I have just upgraded from Sonar 3.2.1 to Sonar 3.6. I was able to configure Sonar 3.2.1 to use https by placing a jetty.xml file in SONAR_HOME. The same approach does not seem to work for Sonar 3.6 and from looking at the source for org.sonar.application.JettyEmbedder I think the https port is hard-coded to 8443. FYI, The embedded jetty version is 7.6.11.
The relevant Sonar FAQ reads thus :
Can SonarQube run in HTTPS mode
No. But you can run SonarQube in a standard HTTPS infrastructure using reverse proxy (in this case the reverse proxy must be configured to set the value 'X_FORWARDED_PROTO: https' in each HTTP request header. Without this property, redirection initiated by the SonarQube server will fall back on HTTP).
If this is true then Sonar has taken a step backwards security-wise. Is there an alternative way to configure Sonar/Jetty to run on https ?
You can install Apache on the same machine and set reverse proxy.
Your http://your-sonar-host.com address needs to run on port 80. Apache will forward it to 9000 (sonar runs on port 9000)
After installing Apache, open the configuration and type the following:
<Location />
ProxyPass http://your-sonar-host.com:9000/
ProxyPassReverse http://your-sonar-host.com:9000/
RequestHeader set X_FORWARDED_PROTO 'https'
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
</Location>
There is nothing else you need to do.
Related
I'm searching for a solution to be able to run a Spring application behind an Apache SSL proxy. I tried a lot of configurations without success. All Spring responses go to http causing a Not Found error.
The following is apache configuration:
SetEnv proxy-initial-not-pooled 1
ProxyPreserveHost On
KeepAlive On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ServerName server.mydomain.dom
ProxyTimeout 600
ProxyPass /excluded !
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Port 443
ProxyPass / http://127.0.0.1:8081/
ProxyPassReverse / http://127.0.0.1:8081/
These are the Spring options:
server.port=8081
server.forward-headers-strategy=NATIVE
#server.tomcat.redirect-context-root=false
server.tomcat.remote_ip_header=x-forwarded-for
server.tomcat.protocol_header=x-forwarded-proto
server.tomcat.internal-proxies=.*
I'm using Spring Boot 2.5.6 on Apache Tomcat/9.0.54. The OS Apache is a 2.4.25 version running on a Debian 9.13.
The problem seems to happen after login into the application and logout. If I substitute http to https after the login action, I'm able to navigate into the application. All links works fine until I logout. When I logout the application goes again to http.
I solve the problem. The first step was to add
server.tomcat.use-relative-redirects=true
in the application.properties. With this directive, the proxy works fine.
In the end, I configure the apache/application to use AJP.
Short introduction
I have Apache Superset and Apache2 server located on the same EC2 instance. Apache2 is acting as a proxy server. It accepts HTTPS requests and transfers them to Apache Superset. Apache Superset is run using gunicorn.
Problem
Requests to Apache Dremio data engine could take some time (< 60 seconds). When accessing dashboards on Superset, using DNS name with SSL, with proxy setup some dashboards parts (requests) are failing with the following error:
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request
Reason: Error reading from remote server
Strangely, these errors can appear in a matter of seconds despite that default value for ProxyTimeout is quite high.
The problem doesn't occur if Superset is accessed by IP address.
Error message in apache2/error.log:
(20014) Internal error (specific information not available): [client 10.4.26.3:6969] AH01102: error reading status line from remote server localhost:8088, referer: ...
What was tried to solve a problem
Problem can be with proxy server timeout or with Superset web server dropping some connections. My Apache2 config:
<VirtualHost *:443>
ProxyPreserveHost On
ProxyRequests Off
ServerName dash.domain.com
ServerAlias dash.domain.com
SSLEngine on
SSLCertificateFile /etc/ssl/private/cert.crt
SSLCertificateChainFile /etc/ssl/certs/cert2.crt
SSLCertificateKeyFile /etc/ssl/private/key.key
ProxyPass / http://localhost:8088/ connectiontimeout=3600 timeout=3600
ProxyPassReverse / http://localhost:8088/
# things tried
# SetEnv force-proxy-request-1.0 1
# SetEnv proxy-nokeepalive 1
# SetEnv proxy-initial-not-pooled 1
# ProxyTimeout 3600
# TimeOut 3600
</VirtualHost>
Things tested (and not working):
Timeout and ProxyTimeout
connectiontimeout and timeout (as seen above)
Keepalive=On for ProxyPass
different SetEnv
superset_config.py -> ENABLE_PROXY_FIX, SUPERSET_WEBSERVER_TIMEOUT
In addition, similar proxy setup was build using nginx, error is similar to what is described here.
