Short, sweet and to the point. We are beginning to demo the Community Edition of SonarQube’s code analysis tool. While I’m certain others have written extensively on the merits of SonarQube itself, today I’m going to share a very simple method to front-end the SonarQube installation with HAProxy and provide a secure endpoint.
A couple of prerequisites (likely included with your distro of choice):
- intermediate certificate, certificate and matching key ( https://letsencrypt.org/getting-started/ )
- heads-up – the private key cannot have a password / passphrase
- HAProxy ( http://www.haproxy.org/ )
- SonarQube installation ( https://docs.sonarqube.org/latest/setup/install-server/ )
First, let’s prep our certificate:
ramblingman@sonarqube:~$ ls -l cert/
total 40
-rw-rw-r-- 1 ramblingman ramblingman 2764 Nov 1 22:29 site.pem
-rw-rw-r-- 1 ramblingman ramblingman 3311 Nov 1 22:29 site.key
-rw-rw-r-- 1 ramblingman ramblingman 4924 Nov 1 22:29 intermediate.crt
ramblingman@sonarqube:~$ sudo -i
root@sonarqube:~# mkdir -p /etc/haproxy/ssl/site.com
root@sonarqube:~# cat ~ramblingman/cert/site.pem ~ramblingman/cert/intermediate.crt ~ramblingman/cert/site.key > /etc/haproxy/ssl/site.com/combined.pem
root@sonarqube:~# chmod 600 /etc/haproxy/ssl/site.com/combined.pem
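The same bundle step as an added example (not part of the original post): it refuses a passphrase-protected key, creates the file owner-only from the start instead of tightening it afterwards with chmod, and sanity-checks the result before moving it into place. The function names are hypothetical; the paths in the usage comment are the ones used above.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Succeeds if file $1 holds a passphrase-protected key (the post requires none).
key_is_encrypted() {
    grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Print how many PEM blocks in file $1 have a BEGIN label matching regex $2.
count_blocks() {
    grep -Ec -e "^-----BEGIN $2-----" "$1" || true
}

# Succeeds only if the bundle is owner-only and holds 2+ certs and one clear key.
verify_bundle() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] || { echo "$1: accessible by group/other" >&2; return 1; }
    ! key_is_encrypted "$1" || { echo "$1: key is passphrase-protected" >&2; return 2; }
    [ "$(count_blocks "$1" CERTIFICATE)" -ge 2 ] || { echo "$1: expected cert + intermediate" >&2; return 3; }
    [ "$(count_blocks "$1" '([A-Z]+ )?PRIVATE KEY')" -eq 1 ] || { echo "$1: expected one private key" >&2; return 4; }
}

# build_bundle CERT INTERMEDIATE KEY OUT
build_bundle() {
    cert=$1; chain=$2; key=$3; out=$4
    if key_is_encrypted "$key"; then
        echo "$key: key is passphrase-protected" >&2; return 2
    fi
    # The subshell keeps umask 077 local. mktemp creates the file 0600, so the key
    # is never readable by others, unlike "cat > file" followed by "chmod 600".
    (
        umask 077
        tmp=$(mktemp "$out.XXXXXX") || exit 1
        cat "$cert" "$chain" "$key" > "$tmp" && verify_bundle "$tmp" && mv -f "$tmp" "$out" && exit 0
        rc=$?; rm -f "$tmp"; exit "$rc"
    )
}

# Usage, as root:
#   build_bundle ~ramblingman/cert/site.pem ~ramblingman/cert/intermediate.crt \
#       ~ramblingman/cert/site.key /etc/haproxy/ssl/site.com/combined.pem
```

Because the block counts are anchored to the start of a line, an input file that lacks a trailing newline (which makes cat glue an END line to the next BEGIN line) is rejected rather than written out as a corrupt bundle.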
Now let’s take a look at haproxy.cfg:
frontend localhost
    bind *:80
    bind *:443 ssl crt /etc/haproxy/ssl/site.com/combined.pem
    redirect scheme https if !{ ssl_fc }
    mode http
    default_backend nodes

backend nodes
    mode http
    balance roundrobin
    option forwardfor
    option httpchk HEAD / HTTP/1.1\r\nHost:localhost
    server web01 127.0.0.1:8080 check
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
And finally, we need to make sure that SonarQube is listening on localhost (only) and your port of choice (we’re using 8080 in our example):
sonar.properties:
sonar.web.host=127.0.0.1
sonar.web.port=8080
By binding to 127.0.0.1, SonarQube accepts connections only from the local host, so remote clients can reach it only through HAProxy. You can choose to leave the default port 9000, but make sure to adjust haproxy.cfg accordingly.
Finally, start SonarQube and HAProxy and enjoy your protected site.