I’m using SonarQube 7.7 Community Edition. I’m trying to install SonarQube behind Apache 2.4. I’m using Apache 2.4 as an SSL proxy.
I have just edited two properties in sonar.properties:
sonar.web.context=/sonarqube
sonar.web.port=19000
All works fine in http://myip:19000/sonarqube, but when I configure SonarQube behind Apache 2.4, with this httpd.conf:
<VirtualHost _default_:443>
...
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /sonarqube http://myip:19000/sonarqube
ProxyPassReverse /sonarqube http://myip:19000/sonarqube
...
</VirtualHost>
and I try to log in at https://myip/sonarqube and edit a form (with a POST request)… then SonarQube closes my session and logs me out. If I search the SonarQube log I see:
DEBUG web[AWtV1ddZzkIdcMqWAAAZ][auth.event] login failure [cause|Wrong CSFR in request][method|JWT][provider|LOCAL|local][IP|xxx.xxx.11.34|xxx.xxx.47.63][login|AWtLPuNDxAaJINzP5NvF]
Usually, this means a cookie is getting touched by the proxy (;HTTPOnly appended, ;Secure appended) and this shouldn’t be done; SonarQube handles this itself when appropriate.
To run the SonarQube server over HTTPS, you must build a standard reverse proxy infrastructure.
The reverse proxy must be configured to set the value X_FORWARDED_PROTO: https in each HTTP request header. Without this property, redirection initiated by the SonarQube server will fall back on HTTP.
But I do not know whether I have to do this, nor how to do it. I tried to add this line to the Apache VirtualHost configuration:
The issue you’re encountering is because the cookie XSRF-TOKEN has its HttpOnly attribute set to true, whereas it should be set to false.
There’s probably something in your configuration that sets all HttpOnly attributes to true. You need to update this so that the value stays false for XSRF-TOKEN.
Just to wrap this up — SonarQube will automatically append the Secure flag to cookies when it’s being served over SSL, so feel free to simplify your configuration further if you want.
Since I spent half a day trying to figure this out, and this is the top Google result for this issue, I’m adding this note in case it helps someone else:
If your first attempt to use a reverse proxy did not include a subdirectory (sonar.web.context was not set) and then you added it, you might end up with two copies each of XSRF-TOKEN and JWT-SESSION, one with the path /sonarqube (or whatever sonar.web.context you use) and another for /. Delete the ones for / and everything will start working.
I can confirm the problem and the resolution are right.
In my case there was a problem with a session cookie that had been modified (by an F5 DNS server), setting the HttpOnly flag to true.
Due to this problem, after every POST request in the Sonar application (like creating a project, changing credentials, etc.) the screen goes back to the login page. See my screenshot taken with F12 debug.
Examine the XSRF-TOKEN HttpOnly flag and remove it; check your web server’s configuration or any other security layers that may be in place apart from the Sonar application.
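A small diagnostic, added here and not part of this thread, of SonarQube or of Apache, that applies the checks from the replies above (an HttpOnly flag forced onto XSRF-TOKEN by the proxy or load balancer, and duplicate XSRF-TOKEN/JWT-SESSION cookies for / and for the sonar.web.context path) to Set-Cookie values copied from the browser’s developer tools; the sample cookie values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Cookie names as quoted in the thread; XSRF-TOKEN must stay readable by page JS.
SESSION_COOKIE = "JWT-SESSION"
CSRF_COOKIE = "XSRF-TOKEN"

@dataclass
class Cookie:
    name: str
    path: str = "/"
    flags: Set[str] = field(default_factory=set)

def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie value such as 'NAME=v; Path=/x; HttpOnly; Secure'."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    cookie = Cookie(name=parts[0].split("=", 1)[0])
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "path":
            cookie.path = val or "/"
        else:
            cookie.flags.add(key)  # httponly, secure, samesite, ...
    return cookie

def diagnose(set_cookie_headers: List[str], context: str) -> List[str]:
    """Return findings that explain why every POST ends in a forced logout."""
    findings: List[str] = []
    paths: Dict[str, Set[str]] = {}
    for c in (parse_set_cookie(h) for h in set_cookie_headers):
        paths.setdefault(c.name, set()).add(c.path)
        if c.name == CSRF_COOKIE and "httponly" in c.flags:
            findings.append(
                f"{CSRF_COOKIE} carries HttpOnly: the UI cannot read it to echo the CSRF "
                "token, so POSTs fail with 'Wrong CSFR in request'; fix the proxy rule.")
    for name in (CSRF_COOKIE, SESSION_COOKIE):
        if len(paths.get(name, set())) > 1:
            findings.append(
                f"{name} is set for several paths {sorted(paths[name])}: leftovers from "
                f"a deployment without sonar.web.context; delete those not on {context}.")
    return findings

if __name__ == "__main__":
    # Constructed headers reproducing both failure modes from the thread.
    sample = ["JWT-SESSION=eyJ...; Path=/sonarqube; HttpOnly",
              "XSRF-TOKEN=abc123; Path=/sonarqube; HttpOnly",  # proxy-added HttpOnly
              "XSRF-TOKEN=old456; Path=/"]  # stale cookie left from context '/'
    print("\n".join(diagnose(sample, "/sonarqube")) or "no cookie problems found")
```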