Any help or ideas would be appreciated. Thank you very much!
Useful information
Apache Superset version: 0.37.2
Apache Dremio version: 4.1.0
Apache2 server version: 2.4.29
EC2 instance type: t3.medium
OS version: Ubuntu 18.04
The problem was in dying gunicorn async workers. Too many requests were coming from the charts and workers were not able to handle them. Changing worker type from async to sync (default gunicorn type) solved the proxy problem.
I still don't know why direct access by IP was not producing the 502 proxy error.
Sorry for not including information about gunicorn in the question.
P.S Recommended type of workers for Apache Superset from their docs is async, but, for my case, sync were the better solution. In theory, sync workers are slower compare to async (in Superset context).
Following this detailed article: https://www.tessian.com/blog/how-to-fix-http-502-errors/
We have tried the suggested fix (based on AWS ALB default connection idle timeout = 60s setting ):
Gunicorn (Python)
As command line arguments:
--keep-alive 65
Works like a charm!
And to explain "why direct access by IP was not producing the 502 proxy error", check this Gunicorn settings doc:
https://docs.gunicorn.org/en/stable/settings.html#keepalive
Generally set in the 1-5 seconds range for servers with direct connection to the client (e.g. when you don’t have separate load balancer).
Since the default keepalive setting is 2 seconds, it works well on direct access by IP.
I have a Linux VM running with a Jenkins, Nexus and SonarQube server on it. The IP for the VM is 192.168.56.2 and I have no trouble accessing both Jenkins and Nexus on ports 8080 and 8081 respectively. However, when I try to access 192.168.56.2:9000 for SonarQube it just says 192.168.56.2 refused to connect.
When I run systemctl status sonar in the terminal it shows that SonarQube is active and running. I have opened the firewall to port 9000 and I have not changed any of the default settings. Does anyone have any idea what might be the issue?
SonarQube will only be listening on 'loopback' rather than on all inbound IP addresses. In your server's sonar.properties file, you'll need to set the Web information in order to access the server remotely, specifically the following values:
sonar.web.host: 192.168.56.2
sonar.web.port: 80 # if you want to use a port other than 9000
Also, in the web UI's Settings, under the "General" section, set the "Server base URL" value so that links and redirects issued by SonarQube target the correct location.
I have an apache/2.4.18 ubuntu server and I want to host my spring application on it. I generated a JAR file and can run it on the server. It starts an embedded tomcat server on port 8090.
However when i navigate to 'my-site-ip:8090' the connection times out.
I have zero experience deploying web applications so any help would be appreciated.
I've created a TCP rule for port 8090 and still no joy.
The solution was adding a proxy to the Myapp.conf file as below:
ProxyRequests off
ProxyPreserveHost On
ProxyPass / http://localhost:8090/
ProxyPassReverse / http://localhost:8090/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
It´s very hard to explain all the steps in one answer but you can follow these steps to get into the full configuration by your own. I did the same on my 1&1 cloud server.
First of all you need root access to your server.
Normally, on your server the port 80 and 443 should already be open. Else you can define that in the 1&1 Admin Portal. If your Server already has the apache configuration you should be able to see the apache site if you go to your server address. You can find details and the full setup if you dont have an apache installed for this step here:
How To Install the Apache Web Server on Ubuntu
The second step would be to configure a virtual host on your apache webserver.
This is cool because you can define multiple domains and there applications on your server. So http://yourServer.com(port 80 or 443 from extern) goes to yourApp1. (port 8090 from intern).
In this step you will tell apache if your enter your url to go to your app with port 8090
How To Set Up Apache Virtual Hosts on Ubuntu
The last step would be to install your spring-boot app as a service on your machine. The docs of Spring describes it very well.
Installation as an init.d Service
If you install the app as a service you are able to start and stop the app with the service command.
service myapp start
And dont forget to add the plugin for maven or gradle to your pom.xml. This is necessary to run the app as a service.
If you follow these Steps you should be able to reach you app without specify a port and be ready to go with your app in production if necessary.
The best approach for this would be to use the apache proxy. This should get it done.
https://blog.marcnuri.com/running-apache-tomcat-and-apache-httpd-on-port-80-simultaneously/
I have various version of apache server and IIS server , the ECDHE cipher is enabled , now I would like to disable it for some reason , would advise how to it ?
Thanks
For apache your should modify the following file:
/etc/apache2/sites-available/default-ssl.conf
For example we are not selecting two ECDHE suites (note ! before those) in TLS1.1:
SSLProtocol TLSv1.1
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:!ECDHE-RSA-AES128-SHA:!aNULL:!MD5
SSLHonorCipherOrder on
Then:
sudo /etc/init.d/apache2 reload