Rory Primrose

Learn from my mistakes, you don't have time to make them yourself

View project on GitHub

Let's Encrypt with SonarQube

Posted on April 21, 2017

Using the same concept of putting Octopus Deploy behind a reverse proxy, I want to wrap SonarQube behind an IIS reverse proxy so I can use Let’s Encrypt certificates to host it.

There are a few steps to get this up and running.

  1. Create a new IIS website.
  2. Configure IIS with Let’s Encrypt for which I used Certify.
  3. Configure IIS with dependencies to support reverse proxy. See here for the start of the blog series.
  4. Add web.config that pipes requests to SonarQube but also supports Let’s Encrypt.

This last point is where things can get a little tricky. All http requests to the reverse proxy website should be piped over to the internal SonarQube server. The exception to this is where requests come in from Let’s Encrypt for validation of the new certificate request.

The following web.config handles all this.

<?xml version="1.0" encoding="UTF-8"?>
                <rule name="LetsEncrypt" stopProcessing="true">
                    <match url=".well-known/acme-challenge/*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="None" />
                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://localhost:9000/{R:1}" />
                        <set name="X_FORWARDED_PROTO" value="https" />
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                    <match serverVariable="RESPONSE_Strict_Transport_Security"
                        pattern=".*" />
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    <action type="Rewrite" value="max-age=31536000" />
                <remove name="X-Powered-By" />

This configuration does the following:

  • Let through any Let’s Encrypt requests to its own website
  • Tell HTTPS response to only use HTTPS in the future via the HSTS header.
  • Forward HTTPS requests onto the internal SonarQube server at http://localhost:9000

Update: Fixed HSTS header being sent over HTTP