When you're using the SonarSource Docker images, the truststore/keystore should be provided as volumes.
On Kubernetes, you need to create a new Secret from the truststore/keystore and provide the name to the Helm chart.
+## Secure your Network
+
+To further lock down the communication in between the nodes in your SonarQube Cluster, you can define the following network rules:
+
+Protocol | Source | Destination | Port | default
+---|---|---|---|---
+TCP | Reverse Proxy | App Node | `sonar.web.port` | 9000
+TCP | App Node | Search Node | `sonar.cluster.node.search` | 9001
+TCP | Search Node | Search Node | `sonar.cluster.node.es.port` | 9002
+TCP | App Node | App Node | `sonar.cluster.node.port` | 9003
+
+you can further segrement your network configuration if you specify a frontend, a backend and a search network.
+
+Network | Parameter | Description
+---|---|---
+Frontend | `sonar.web.host` | Frontend HTTP Network
+Backend | `sonar.cluster.node.host` | Backend App to App Network
+Backend | `sonar.cluster.search.hosts` | Backend App to Search Network
+Search | `sonar.cluster.node.search.host` | Backend Search to Search Network
+
## Limitations
* Cluster downtime is required for SonarQube upgrades or plugin installations.
* All application nodes must be stopped when installing, uninstalling, or upgrading a plugin.
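Review bot: In the first table, the App Node to Search Node row names the port parameter as `sonar.cluster.node.search`, which has no `.port` suffix, unlike the other three rows (`sonar.web.port`, `sonar.cluster.node.es.port`, `sonar.cluster.node.port`), and it also differs from `sonar.cluster.node.search.host` in the second table. Please confirm the property name so that readers writing firewall rules from this table look up the right setting. Also in this hunk: "segrement" should be "segment", the sentence after the first table should start with a capital "You", and the `default` column header should be capitalized to match the other headers. The second table would be easier to apply if it said which node type (application or search) each parameter is set on, since the Backend label covers two different parameters.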
}
}
```
+
+## Secure your Network
+
+To further lock down the communication in between the reverse proxy and SonarQube, you can define the following network rules:
+
+Protocol | Source | Destination | Port | default
+---|---|---|---|---
+TCP | Reverse Proxy | SonarQube | `sonar.web.port` | 9000
+TCP | SonarQube | SonarQube | `sonar.search.port` | 9001
+TCP | SonarQube | SonarQube | `sonar.es.port` | random
+
+you can further segrement your network configuration if you specify a frontend network and keep Elasticsearch restricted to the loopback NiC.
+
+Network | Parameter | Description | default
+---|---|---|---
+Frontend | `sonar.web.host` | Frontend HTTP Network | 0.0.0.0
+Elasticsearch | `sonar.search.host` | Elasticsearch Network | 127.0.0.1
\ No newline at end of file
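Review bot: The intro sentence says the rules cover traffic "in between the reverse proxy and SonarQube", but two of the three rows (`sonar.search.port` and `sonar.es.port`) are SonarQube to SonarQube, and the `sonar.es.port` row lists its default as "random", which cannot be turned into a port rule as written. Suggest stating that these two ports are internal and, per the second table's 127.0.0.1 default for `sonar.search.host`, stay on loopback, and that `sonar.es.port` should be set explicitly if a fixed rule is wanted. Smaller points in the same hunk: "segrement" should be "segment", "NiC" should be "NIC", the sentence should start with a capital "You", the `default` header is lowercase while the others are capitalized, and the file now ends without a trailing newline.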