Enabling HTTPS for Sentry Self-Hosted

Have a nice day

I’m trying to enable HTTPS for my brand-new Sentry (Sentry 21.4.0.dev0b72bda8).
What I’ve already done:
nginx/nginx.conf:
changed to proxy_set_header X-Forwarded-Proto https; (instead of $scheme)
sentry/sentry.conf.py:
uncommented the SSL/TLS section
.env:
SENTRY_USE_SSL=1

But it is still redirecting me to HTTP with an alert that the connection is insecure.
What did I forget? Help me, please.

Thank you,
Best regards

This is not enough. You’ll also need to set your system.url-prefix for the HTTPS URL. You may wanna check https://develop.sentry.dev/self-hosted/#productionalizing

Thank you, I added system.url-prefix with https://, but it is still unavailable over HTTPS at the URL from the prefix.
And another question: I have different URLs for the private network and for the Internet, should I add two different url-prefixes?
Thank you for the Productionalizing link, but at this moment I don’t need load balancing; utilization is low enough to use Sentry by itself. But SSL, even with clear Sentry (without an additional LB), did not work for me :frowning:

A small clarification: Sentry is now registered in DNS at two different addresses:
sentry.local.address, which I access on port 9000 and to which all internal clients should send reports
and
sentry.global.address.com (this is not a real address, just for understanding), to which external clients will send reports.

And after that I’m using https://sentry.global.address.com in system.url-prefix, so how can internal clients reach my internal HTTPS address with only the global address in the config?

And one additional thing: after changing all the settings I’m getting the error “CSRF Failed: Referer checking failed - Referer is insecure while host is secure.” when trying to create a new project on http://sentry.local.address:9000

This was the point though. The setup we offer at the onpremise repo is not designed to do SSL termination or deal with that so our recommendation is to add another layer on top of it, be it a big LB or just a simple Nginx instance to handle TLS termination.

You cannot have two different url-prefixes and Sentry expects to be available under a single, canonical URL. It does not have the notion of internal/external network separation.

This is more of a corporate networking issue and unfortunately I cannot offer any help or suggestions. The only thing I can tell you is that Sentry expects to be available under a single, unique URL as mentioned above so your setup will have to have some workarounds for this fact.

This again indicates a problem in your networking/DNS setup which we cannot really help with from here.

But I thought that Sentry already has nginx? Or is it used for some internal tasks and I cannot use it for SSL termination, so I should use an additional instance of nginx?

And my old instance of Sentry (9.1.1) is available over HTTPS; was something changed with SSL termination?
upd: I think it had one domain name for the external and internal networks, so maybe if I do it the same way it should work

Yup, we use it for some internal routing and we do not recommend using it for SSL termination.

Not really. Need to know what your setup looks like to say anything on this.

OK, I get it, thank you.
But if I want to terminate SSL with the internal nginx, what should I change except additional strings like server {listen 443 ssl} inside the nginx config?

You should not do this, this is what we’ve been trying to convey. Treat the internal nginx as internal and do not change its configuration unless you are exactly sure what you are doing.

Well, anyway, I will use the internal nginx to terminate my HTTP session, but the default configuration terminates HTTP, and my configuration will terminate HTTPS.
I understand what you are conveying about this way of using the internal nginx, but I don’t see any particular need to create an additional hop like external nginx → internal nginx, if I can’t skip the internal one and will use it anyway.
About my question: I have added my SSL keys to the nginx container, fixed nginx.conf, and fixed the Sentry port inside docker-compose and conf.yml. HTTPS works normally, thank you.
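
Added example (not part of the thread, and not Sentry's or Django's own code): a simplified Python model of the Referer check behind the “CSRF Failed: Referer checking failed - Referer is insecure while host is secure.” error quoted in the thread, showing why hard-coding X-Forwarded-Proto to https breaks pages opened over the plain http:// address. The function names, trusted host set and request paths are constructed for illustration; the hostnames are the placeholders used in the thread.

```python
from urllib.parse import urlsplit

# Rejection reasons as worded by Django's CSRF middleware; the first is the one quoted in the thread.
INSECURE_REFERER = "Referer checking failed - Referer is insecure while host is secure."
NO_REFERER = "Referer checking failed - no Referer."
BAD_REFERER = "Referer checking failed - %s does not match any trusted origins."


def request_is_secure(headers):
    """Treat the request as HTTPS when the proxy says so (the SECURE_PROXY_SSL_HEADER idea)."""
    return headers.get("X-Forwarded-Proto") == "https"


def csrf_referer_check(headers, trusted_hosts):
    """Return None if the Referer check passes, else the rejection reason."""
    if not request_is_secure(headers):
        return None  # strict Referer checking only applies to requests seen as HTTPS
    referer = headers.get("Referer")
    if not referer:
        return NO_REFERER
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return INSECURE_REFERER
    if parts.netloc not in trusted_hosts:
        return BAD_REFERER % referer
    return None


# Constructed sample requests (hypothetical paths, placeholder hostnames).
TRUSTED = {"sentry.global.address.com"}
SAMPLES = {
    "http page, proxy hard-codes https": {
        "X-Forwarded-Proto": "https",
        "Referer": "http://sentry.local.address:9000/projects/new/",
    },
    "http page, proxy forwards $scheme": {
        "X-Forwarded-Proto": "http",
        "Referer": "http://sentry.local.address:9000/projects/new/",
    },
    "https page on canonical URL": {
        "X-Forwarded-Proto": "https",
        "Referer": "https://sentry.global.address.com/projects/new/",
    },
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(f"{name}: {csrf_referer_check(headers, TRUSTED) or 'passes'}")
```

Only the first sample is rejected: the proxy asserts HTTPS while the browser's Referer is still http://, which is the mismatch that a single canonical HTTPS URL avoids.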