Sentry behind reverse proxy

Is it possible to put sentry behind a reverse proxy and serve it from https://www.mydomain.com/sentry? I cannot get sentry to work from /sentry. Has anyone done this? I have seen a GitHub gist on it. It looks old and is not working for me.

I am trying to set up sentry behind an nginx reverse proxy, like so: https://stats.ourdomain.de/sentry

    upstream relay {
        server relay:3000;
    }

    upstream sentry {
        server web:9000;
    }

    server {
        listen 80;
        server_name stats.ontheweb.de;
        return 301 https://stats.ontheweb.de$request_uri;
    }

    server {
        listen 443 ssl;
        ssl_certificate /etc/nginx/stats.ontheweb.de.pem;
        ssl_certificate_key /etc/nginx/stats.ontheweb.de.key;

        location /api/store/ {
            proxy_pass http://relay;
        }
        location ~ ^/api/[1-9]\d*/ {
            proxy_pass http://relay;
        }
        location /sentry {
            proxy_pass http://sentry;
            proxy_redirect    off;

            proxy_set_header    Host    $host;
            proxy_set_header    X-Real-IP    $remote_addr;
            proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header    X-Forwarded-Proto    $scheme;
        }
    }

Then modified the config.yml file with

    system.url-prefix: 'http://stats.ontheweb.de/sentry'
    system.internal-url-prefix: 'http://web:9000'

Enabled the section in sentry.conf.py

    # If you're using a reverse SSL proxy, you should enable the X-Forwarded-Proto
    # header and enable the settings below

    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
    SESSION_COOKIE_SECURE = True
    CSRF_COOKIE_SECURE = True
    SOCIAL_AUTH_REDIRECT_IS_HTTPS = True

    # End of SSL/TLS settings

With the above changes, if I access https://stats.ontheweb.de/sentry from the Firefox browser, I get the following page that says

Please wait while we load an obnoxious amount of JavaScript.

You may need to disable adblocking extensions to load Sentry.

If I access it from Microsoft Edge for Linux, then it changes the browser URL to https://sentry.ejar.sa/auth/login/sentry/ and gives me a 403.

Can someone please tell me what else I should change to get it to work?

I noticed a tweet sort of about this today, that links to a gist. Relevant?

Do you have an adblocker? Can you disable it and try again? I think the one I’ve seen mentioned matches on sentry so try a different name in the URL path?

No, I do not have an ad-blocker. That is what puzzles me. I have a nordvpn addon on the browser.

Does it work with nordvpn disabled? Success with MS Edge suggests it will …

I will try with the nordvpn addon removed.
I do not have success with MS Edge, but I see the redirects happen and ultimately a 403 is returned.

I removed the nordvpn addon.

    nginx                                       | 195.117.120.198 - - [15/Jul/2021:21:55:17 +0000] "GET /sentri HTTP/1.1" 301 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0"
    nginx                                       | 195.117.120.198 - - [15/Jul/2021:21:55:17 +0000] "GET /sentri/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0"
    nginx                                       | 195.117.120.198 - - [15/Jul/2021:21:55:17 +0000] "GET /auth/login/sentri/ HTTP/1.1" 403 146 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0"
    nginx                                       | 2021/07/15 21:55:17 [error] 26#26: *11 "/etc/nginx/html/auth/login/sentri/index.html" is forbidden (13: Permission denied), client: 195.117.120.198, server: , request: "GET /auth/login/sentri/ HTTP/1.1", host: "stats.ontheweb.de"
    nginx                                       | 2021/07/15 21:55:18 [error] 26#26: *11 open() "/etc/nginx/html/favicon.ico" failed (13: Permission denied), client: 195.117.120.198, server: , request: "GET /favicon.ico HTTP/1.1", host: "stats.ontheweb.de", referrer: "https://stats.ontheweb.de/auth/login/sentri/"
    nginx                                       | 195.117.120.198 - - [15/Jul/2021:21:55:18 +0000] "GET /favicon.ico HTTP/1.1" 403 146 "https://stats.ontheweb.de/auth/login/sentri/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0"

I am not sure why nginx is looking for files in /etc/nginx/html/; usually that was /usr/share/nginx/html. The files are obviously not in /etc/nginx/html.

If I put location / {...} instead of location /sentri {....} in nginx, most of the stuff works except one request to POST /sentri/api/1/envelope/?sentry_key=e6700cdcdbba412b957fe11b556c9e1f&sentry_version=7. It is because of the system.url-prefix: 'https://stats.ontheweb.de/sentri'. /sentri is being prepended to the /api/1/envelope/ request URI. In short, I can get it to work with www.mydomain.com behind a reverse proxy but not with www.mydomain.com/sentry. The latter is the one I wanted.
I am using sentry onpremise version 21.2.0.
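
How the request paths in the log above map onto the posted `location` blocks, as an added example that is not part of the original thread: a simplified model of nginx location selection (longest prefix, overridden by the first matching regex) run over the logged paths. It assumes the `/sentry` location was renamed to `/sentri` as the log suggests and takes the static root from the error log; the function names are hypothetical.

```python
import re

# Locations from the posted server block, with /sentry renamed to /sentri as in
# the later log excerpt (assumption). Each entry: (kind, pattern, upstream).
LOCATIONS = [
    ("prefix", "/api/store/", "relay"),
    ("regex", r"^/api/[1-9]\d*/", "relay"),
    ("prefix", "/sentri", "sentry"),
]


def select_location(path, locations=LOCATIONS):
    """Simplified nginx location selection: remember the longest matching
    prefix, then let the first matching regex (in file order) override it.
    Exact (=) and ^~ modifiers are not modelled; the posted config has none."""
    best = None
    for kind, pattern, upstream in locations:
        if kind == "prefix" and path.startswith(pattern):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, upstream)
    for kind, pattern, upstream in locations:
        if kind == "regex" and re.search(pattern, path):
            return (pattern, upstream)
    return best  # None: no location matched, nginx serves from the server root


def route(path, root="/etc/nginx/html"):
    """Describe where a request path (query string stripped) ends up."""
    match = select_location(path.split("?", 1)[0])
    if match is None:
        return f"static file under {root}"
    return f"proxy_pass to {match[1]} via location {match[0]}"


# Constructed sample: paths from the log lines and the failing POST in the
# thread, with the sentry_key replaced by a placeholder.
SAMPLE_PATHS = [
    "/sentri/",
    "/auth/login/sentri/",
    "/favicon.ico",
    "/sentri/api/1/envelope/?sentry_key=PLACEHOLDER&sentry_version=7",
    "/api/1/envelope/",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:65} -> {route(p)}")
```

The redirect target `/auth/login/sentri/` matches no location, so nginx treats it as a static file request, which is the 403 in the error log. The prefixed envelope path no longer matches the `^/api/` regex and goes to the web upstream instead of relay, both with `location /sentri` and with `location /`.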

Same problem, can someone please help us? This information is missing in the documentation.