See https://docs.sonarqube.org/display/SONAR/Documentation for current functionality
There are two ways to run SonarQube over HTTPS:
- By building a standard reverse proxy infrastructure
- By configuring the SonarQube server that natively supports SSL (since version 4.0)
Building a Standard Reverse Proxy Infrastructure
Using a reverse proxy infrastructure is the recommended way to set up your SonarQube installation in production environments that need to be highly secured. It gives you full control over all the security parameters you want to enforce.
The reverse proxy must be configured to set the value "X_FORWARDED_PROTO: https" in the header of each HTTP request it forwards.
Without this property, redirections initiated by the SonarQube server will fall back to HTTP.
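The following check for that fallback is an added example and is not part of the SonarQube documentation or code base. It assumes a constructed public host name and constructed sample responses; the header-name matching accepts both the X_FORWARDED_PROTO spelling used above and the usual X-Forwarded-Proto form.

```python
# Detects the HTTP fallback described above: a redirect built without
# X_FORWARDED_PROTO: https comes back as http://... (example code, not SonarQube's).
from urllib.parse import urlsplit

def forwarded_scheme(request_headers):
    """Scheme SonarQube will assume for a request relayed by the reverse proxy.
    Names are compared case-insensitively and '_' is treated like '-', so both
    X_FORWARDED_PROTO and X-Forwarded-Proto match."""
    for name, value in request_headers.items():
        if name.lower().replace("_", "-") == "x-forwarded-proto":
            return value.strip().lower()
    return "http"  # no hint from the proxy: redirects fall back to plain HTTP

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers

def audit_redirect(raw_response, public_host):
    """Findings for a response captured on the proxy's public HTTPS side.
    A 3xx whose Location starts with http:// means the server never saw
    X_FORWARDED_PROTO: https and is sending the client back to plain HTTP."""
    status, headers = parse_response(raw_response)
    findings = []
    if 300 <= status < 400 and "location" in headers:
        target = urlsplit(headers["location"])
        if target.scheme == "http":
            findings.append("downgrade: redirect to " + headers["location"])
        if target.hostname and target.hostname != public_host:
            findings.append("host mismatch: redirect to " + target.hostname)
    return findings

# Constructed sample responses (not captured from a real server).
BAD_RESPONSE = ("HTTP/1.1 302 Found\r\n"
                "Location: http://sonar.example.com/sessions/new\r\n"
                "Content-Length: 0\r\n\r\n")
GOOD_RESPONSE = ("HTTP/1.1 302 Found\r\n"
                 "Location: https://sonar.example.com/sessions/new\r\n"
                 "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(forwarded_scheme({"Host": "sonar.example.com"}))  # http
    print(audit_redirect(BAD_RESPONSE, "sonar.example.com"))
    print(audit_redirect(GOOD_RESPONSE, "sonar.example.com"))
```

Run it against a response captured with curl from the proxy's public URL after any change to the proxy configuration; an empty findings list for the login redirect confirms the header is reaching SonarQube.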
Configuring the SonarQube Server that Natively Supports SSL
Because Tomcat is embedded in SonarQube in a "black box" mode, only a few Tomcat parameters can be customised, which might be an issue for some security configurations. Known limitations are:
The configuration is fairly standard. The information needed to access the certificate must be provided in the configuration of the web server.
Here are two examples: generating a certificate, and reusing an existing certificate.
Generating a Certificate
Generate an RSA certificate
Run the following command:
It adds the certificate to USER_HOME/.keystore.
Configure the SonarQube server
Open the SONARQUBE_HOME/conf/sonar.properties file and update it as below:
Restart the web server. You should now only be able to access the SonarQube server over HTTPS on port 8999.
Running an Analysis
Update the settings of your analyzer (SONARQUBE_HOME/conf/sonar-runner.properties for SonarQube Runner or settings.xml for Maven...):
Analyze one of your projects to check that it works fine.
Use an Existing Certificate
The name attribute value will be used for
The export password you have entered should be specified for
Then copy your myserver.p12 file to a secure place (e.g. /opt/sonar/conf) and configure SonarQube to use it: