Events get forbidden status on Kubernetes

I’ve set up Sentry 20.12.1 on Kubernetes using this Helm chart: https://github.com/sentry-kubernetes/charts
Submitting events get:
[WARNING] django.security.csrf: Forbidden (Referer checking failed - no Referer.): /api/2/store/ (status_code=403 request=<WSGIRequest: POST '/api/2/store/'>)
I’m using my own ingress, Istio. What is the actual problem causing this forbidden status?

You need to be using Relay and Nginx in front of it do direct these requests to Relay.

I managed to solve it using Istio. In case anyone using Istio and running into this problem, I used this VirtualService:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: sentry-web
  namespace: sentry
spec:
  hosts:
  - "mydomain"
  gateways:
  - 'my-gateway'
  http:
  - match:
    - uri:
        exact: /api/store/
    route:
    - destination:
        port:
          number: 3000
        host: sentry-relay
  - match:
    - uri:
        regex: .*/api/.*
    route:
    - destination:
        port:
          number: 3000
        host: sentry-relay
  - route:
    - destination:
        port:
          number: 9000
        host: sentry-web

This is a lazy translation of this: Event submission rejected by CSRF

This is incorrect, see https://github.com/getsentry/onpremise/blob/9a80a19fd1ffbddfe795f51fc620ce012fca15db/nginx/nginx.conf#L68

You need to direct api/0 to sentry-web as usual.

This should also be prefix not exact: https://github.com/getsentry/onpremise/blob/9a80a19fd1ffbddfe795f51fc620ce012fca15db/nginx/nginx.conf#L65

Hello! Changed to this:

http:
  - match:
    - uri:
        prefix: /api/store/
    route:
    - destination:
        port:
          number: 3000
        host: sentry-relay
  - match:
    - uri:
        regex: ^/api/[1-9]\d*/store/
    route:
    - destination:
        port:
          number: 3000
        host: sentry-relay

Am I missing any case?

I think this is fine now :slight_smile:

Thank you very much for your advice. :grin:

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.