of a user than the LDAP attribute 'memberOf'.
The problem is that the groups come as ';'-separated DNs (distinguished names), like this:
CN=Group1,OU=someou,OU=someotherou,DC=lan,DC=domain,DC=de;CN=Group2,OU=someou,OU=someotherou,DC=lan,DC=Domain;...

But SonarQube needs the CNs of those groups separated by ','; that would be Group1,Group2 in this example. How can that be achieved?

Is there a configuration option in SonarQube?
Is there any possibility with filters or sub-expressions in the LDAP URL?
Is it possible to rewrite the X-Forwarded-Groups header accordingly?

Regards,
Gilbert

gilbert...@googlemail.com

Apr 17, 2018, 9:37:37 AM
to SonarQube




Found a solution with mod_headers:

httpd.conf
#activate module
LoadModule headers_module modules/mod_headers.so

[...]


RequestHeader set X-Forwarded-Groups %{AUTHORIZE_memberof}e
RequestHeader edit* X-Forwarded-Groups CN=([^,]+),[^;]+ $1
RequestHeader edit* X-Forwarded-Groups ; ,

edit* with a regexp and $1 means that all matches of CN=...; are replaced with the value of the CN.
In the second edit* the separator ';' is replaced with ','.

Works like a charm now.

Regards,
Gilbert
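The two edit* rules replayed outside Apache, as an added example that is not part of the original post: Python's re applies the same patterns in the same order as mod_headers, on a sample groups value constructed from the post. It also shows a stricter split-based parser (an assumption for illustration, not anything Apache or SonarQube provide) that copes with a DN consisting of a bare CN and with a trailing ';', both of which the regex rule passes through unchanged.

```python
import re

# Constructed sample, shaped like the AUTHORIZE_memberof value mod_authnz_ldap
# exports: the user's group DNs separated by ';'.
SAMPLE_GROUPS = (
    "CN=Group1,OU=someou,OU=someotherou,DC=lan,DC=domain,DC=de;"
    "CN=Group2,OU=someou,OU=someotherou,DC=lan,DC=domain,DC=de"
)

# The two 'RequestHeader edit*' rules from the post, in the order Apache applies them.
# mod_headers uses PCRE; for these patterns Python's re matches the same way.
EDIT_RULES = [
    (re.compile(r"CN=([^,]+),[^;]+"), r"\1"),  # keep only the CN value of each DN
    (re.compile(r";"), ","),                   # ';' separator -> ',' for SonarQube
]


def apache_edit_star(value, rules=EDIT_RULES):
    """Replay 'RequestHeader edit*': every match of each rule is replaced, rule by rule."""
    for pattern, replacement in rules:
        value = pattern.sub(replacement, value)
    return value


def parse_group_dns(value):
    """Stricter alternative (assumed, not Apache): split on ';', take each DN's first RDN
    and keep it only if it is a CN, so a bare 'CN=X' DN or a trailing ';' cannot leak a
    raw DN into the comma-separated list SonarQube expects."""
    cns = []
    for dn in value.split(";"):
        dn = dn.strip()
        if not dn:
            continue  # trailing or doubled ';'
        first_rdn = dn.split(",", 1)[0]
        attr, sep, cn = first_rdn.partition("=")
        if sep and attr.strip().upper() == "CN":
            cns.append(cn.strip())
    return ",".join(cns)


if __name__ == "__main__":
    print(apache_edit_star(SAMPLE_GROUPS))                     # Group1,Group2
    print(apache_edit_star("CN=Group1,OU=x,DC=de;CN=Group3"))  # Group1,CN=Group3
    print(parse_group_dns("CN=Group1,OU=x,DC=de;CN=Group3;"))  # Group1,Group3
```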


G. Ann Campbell

Apr 17, 2018, 1:58:18 PM
to SonarQube
Thanks for following up with your solution @Gilbert!


Ann

gilbert...@googlemail.com

Apr 20, 2018, 6:13:22 AM
to SonarQube

Hi Ann,



Unfortunately, testing the Web API calls and access via the SonarQube Ant task with a user token revealed another problem.
With the Apache configuration posted above there is no authentication via BasicAuth,
so we had to expand the httpd.conf again and create a second VirtualHost to make it work:

<VirtualHost *:444>
    ServerName Sonarhost

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile "E:/Apache/conf/ssl/server.cer"
    SSLCertificateKeyFile "E:/Apache/conf/ssl/server.key"
    SSLCACertificateFile "E:/Apache/conf/ssl/ca-bundle.crt"
    ProxyPass / http://127.0.0.1:9000/
    ProxyPassReverse / http://127.0.0.1:9000/

    RequestHeader set X-Forwarded-Proto "https"
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 127.0.0.1
    RequestHeader unset X-Forwarded-Login
    RequestHeader unset X-Forwarded-Groups
    LogFormat "%a %l %{X-Forwarded-Login}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    CustomLog "| \"C:/Program Files/Apache2.4/bin/rotatelogs.exe\" E:/Apache/Logs/Access/access_%Y-%m-%d.log 86400" proxy

    <Proxy *>
        Require all denied
        Require ip 10.132.111.145
    </Proxy>
</VirtualHost>


To make it safe, the RequestHeader unset instructions prevent manipulation of the headers, and an additional Require ip restricts access to specific IPs.


The Ant task now has to use
<property name="sonar.host.url" value="https://sonarhost:444" />

and Web API calls now have to use


Is there another possibility for BasicAuth that we missed?!

After all, I'm rather disappointed; that's not what I'm used to from SonarQube. The configuration of SSO should be a more convenient experience.
With SQ 5.6.6 and LDAP plugin version 1.5.1, the configuration of AD access and SSO with an Apache reverse proxy involved was a breeze.
I fully understand that changes were needed because the proprietary implementation of LDAP plugin 1.5.1 by Microsoft isn't continued.
The configuration of LDAP plugin version 2.2 in SQ 6.7 is a bit more complicated and that's OK, but there is no SSO anymore.
But the configuration of SSO in Apache took a lot of time.
The SonarQube documentation is no help, and it can't be expected that every user is an Apache expert.
Also, SonarQube should handle groups by itself when they come as ';'-separated DNs in the X-Forwarded-Groups header;
I suppose such a feature is already implemented in LDAP plugin 2.2.
And the fact that Web API calls and scanners have to use another port now is not that good. If, for example, someone uses https://sonarhost:444 ... in the browser, his user
entry in SQ is busted, as BasicAuth has no mail and groups header.

Regards,
Gilbert
