Hello,
I’m running SonarQube 9.7.0.61563 with an Apache reverse proxy in front that is also configured for HTTPS. The problem is that anything I change automatically redirects to the login page.
Note:
- if the changes are made from ip:port, it works correctly
- the sonar.core.serverBaseURL is set to https://sonar.xxx.yyy.com
For example, sending a test email:
192.168.200.155 - - [02/Dec/2022:13:58:15 +0200] "POST /api/emails/send HTTP/1.1" 401 - "https://sonar.xxx.yyy.com/admin/settings" "Mozilla/5.0 (Windows NT 10.0; rv:107.0) Gecko/20100101 Firefox/107.0" "AYTSnnjK36t4epkpAAF+"
192.168.200.155 - - [02/Dec/2022:13:58:15 +0200] "GET /sessions/new?return_to=%2Fadmin%2Fsettings HTTP/1.1" 200 - "https://sonar.xxx.yyy.com/admin/settings" "Mozilla/5.0 (Windows NT 10.0; rv:107.0) Gecko/20100101 Firefox/107.0" "AYTSnnjK36t4epkpAAF/"
192.168.200.155 - - [02/Dec/2022:13:58:15 +0200] "GET /api/l10n/index?locale=en-US HTTP/1.1" 200 - "https://sonar.xxx.yyy.com/sessions/new?return_to=%2Fadmin%2Fsettings" "Mozilla/5.0 (Windows NT 10.0; rv:107.0) Gecko/20100101 Firefox/107.0" "AYTSnnjK36t4epkpAAGA"
192.168.200.155 - - [02/Dec/2022:13:58:16 +0200] "GET /api/users/identity_providers HTTP/1.1" 200 120 "https://sonar.xxx.yyy.com/sessions/new?return_to=%2Fadmin%2Fsettings" "Mozilla/5.0 (Windows NT 10.0; rv:107.0) Gecko/20100101 Firefox/107.0" "AYTSnnjK36t4epkpAAGB"
The config from Apache:
<VirtualHost *:80>
    ServerName sonar.xxx.yyy.com
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName sonar.xxx.yyy.com
    ServerAdmin admin@somecompany.com
    ProxyRequests Off
    ProxyPass / http://192.168.200.155:9000/
    ProxyPassReverse / http://192.168.200.155:9000/
    ErrorLog logs/sonar/error.log
    CustomLog logs/sonar/access.log common
    SSLEngine on
    SSLCertificateFile /etc/httpd/cert/STAR.crt
    SSLCertificateChainFile /etc/httpd/cert/STAR.ca-bundle
    SSLCertificateKeyFile /etc/httpd/cert/STAR.key
    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

# intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLSessionTickets off
ServerTokens Prod
ServerSignature Off
TraceEnable off
FileETag None
Header set X-XSS-Protection "1; mode=block"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure