Start Free
SonarQube Community Build | Server installation and setup | Operating the server

Operating the server

On this page

Running SonarQube Community Build as a service on Windows

Install or uninstall SonarQube as a service

> <sonarqubeHome>\bin\windows-x86-64\SonarService.bat install
> <sonarqubeHome>\bin\windows-x86-64\SonarService.bat uninstall

Start or stop the service

> <sonarqubeHome>\bin\windows-x86-64\SonarService.bat start
> <sonarqubeHome>\bin\windows-x86-64\SonarService.bat stop

Service status

Check if the SonarQube service is running:

> <sonarqubeHome>\bin\windows-x86-64\SonarService.bat status

Running SonarQube Community Build manually on Linux

Start or stop the instance

Start:
<sonarqubeHome>/bin/linux-x86-64/sonar.sh start

Graceful shutdown:
<sonarqubeHome>/bin/linux-x86-64/sonar.sh stop

Hard stop:
<sonarqubeHome>/bin/linux-x86-64/sonar.sh force-stop

Running SonarQube Community Build as a service on Linux with systemd

On a Unix system using systemd, you can install SonarQube as a service. You cannot run SonarQube as root in Unix systems. Ideally, you will have created a new account dedicated to the purpose of running SonarQube. Let's suppose:

  • The user used to start the service is sonarqube
  • The group used to start the service is sonarqube
  • The Java Virtual Machine is installed in /opt/java/
  • SonarQube has been unzipped into /opt/sonarqube/

Then create the file /etc/systemd/system/sonarqube.service based on the following:

[Unit]
Description=SonarQube service
After=syslog.target network.target

[Service]
Type=simple
User=sonarqube
Group=sonarqube
PermissionsStartOnly=true
ExecStart=/bin/nohup /opt/java/bin/java -Xms32m -Xmx32m -Djava.net.preferIPv4Stack=true -jar /opt/sonarqube/lib/sonar-application-9.9.1.69595.jar
StandardOutput=journal
LimitNOFILE=131072
LimitNPROC=8192
TimeoutStartSec=5
Restart=always
SuccessExitStatus=143

[Install]
WantedBy=multi-user.target

Once your sonarqube.service file is created and properly configured, run:

sudo systemctl enable sonarqube.service
sudo systemctl start sonarqube.service

Running SonarQube Server as a service on Linux with initd

The following has been tested on Ubuntu 20.04 and CentOS 6.2.

You cannot run SonarQube Community Build as root in *nix systems. Ideally, you will have created a new account dedicated to the purpose of running SonarQube Community Build. Let's suppose the user used to start the service is sonarqube. Then create the file /etc/init.d/sonar based on the following:

#!/bin/sh
#
# rc file for SonarQube
#
# chkconfig: 345 96 10
# description: SonarQube system (www.sonarsource.org)
#
### BEGIN INIT INFO
# Provides: sonar
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
# Short-Description: SonarQube system (www.sonarsource.org)
# Description: SonarQube system (www.sonarsource.org)
### END INIT INFO
 
su sonarqube -c "/usr/bin/sonar $*"

Register SonarQube Community Build at boot time (RedHat, CentOS, 64 bit):

sudo ln -s <sonarqubeHome>/bin/linux-x86-64/sonar.sh /usr/bin/sonar
sudo chmod 755 /etc/init.d/sonar
sudo chkconfig --add sonar

Register SonarQube Community Build at boot time (Ubuntu, 64 bit):

sudo ln -s <sonarqubeHome>/bin/linux-x86-64/sonar.sh /usr/bin/sonar
sudo chmod 755 /etc/init.d/sonar
sudo update-rc.d sonar defaults

Once registration is done, run:

sudo service sonar start

Securing SonarQube Server behind a proxy

This section helps you configure SonarQube Community Build if you want to run it behind a proxy. This can be done for security concerns or to consolidate multiple disparate applications. To run SonarQube Community Build over HTTPS, see the HTTPS Configuration section below.

Using an Apache Proxy

We assume that you've already installed Apache 2 with module mod_proxy, that SonarQube Community Build is running and available on http://private_sonar_host:sonar_port/, and that you want to configure a Virtual Host for www.public_sonar.com.

At this point, edit the HTTPd configuration file for the www.public_sonar.com virtual host. Include the following to expose SonarQube Community Build via mod_proxy at http://www.public_sonar.com/

ProxyRequests Off
ProxyPreserveHost On
<VirtualHost *:80>
  ServerName www.public_sonar.com
  ServerAdmin admin@somecompany.com
  ProxyPass / http://private_sonar_host:sonar_port/
  ProxyPassReverse / http://www.public_sonar.com/
  ErrorLog logs/somecompany/sonar/error.log
  CustomLog logs/somecompany/sonar/access.log common
</VirtualHost>

Apache configuration is going to vary based on your own application's requirements and the way you intend to expose SonarQube Community Build to the outside world. If you need more details about Apache HTTPd and mod_proxy, please see https://httpd.apache.org.

Using Nginx

We assume that you've already installed Nginx, that you are using a Virtual Host for www.somecompany.com and that SonarQube Community Build is running and available on http://sonarhost:sonarport/.

At this point, edit the Nginx configuration file. Include the following to expose SonarQube Community Build at http://www.somecompany.com/:

# the server directive is Nginx's virtual host directive
server {
  # port to listen on. Can also be set to an IP:PORT
  listen 80;
  # sets the domain[s] that this vhost server requests for
  server_name www.somecompany.com;
  location / {
    proxy_pass http://sonarhost:sonarport;
  }
}

Nginx configuration will vary based on your own application's requirements and the way you intend to expose SonarQube Community Build to the outside world. If you need more details about Nginx, please see https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/.

