Sentry on-premise SSL with Amazon CloudFront

Hello, I have set up my Sentry on-premise using docker-compose. Without SSL it is running smoothly. But then I set up Amazon CloudFront as a reverse proxy to enable SSL for my Sentry setup. Using HTTPS, the login page shows OK, but when I tried to log in it shows me "CSRF Verification Failed".

So far I have made the following changes in my Sentry setup:

  1. In config.yml I have added the following line
    system.url-prefix: 'https://sentry.company-domain.com'

  2. In sentry.conf.py I have made the following changes in the SSL/TLS section
    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
    SESSION_COOKIE_SECURE = True
    CSRF_COOKIE_SECURE = True
    SOCIAL_AUTH_REDIRECT_IS_HTTPS = True

  3. In nginx.conf I have added the following lines in server

    server {
        listen 80;

        location /api/store/ {
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_pass http://relay;
        }
        location ~ ^/api/[1-9]\d*/ {
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_pass http://relay;
        }
        location / {
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_pass http://sentry;
        }
    }

Can someone help me to get it right?

Why this change?

Later I was trying to use the non-SSL version, so I set it to False. But while I was trying the Amazon CloudFront reverse proxy it was True. I have updated the topic.

Ah, okay then.

Your issue seems a lot like this one: CSRF failures after Nginx introduction · Issue #447 · getsentry/onpremise · GitHub

And the solution to that was setting proxy_redirect off and using $host instead of $http_host (honestly, I don’t know the differences there, so you can try these individually).
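
The two changes suggested in the reply above, applied to the server block from the question, as an added example that is not part of the original thread or of the Sentry project's own configuration. The upstream names `relay` and `sentry` and all other directives are taken unchanged from the question.

```nginx
server {
    listen 80;

    # Change 1: do not rewrite Location/Refresh headers coming back
    # from the upstreams (set once here, inherited by every location).
    proxy_redirect off;

    location /api/store/ {
        # Change 2: $host instead of $http_host.
        # $http_host is the raw Host request header; $host is the
        # normalized host name (lowercase, no port) and falls back to
        # the server name when the request carries no Host header.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://relay;
    }
    location ~ ^/api/[1-9]\d*/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://relay;
    }
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://sentry;
    }
}
```

As the reply notes, the two changes can be tried one at a time; check the edited file with `nginx -t` before reloading.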