'Wrong CSFR in request' when running sonar

2019-08-17 06:16发布

站内问答 / 移动开发
1164 1 6

Dear sonarqube community,

we have set up sonarqube behind an apache2 secure (ssl) reverse proxy. Normal access works fine but privileged actions lead to the following error:

2017.12.19 08:26:02 DEBUG web[AWBtqc1RcFsQ/x1cAAAx][auth.event] login failure [cause|Wrong CSFR in request][method|JWT][provider|LOCAL|local] [IP|xxx.xxx.xxx.xxx|yyy.yyy.yyy.yyy][login|admin]

sonarqube runs at '/sonar' and the apache configuration looks like this:

...
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
...
<Location /sonar>
  RequestHeader set X-Forwarded-Proto "https"
  ProxyPass        http://xxx.domain:9000/sonar
  ##ProxyPassReverse http://xxx.domain:9000/sonar
  ProxyPassReverse [https://]https://<service>.<domain>.<tld>/sonar
</Location>

sonarqube version is 6.7 LTS, apache version is 2.4.27 

thanks in advance

标签: sonarqube
举报
1条回答
够拽才男人
2楼-- · 2019-08-17 06:46

Since you're using a reverse-proxy setup, you should pay attention to this change that occured in v6.0, and which we've just clarified in the Upgrade Notes :

So far, if you were securing your SonarQube server behind a reverse-proxy, you had to make sure that Cookies were marked as secure at proxy level. Starting from v6.3, SonarQube automatically sets that flag when interacting via HTTPS. You should therefore remove any custom config you would have put in your reverse-proxy to flag SonarQube cookies as secure.

It can be that such a leftover config in the reverse-proxy would cause interference, leading to authentication failure(s) like the one you've observed.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)