Cannot change admin password if SonarQube is behind Proxy.


Charlee Chitsuk

Jan 24, 2017, 3:10:57 AM
to SonarQube
Hi,

I've configured SonarQube 6.2 behind a proxy (Apache HTTP server) by following [1]. I am able to log in and use the web console properly.

Anyhow, when I try to change the password of the user "admin", it does not succeed and "sonar-home/logs/access.log" shows me:

172.17.1.146 - - [24/Jan/2017:14:58:47 +0700] "POST /sonar/api/users/change_password HTTP/1.0" 401
   "https://[my-fqdn]/sonar/account/security/" ....

Furthermore, I also had a chance to test it directly against SonarQube without the proxy. It works perfectly:

172.17.1.146 - - [24/Jan/2017:15:00:38 +0700] "POST /sonar/api/users/change_password HTTP/1.1" 204
"http://[my-fqdn]:61080/sonar/account/security/" ...

Could you please help to advise?


[2] [my-fqdn] is mapped to host 172.17.1.146 as well. I'm using the web browser on the same host as SonarQube.

Charlee Chitsuk

Jan 24, 2017, 11:24:03 PM
to SonarQube
Hi,

After investigation I've found the difference between calling SonarQube directly and calling it through the proxy:

1. Calling directly

There is an HTTP header named "X-XSRF-TOKEN" which has the same value as the cookie named "XSRF-TOKEN".

2. Calling through the proxy

There is no HTTP header named "X-XSRF-TOKEN".

Furthermore, the proxy has been set to force all cookies to be secured as

    #Force secured cookies and Http-Only
    Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly

I'm not sure if this may cause the trouble or not. Could you please help to advise?

Charlee Chitsuk

Jan 25, 2017, 12:37:53 AM
to SonarQube
Hi,

I've found the root cause and solution for this issue:

1. Root cause

The XSRF-TOKEN cookie is set to HttpOnly, so activities via the SonarQube web UI will fail.

2. Solution

Do not set HttpOnly on the cookie named XSRF-TOKEN.

Eric Hartmann

Jan 25, 2017, 11:40:33 AM
to SonarQube
Hi Charlee,

It's a bit strange; I've just checked and it should work out of the box.
Are you using SSL/TLS or just plain HTTP?
Which httpd version are you using?

Cheers,

Charlee Chitsuk

Jan 25, 2017, 8:21:55 PM
to SonarQube
Hi Eric,

Thank you very much for your response. I've mapped SonarQube behind my Apache HTTP server, which is configured to force all requests to be SSL/TLS (plain HTTP is not allowed). Furthermore, my Apache HTTP server also forces all cookies to be "Secure" and "HttpOnly" with something like

    Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly

Then the cookie named "XSRF-TOKEN" has been forced to be "Secure" and "HttpOnly", too.

Please correct me if I'm wrong. I understand that the web UI uses JavaScript to read the cookie named "XSRF-TOKEN" to create the custom HTTP header named "X-XSRF-TOKEN" when posting the request back to SonarQube. If the cookie is "HttpOnly", the JavaScript cannot read it anymore. This may be the root cause.

To solve this issue, I asked my engineer to add an exception so that "XSRF-TOKEN" is not "HttpOnly". After that, everything works fine.

Eric Hartmann

Jan 26, 2017, 10:44:13 AM
to SonarQube
Hi Charlee,

Now I understand the issue; indeed, if all cookies are set to Secure;HttpOnly by the reverse proxy, this will break the CSRF security, not allowing you to use the REST services.
So you have to make the exception to make SonarQube work.

Note that SonarQube 6.2 is sending the cookies with the correct flags and there is no need to update them in the reverse proxy, so if you are allowed to remove the directive "Header edit Set-Cookie ^(.*)$ $1;Secure;HttpOnly", just remove this directive.

Cheers,
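The effect of the proxy's blanket Set-Cookie rewrite versus a rewrite that exempts the XSRF-TOKEN double-submit cookie, as an added Python example that is not from this thread or from SonarQube. The exempting regex mirrors an assumed Apache directive with a PCRE negative lookahead (`Header edit Set-Cookie "^((?!XSRF-TOKEN=).*)$" "$1;Secure;HttpOnly"`), and the sample Set-Cookie values are constructed.

```python
import re

# The blanket rule quoted in the thread, applied as a regex substitution over
# each Set-Cookie header value: every cookie gets ;Secure;HttpOnly appended.
BLANKET_RULE = (re.compile(r"^(.*)$"), r"\1;Secure;HttpOnly")

# Assumed corrected rule: leave the XSRF-TOKEN cookie untouched so the web UI's
# JavaScript can still copy it into the X-XSRF-TOKEN header; harden everything else.
EXEMPT_RULE = (re.compile(r"^((?!XSRF-TOKEN=).*)$"), r"\1;Secure;HttpOnly")


def apply_rule(set_cookie, rule):
    """Rewrite one Set-Cookie value the way the proxy's Header edit would."""
    pattern, repl = rule
    return pattern.sub(repl, set_cookie, count=1)


def parse_set_cookie(value):
    """Return (cookie name, lower-cased attribute names) for a Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def script_readable(set_cookie):
    """A cookie is visible to document.cookie only when it lacks HttpOnly."""
    _, attrs = parse_set_cookie(set_cookie)
    return "httponly" not in attrs


def check_xsrf_cookie(upstream_headers, rule):
    """Map each cookie name to whether it stays script-readable after the proxy
    rewrite; XSRF-TOKEN must be True or change_password-style POSTs get 401."""
    return {
        parse_set_cookie(apply_rule(h, rule))[0]: script_readable(apply_rule(h, rule))
        for h in upstream_headers
    }


# Constructed upstream headers (shape only; values are made up).
UPSTREAM = [
    "JWT-SESSION=eyJhbGciOi...; Path=/sonar; HttpOnly",
    "XSRF-TOKEN=abc123; Path=/sonar",
]

if __name__ == "__main__":
    print("blanket :", check_xsrf_cookie(UPSTREAM, BLANKET_RULE))
    print("exempted:", check_xsrf_cookie(UPSTREAM, EXEMPT_RULE))
```

With the blanket rule both cookies come back HttpOnly, which is the failure mode in the thread; with the exempting rule only the session cookie is hardened and XSRF-TOKEN remains readable.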