How to set up SSL/HTTPS for Sentry


#1

I need some guidance on setting up SSL for Sentry (access the dashboard via https).

Are there any Sentry configuration options for achieving this without using nginx? It seems most people are using nginx, but the Sentry documentation doesn’t say that nginx (or something similar) is required for SSL. I already tried SENTRY_USE_SSL=1 and individually setting the variables below; however, if I set the root_url to start with https, it doesn’t work (I can’t access the dashboard using my domain name). I also have an AWS load balancer in my deployment, but I haven’t been able to do https to the load balancer and http to sentry ssl. Any general guidance would be much appreciated!

The code below is also confusing to me: wouldn’t SENTRY_USE_SSL=1 imply the variable is set to true? Then why does the if statement in the Python file check if it is false?

# If you're using a reverse SSL proxy, you should enable the X-Forwarded-Proto
# header and set `SENTRY_USE_SSL=1`
if env('SENTRY_USE_SSL', False):
    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
    SESSION_COOKIE_SECURE = True
    CSRF_COOKIE_SECURE = True
    SOCIAL_AUTH_REDIRECT_IS_HTTPS = True

Thanks in advance!


#2

I’m not an expert, but as far as I understand, Sentry uses the Django web framework, which on its own cannot do SSL. So you need a server such as Nginx in front of it. The way it then works is that requests come to Nginx, which passes them on to Django.

The env('SENTRY_USE_SSL', False) statement means "read the SENTRY_USE_SSL environment variable. If it is not set, return False". So it’s not checking if it is False; rather, False is the default value. If you have SENTRY_USE_SSL=1, then the value will be 1 and the body of the if will be executed.


#3

I run Sentry OSS on-prem so I have some experience 🙂 Huge thanks to the Sentry team for letting us do it!

When you start the Sentry web server process (sentry run web), it starts Gunicorn.
It’s a general-purpose web server for Python apps.
It seems to support SSL!
You can set its options in SENTRY_WEB_OPTIONS in sentry.conf.py.
It parses requests and calls Django framework code with the parsed data.
Sentry is an app inside Django.
It handles the requests.

Gunicorn developers recommend using a reverse proxy web server in front of it.
They mention slow clients but don’t go into details about it.
Luckily, there is a similar web server for Ruby called Unicorn.
And there is a very good explanation of why you need a reverse proxy in front of it.
It can be applied to Gunicorn as well.

So, the main reason you’d want NginX in front of Sentry is slow clients, not SSL.
NginX can do both though.

The company I work for runs a custom build of NginX called WebKaos in front of every web app we deploy. It’s good. You can use it too!
The company I work for uses bare metal servers though, so I can’t help you figure out AWS setup 😦


#4

fwiw sentry run web does not use gunicorn, it uses uWSGI which can handle slow clients and whatnot all just fine.

Though I’d still just recommend absolutely using nginx or haproxy to terminate TLS since you most likely need a load balancer in front of multiple processes anyways.


#5

Also, you could use AWS’s load balancer, I don’t see why you couldn’t. But according to your configuration in SECURE_PROXY_SSL_HEADER, we’d be looking for the X-Forwarded-Proto header to be set to the value of https when the load balancer proxies the request. If it’s another header being set, you can just change this to match what is expected.
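
An added example, not part of the thread or Sentry's own code: a stdlib-only model of the settings block quoted in #1 and of how Django uses SECURE_PROXY_SSL_HEADER to decide whether a proxied request counts as HTTPS. The `env` helper here is a simplified stand-in, and the request dictionaries are constructed samples.

```python
import os

def env(key, default=None, environ=os.environ):
    # Simplified stand-in (assumption): return the variable if set, else the
    # default. The real helper may also coerce types.
    return environ.get(key, default)

def build_settings(environ):
    # Mirrors the `if env('SENTRY_USE_SSL', False):` block quoted in post #1.
    settings = {
        "SECURE_PROXY_SSL_HEADER": None,
        "SESSION_COOKIE_SECURE": False,
        "CSRF_COOKIE_SECURE": False,
    }
    if env("SENTRY_USE_SSL", False, environ):
        settings["SECURE_PROXY_SSL_HEADER"] = ("HTTP_X_FORWARDED_PROTO", "https")
        settings["SESSION_COOKIE_SECURE"] = True
        settings["CSRF_COOKIE_SECURE"] = True
    return settings

def is_secure(wsgi_environ, settings):
    # Model of Django's scheme detection: if the trusted header is configured
    # and present, its first value decides; otherwise fall back to the scheme
    # of the socket the app server actually received the request on.
    header = settings["SECURE_PROXY_SSL_HEADER"]
    if header:
        name, secure_value = header
        value = wsgi_environ.get(name)
        if value is not None:
            return value.split(",", 1)[0].strip() == secure_value
    return wsgi_environ.get("wsgi.url_scheme") == "https"

# Constructed samples: the load balancer terminates TLS and forwards plain
# HTTP, so wsgi.url_scheme is always "http" on the Sentry side.
VIA_LB_HTTPS = {"wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": "https"}
VIA_LB_HTTP = {"wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": "http"}
NO_HEADER = {"wsgi.url_scheme": "http"}

if __name__ == "__main__":
    ssl_on = build_settings({"SENTRY_USE_SSL": "1"})
    ssl_off = build_settings({})
    for label, req in [("lb https", VIA_LB_HTTPS), ("lb http", VIA_LB_HTTP),
                       ("no header", NO_HEADER)]:
        print(label, "| USE_SSL=1:", is_secure(req, ssl_on),
              "| unset:", is_secure(req, ssl_off))
```

Because the header alone decides the outcome once SENTRY_USE_SSL is set, the proxy or load balancer has to be the only route to the web process and has to set X-Forwarded-Proto itself rather than pass through a client-supplied value.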


#6

Wow. I don’t know why I thought that it was running Gunicorn. It absolutely does run uWSGI. Cool.