author | Tobias Trabelsi <64127335+tobias-trabelsi-sonarsource@users.noreply.github.com> | 2021-11-18 12:24:45 +0100 |
---|---|---|
committer | sonartech <sonartech@sonarsource.com> | 2021-11-18 20:03:33 +0000 |
commit | 8297ae1c8e625f812c28871d08423d73c03baa6f (patch) | |
tree | 3e484de640048cdf5ad2f20dad273012dd3d1df0 /server | |
parent | 3e835d99cd4e16a1308399ef2aab28b58d7cc63a (diff) | |
[DOCS] SONAR-15626 added documentation about the network topology and recommendations
Diffstat (limited to 'server')
-rw-r--r-- | server/sonar-docs/src/pages/setup/operate-cluster.md | 20 | ||||
-rw-r--r-- | server/sonar-docs/src/pages/setup/operate-server.md | 17 |
2 files changed, 37 insertions, 0 deletions
diff --git a/server/sonar-docs/src/pages/setup/operate-cluster.md b/server/sonar-docs/src/pages/setup/operate-cluster.md index 398541291a6..da0b401f4b0 100644 --- a/server/sonar-docs/src/pages/setup/operate-cluster.md +++ b/server/sonar-docs/src/pages/setup/operate-cluster.md @@ -177,6 +177,26 @@ Property | Description | Default | Required When you're using the SonarSource Docker images, the truststore/keystore should be provided as volumes. On Kubernetes, you need to create a new Secret from the truststore/keystore and provide the name to the Helm chart. +## Secure your Network + +To further lock down the communication in between the nodes in your SonarQube Cluster, you can define the following network rules: + +Protocol | Source | Destination | Port | default +---|---|---|---|--- +TCP | Reverse Proxy | App Node | `sonar.web.port` | 9000 +TCP | App Node | Search Node | `sonar.cluster.node.search` | 9001 +TCP | Search Node | Search Node | `sonar.cluster.node.es.port` | 9002 +TCP | App Node | App Node | `sonar.cluster.node.port` | 9003 + +you can further segrement your network configuration if you specify a frontend, a backend and a search network. + +Network | Parameter | Description +---|---|--- +Frontend | `sonar.web.host` | Frontend HTTP Network +Backend | `sonar.cluster.node.host` | Backend App to App Network +Backend | `sonar.cluster.search.hosts` | Backend App to Search Network +Search | `sonar.cluster.node.search.host` | Backend Search to Search Network + ## Limitations * Cluster downtime is required for SonarQube upgrades or plugin installations. * All application nodes must be stopped when installing, uninstalling, or upgrading a plugin. diff --git a/server/sonar-docs/src/pages/setup/operate-server.md b/server/sonar-docs/src/pages/setup/operate-server.md index 5c4e49f8f1a..52d3574b25d 100644 --- a/server/sonar-docs/src/pages/setup/operate-server.md +++ b/server/sonar-docs/src/pages/setup/operate-server.md 
@@ -198,3 +198,20 @@ server { } } ``` + +## Secure your Network + +To further lock down the communication in between the reverse proxy and SonarQube, you can define the following network rules: + +Protocol | Source | Destination | Port | default +---|---|---|---|--- +TCP | Reverse Proxy | SonarQube | `sonar.web.port` | 9000 +TCP | SonarQube | SonarQube | `sonar.search.port` | 9001 +TCP | SonarQube | SonarQube | `sonar.es.port` | random + +you can further segrement your network configuration if you specify a frontend network and keep Elasticsearch restricted to the loopback NiC. + +Network | Parameter | Description | default +---|---|---|--- +Frontend | `sonar.web.host` | Frontend HTTP Network | 0.0.0.0 +Elasticsearch | `sonar.search.host` | Elasticsearch Network | 127.0.0.1
\ No newline at end of file |
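Review bot: In the first table of the operate-cluster.md hunk, the App Node to Search Node row gives the port property as `sonar.cluster.node.search`, while the other three rows all name a property ending in `.port`; the name looks truncated and should be checked against the property table earlier on the same page. The two tables also disagree on the search tier: the Search Node to Search Node rule uses `sonar.cluster.node.es.port`, but the Search network row names `sonar.cluster.node.search.host` as the "Search to Search" network, so confirm which host property actually binds the port 9002 traffic. Smaller points: "segrement" should be "segment", the sentence beginning "you can further" needs a capital letter, and the `default` column header should be capitalised like the other headers.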
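Review bot: The `sonar.es.port` row in the operate-server.md table lists its default as `random`, which gives the reader nothing to write a network rule against; the text should say that the port has to be set explicitly before it can be filtered on. Both SonarQube to SonarQube rows describe traffic that stays on one host, and the second table already shows `sonar.search.host` defaulting to 127.0.0.1, so it would be clearer to state that these two ports should not be reachable from other hosts rather than listing them next to the reverse proxy rule. Smaller points: "segrement" should be "segment", "NiC" should be "NIC", the sentence beginning "you can further" needs a capital letter, the `default` header should be capitalised, and the file now ends without a trailing newline.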