'Wrong CSFR in request' when running sonar

Published 2019-08-17 06:08

Question:

Dear sonarqube community,

we have set up sonarqube behind an apache2 secure (ssl) reverse proxy. Normal access works fine but privileged actions lead to the following error:

2017.12.19 08:26:02 DEBUG web[AWBtqc1RcFsQ/x1cAAAx][auth.event] login failure [cause|Wrong CSFR in request][method|JWT][provider|LOCAL|local] [IP|xxx.xxx.xxx.xxx|yyy.yyy.yyy.yyy][login|admin]

sonarqube runs at '/sonar' and the apache configuration looks like this:

...
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
...
<Location /sonar>
  RequestHeader set X-Forwarded-Proto "https"
  ProxyPass        http://xxx.domain:9000/sonar
  ##ProxyPassReverse http://xxx.domain:9000/sonar
  ProxyPassReverse https://<service>.<domain>.<tld>/sonar
</Location>

sonarqube version is 6.7 LTS, apache version is 2.4.27 

thanks in advance

Answer 1:

Since you're using a reverse-proxy setup, you should pay attention to this change that occurred in v6.0, and which we've just clarified in the Upgrade Notes:

So far, if you were securing your SonarQube server behind a reverse-proxy, you had to make sure that Cookies were marked as secure at proxy level. Starting from v6.3, SonarQube automatically sets that flag when interacting via HTTPS. You should therefore remove any custom config you would have put in your reverse-proxy to flag SonarQube cookies as secure.

It can be that such a leftover config in the reverse-proxy would cause interference, leading to authentication failure(s) like the one you've observed.
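To make the answer concrete, here is an added example (not from the question or the answer) of the kind of leftover reverse-proxy rule it describes, placed next to the cleaned-up form. It assumes the proxy uses mod_headers' `Header edit` to stamp `Secure` onto every cookie, which is a common way such a rule was written; the hostnames and path are placeholders.

```apache
# Added example, not the poster's configuration. Hostnames are placeholders.

# --- Before: a pre-6.3 style rule that forcibly re-flags every cookie ---
<Location /sonar>
  RequestHeader set X-Forwarded-Proto "https"
  ProxyPass        http://sonar-backend.example:9000/sonar
  ProxyPassReverse http://sonar-backend.example:9000/sonar
  # Assumed leftover: rewrites every Set-Cookie to append Secure/HttpOnly.
  # Remove this once SonarQube 6.3+ sets the flag itself over HTTPS.
  Header edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly"
</Location>

# --- After: let SonarQube decide, based on X-Forwarded-Proto, whether the cookie is Secure ---
<Location /sonar>
  RequestHeader set X-Forwarded-Proto "https"
  ProxyPass        http://sonar-backend.example:9000/sonar
  ProxyPassReverse http://sonar-backend.example:9000/sonar
</Location>
```

Two notes on the example. `ProxyPassReverse` takes the backend URL, because its job is to rewrite `Location` and `Set-Cookie` headers that name the backend, so it mirrors the `ProxyPass` target rather than the public hostname. To confirm the cleanup took effect, inspect the `Set-Cookie` headers on the login response (for instance with `curl -si` against the public `/sonar` URL) and check that each cookie carries a single `Secure` attribute set by SonarQube itself, not a second one appended by the proxy.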



Tags: sonarqube