Disable Server Signature in Docker SonarQube 9.9.3

SonarQube Version: Developer Edition Version 9.9.3 (build 79811)
SonarQube Deployed: Docker
Issue: Disable Apache Webserver’s version information from being exposed in SonarQube when accessing HTTP 404 error pages after changing the sonar.web.context to not use the default value of root context.

What have we tried:

  • Locate /etc/apache2/ or /etc/httpd/ to modify httpd.conf, doesn’t exist.
    • Want to set ServerSignature directive to Off
  • Locate server.xml and add valve showServerInfo="false"
    • <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>, doesn’t exist.
  • Locally running a Docker SonarQube (sonar/sonarqube:9.9.3) and added "-Dsonar.web.context=/sonarqube" to replicate the issue in prod.

What is documented is that “Web server is executed in a dedicated Java process”. Not sure what to update in the JVM options, if that is where the change should be, to turn off the Apache Webserver’s version information from being exposed.

Hey there.

This is something we addressed in SonarQube 10.1 (SONAR-19107) but don’t have any advice to offer on how to adjust the embedded Tomcat in earlier versions.

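To confirm whether an instance still discloses the server version on its 404 pages (for example before and after moving to 10.1), a check like the following can be pointed at an unmapped path under the web context. This is an added example, not part of the posts above or of SonarQube; the sample error page, the 9.0.0 version string and the function names are constructed for illustration.

```python
import re
import sys
import urllib.error
import urllib.request

# Matches banners such as "Apache Tomcat/9.0.0" or "Apache/2.4.0".
BANNER = re.compile(r"\bApache(?: Tomcat)?/\d+(?:\.\d+)+")

# Constructed sample of an error page that ends with a server banner.
SAMPLE_404_BODY = (
    "<!doctype html><html><head><title>HTTP Status 404</title></head>"
    "<body><h1>HTTP Status 404</h1><hr class=\"line\" />"
    "<h3>Apache Tomcat/9.0.0</h3></body></html>"
)

def find_version_banners(headers, body):
    """Return sorted (location, banner) pairs found in headers and body."""
    findings = set()
    for name, value in headers.items():
        if name.lower() in ("server", "x-powered-by"):
            match = BANNER.search(value)
            if match:
                findings.add((f"header:{name}", match.group(0)))
    for match in BANNER.finditer(body):
        findings.add(("body", match.group(0)))
    return sorted(findings)

def fetch_error_page(url, timeout=10):
    """GET url and return (status, headers, body), also for 4xx/5xx replies."""
    try:
        resp = urllib.request.urlopen(url, timeout=timeout)
        status = resp.status
    except urllib.error.HTTPError as err:
        # urllib raises on 404, but the exception still carries the page.
        resp, status = err, err.code
    with resp:
        body = resp.read().decode("utf-8", "replace")
        return status, dict(resp.headers.items()), body

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. http://localhost:9000/sonarqube/no-such-page (local test container)
        status, headers, body = fetch_error_page(sys.argv[1])
    else:
        status, headers, body = 404, {}, SAMPLE_404_BODY
    hits = find_version_banners(headers, body)
    print(status, hits or "no version banner found")
    sys.exit(1 if hits else 0)
```

The non-zero exit status on a finding lets the check gate a deployment pipeline or a post-upgrade smoke test.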