Note that you may need to increase the max URL length since SonarQube Community Build requests can have URLs longer than 2048.

Using IIS on Windows

Using IIS on Windows, you can create a website that acts as a reverse proxy and access your SonarQube Community Build instance over SSL.

Prerequisites

Creating an IIS website

  1. In the IIS Manager, select Your machine > Sites > Add Website...
  2. Under Site name, enter a name for your website.
  3. Under Content Directory > Physical path, select a physical path for your website’s folder. Based on the default IIS website, we recommend creating a %SystemDrive%\inetpub\wwwroot_sonarqube folder and using it as a physical path.
  4. In Binding, select Type > https.
  5. For Host name, enter the hostname you will use to access SonarQube.
  6. Under SSL certificate, select an SSL certificate.
  7. Click OK.

Using your IIS website as a reverse proxy

Once you’ve created your website using the IIS Manager, you can use the URL Rewrite extension to use that website as a reverse proxy.

  1. From the IIS Manager home page, select your website and open URL Rewrite.
  2. Click Add Rule(s) to create a new rule.
  3. Select Reverse Proxy from the list of templates.
  4. Enter the destination server URL. It can be localhost:9000 or a remote server.
  5. Click OK to create the rule.

The URL Rewrite page now displays a reverse proxy inbound rule.

Adding the HTTP_X_FORWARDED_PROTO server variable

Using the URL Rewrite module, you can create a server variable to handle the HTTP_X_FORWARDED_PROTO header and pass it to SonarQube. See the HTTPS Configuration section on this page for more information on that server variable.

From the URL Rewrite page:

  1. Click View Server Variables. This opens the Allowed Server Variables page.
  2. To add a server variable, click Add..., enter HTTP_X_FORWARDED_PROTO in the field and click OK. The server variable is now displayed on the Allowed Server Variables page.
  3. Click Back to Rules to go to the URL Rewrite rules list.
  4. Select the reverse proxy inbound rule for your website. Under Inbound Rules, click Edit.
  5. Expand the Server variables section of the rule definition.
  6. Add the HTTP_X_FORWARDED_PROTO server variable and give it the value https.
  7. Apply the changes.

SonarQube can now be accessed over SSL.

If SAML authentication is used

For SAML through IIS, you must perform the following additional steps:

  1. Make sure the host headers are preserved. This is set at the IIS server level, by executing the following command:
    %windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/proxy -preserveHostHeader:true /commit:apphost
    You should then see an output that says something like:
    Applied configuration changes to section "system.webServer/proxy" for "MACHINE/WEBROOT/APPHOST" at configuration commit path "MACHINE/WEBROOT/APPHOST"
  2. Disable the Reverse rewrite host in the response headers as follows:
    • At the server level in IIS, go to Application Request Routing > Server proxy settings.
    • Uncheck the box Reverse rewrite host in response headers.
    • Apply the change.
    • Restart IIS.

Checking that the connection is enabled

With your SonarQube instance and your IIS website running, open the IIS Manager and click the link under Your website > Browse Website > Browse, or enter the website’s URL in a browser. You should see the login or home page of your SonarQube instance.

Next steps

You can configure your SonarQube instance to only accept traffic from your reverse proxy, by adding the following line to the sonar.properties file:

sonar.web.host=127.0.0.1

Another option is to use the Windows Firewall to only accept traffic from localhost.

Resources

The setup described here is inspired by this Configure SSL for SonarQube on Windows blog post.

HTTPS configuration

# the server directive is Nginx's virtual host directive
server { 
 # port to listen on. Can also be set to an IP:PORT 
 listen 443 ssl;
 ssl_certificate ${path_to_your_certificate_file};
 ssl_certificate_key ${path_to_your_certificate_key_file};
 location / {
   proxy_pass ${address_of_your_sonarqube_instance_behind_proxy};
   proxy_set_header Host $host;
   proxy_set_header X-Forwarded-For $remote_addr;
   proxy_set_header X-Forwarded-Proto https;
 }
}

Forward SonarQube Community Build custom headers

SonarQube Community Build adds custom HTTP headers. The reverse proxy should be configured to forward the following headers:

  • SonarQube-Authentication-Token-Expiration
    This header is added to a web service response when using tokens to authenticate. Forwarding this header is not required for the SonarQube Community Build features to work properly.
  • Sonar-MD5
    This header is used to verify the integrity of the plugins downloaded by the scanner. You must forward this header to successfully execute analyses that use plugins.

Secure your network

To further lock down the communication in between the reverse proxy and SonarQube Community Build, you can define the following network rules:

Protocol


SourceDestinationPortdefault
TCPReverse ProxySonarQube Community Buildsonar.web.port9000
TCPSonarQube Community BuildSonarQube Community Buildsonar.search.port9001
TCPSonarQube Community BuildSonarQube Community Buildsonar.es.portrandom

You can further segment your network configuration if you specify a frontend network and keep Elasticsearch restricted to the loopback NiC.

NetworkParameterDescriptiondefault
Frontendsonar.web.hostFrontend HTTP Network0.0.0.0
Elasticsearchsonar.search.hostElasticsearch Network127.0.0.1

Was this page helpful?

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License