As a SonarQube operator, we need to detect intrusion attempts in order to protect a public SonarQube instance with tools like fail2ban, and we need to be warned when authentication with a third party is not working.
To do this, we need a meaningful single log line written when authentication finishes, containing:
- X-Forwarded-For header (it would be nice to have separate fields for the IP and the X-Forwarded-For value)
- status (successful or failure)
- reason for failure (best effort here; we should not hide the stack trace for GitHub, so that the failure can be investigated manually)
- provider (github, ldap, default, ...)
The must-have providers are internal and Github for hosted SonarQube instances.
There is no configuration property for this.
Some insights:
- X-Forwarded-For Header is automatically added by Apache httpd (
- X-Real-IP header is sometimes used to store the value of the IP (http://distinctplace.com/infrastructure/2014/04/23/story-behind-x-forwarded-for-and-x-real-ip-headers/); I don't think it's valuable to add it
- For your information, X-Forwarded-For contains a list of IPs separated by commas, so we cannot assume that it's a single IP
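As an added example (not SonarQube's own code) of the single log line requested above and of a fail2ban-style filter that could consume it, in Python; it assumes exactly one trusted Apache httpd reverse proxy in front of SonarQube, and the headers, logins and failure messages are constructed:

```python
import re

def client_ip(headers, remote_addr):
    """Split X-Forwarded-For into its comma-separated hops and pick the
    client IP. Assumption (constructed example): one trusted reverse proxy
    (Apache httpd) sits in front of SonarQube and appends the address it
    saw, so the rightmost hop is the one the proxy wrote; earlier hops come
    from the client and may be forged, so they are kept only for the audit
    trail. Returns (ip_to_act_on, full_chain)."""
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    if not hops:
        return remote_addr, ""          # no proxy header: use socket address
    return hops[-1], ",".join(hops)

def auth_log_line(headers, remote_addr, login, provider, status, reason=None):
    """One log line per finished authentication with the fields the ticket
    asks for: ip, xff chain, provider, status and (on failure) a reason."""
    ip, chain = client_ip(headers, remote_addr)
    fields = [f"login={login}", f"ip={ip}", f"xff={chain or '-'}",
              f"provider={provider}", f"status={status}"]
    if reason:
        fields.append(f'reason="{reason}"')
    return "Authentication " + " ".join(fields)

# fail2ban filter style regex (fail2ban compiles these as Python regexes;
# a named group stands in for its <HOST> tag here).
FAILREGEX = re.compile(r"Authentication login=\S+ ip=(?P<host>[0-9a-fA-F.:]+) "
                       r"xff=\S+ provider=\S+ status=failure")

def failed_auth_hosts(lines):
    """Return the IP of each failed authentication, i.e. what fail2ban
    would count toward its maxretry threshold."""
    return [m.group("host") for line in lines if (m := FAILREGEX.search(line))]

# Constructed sample events: a forged XFF hop followed by the proxy-added one,
# a direct connection without the header, and a successful GitHub login.
SAMPLE_LINES = [
    auth_log_line({"X-Forwarded-For": "1.2.3.4, 203.0.113.7"}, "10.0.0.2",
                  "admin", "default", "failure", "wrong password"),
    auth_log_line({}, "198.51.100.9", "bob", "ldap", "failure",
                  "LDAP bind failed"),
    auth_log_line({"X-Forwarded-For": "203.0.113.7"}, "10.0.0.2",
                  "alice", "github", "success"),
]

if __name__ == "__main__":
    print("\n".join(SAMPLE_LINES))
    print("failed from:", failed_auth_hosts(SAMPLE_LINES))
```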