Task: Use CodeSonar with a Reverse Proxy

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar^® 9.2p0

CONFIDENTIAL

CodeSecure Inc

Task: Use CodeSonar with a Reverse Proxy

Some reverse proxy behaviors can interfere with communication between the CodeSonar analysis and the hub.

This task describes how to configure your reverse proxy to allow CodeSonar to work correctly, using NGINX as an example.

Note that it is not possible to use certificate-based hub authentication in the presence of a proxy or reverse proxy.

General Requirements
Example: NGINX
Links

General Requirements

Reverse proxy behaviors such as buffering, caching, and timeouts can interfere with communication between the CodeSonar analysis and the hub.

Configuring your reverse proxy to allow CodeSonar to work correctly will generally include the following.

Buffering. Disable response buffering and request buffering.
CodeSonar uses long poll responses for hub communication. These responses must be pipelined rather than buffered in their entirety.
Caching. Disable caching.
Timeouts Set appropriately long read and connect timeouts.
CodeSonar's long poll responses can last indefinitely, so we recommend setting timeouts to be longer than the duration of the longest CodeSonar analysis you expect to perform.
HTTP X-Forwarded-For header. The proxy should set the X-Forwarded-For header to the address of the HTTP client.
This is especially important in contexts like distributed analysis, where the IP address of the analysis master must be available to the hub so it can be communicated to other processes.
Response forwarding. Forward non-200 responses to the client (don't convert into a "bad gateway").

Note: It is not possible to use certificate-based hub authentication in the presence of a proxy or reverse proxy. TLS client authentication is designed to prevent "man in the middle" attacks and the reverse proxy is a man in the middle.

Example: NGINX

The following NGINX configuration will allow CodeSonar to work correctly.

http {

    server {
        ...
        ...

        location / {
            ...
            ...
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_buffering off;
            proxy_cache off;
            proxy_request_buffering off;
            proxy_read_timeout 1w;
            proxy_connect_timeout 300s;
        }
    }
}

For more information about these settings, see the following links.

Links

To report problems with this documentation, please visit https://support.codesecure.com/.