Setup Sentry on another SSL port than 443 with docker


#1

Hi everyone !

I’m actually struggling with Sentry configuration. I want to make it run with HTTPS, so I used nginx as a reverse proxy.

It works very well until I try to make it run on another port than the default 443.

Here are the important parts of my configuration files:

docker-compose.yml:

...
  nginx:
    image: nginx:alpine
   ...
    ports:
      - "49080:80"
      - "49443:443"
    depends_on:
      - web

.../site-enabled/sentry_project:

server {
  listen   80;
  server_name some.example.com;

  location / {
    if ($request_method = GET) {
      rewrite  ^ https://$host:49443$request_uri? permanent;
    }
    return 405;
  }
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name some.example.com;

  ssl_certificate ...
  ssl_certificate_key ...

  access_log /var/log/nginx/sentry_project.log;
  charset utf-8;

  location / {
    include proxy.conf;
    proxy_cache_bypass $http_upgrade;
    proxy_pass  http://web:9000;
  }
}

So, with this configuration, when I run my docker-compose, I see that my nginx redirection works well: my request is redirected to the web service, giving me this log:

web_1        | XXX.XX.X.10 - - [05/Apr/2018:17:01:00 +0000] "GET / HTTP/1.1" 302 487 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"

But then I’m redirected to https://some.example.com/auth/login, without the port 49443.

I’ve tried to set system.url-prefix: 'https://some.example.com:49443', but it didn’t resolve the issue.

Also, if I map my nginx service ports with "443:443" I have no trouble. So, I suppose my problem must be an environment variable to overwrite.

Thank you for reading me :slight_smile:


#2

I’m trying to set up a similar system and facing the same error. I set system.url-prefix to “h.ttps://xxxxxxxxx.com:8080”, but if I visit in the browser I’m redirected to “h.ttps://xxxxxxxxx.com/auth/login” instead of “h.ttps://xxxxxxxxx.com:8080/auth/login”. I checked that system.url-prefix is properly set by running “sentry config get system.url-prefix” inside the web container, which returns the correct “h.ttps://xxxxxxxxx.com:8080”. If I let nginx run on port 443 instead of 8080, Sentry works perfectly fine.

(I was required to add a . into URLs in order to post this)

Please find my entire setup here:

docker-compose.yml

# NOTE: This docker-compose.yml is meant to be just an example of how
# you could accomplish this on your own. It is not intended to work in
# all use-cases and must be adapted to fit your needs. This is merely
# a guideline.

# See docs.getsentry.com/on-premise/server/ for full
# instructions

version: '2'
services:
  base:
    restart: unless-stopped
    build: .
    environment:
      # Run `docker-compose run web config generate-secret-key`
      # to get the SENTRY_SECRET_KEY value.
      # SENTRY_SECRET_KEY: ''
      SENTRY_MEMCACHED_HOST: memcached
      SENTRY_REDIS_HOST: redis
      SENTRY_POSTGRES_HOST: postgres
      SENTRY_EMAIL_HOST: smtp
      SENTRY_SECRET_KEY: ****
    volumes:
      - ./data/sentry:/var/lib/sentry/files

  smtp:
    restart: unless-stopped
    image: tianon/exim4

  memcached:
    restart: unless-stopped
    image: memcached:1.4

  redis:
    restart: unless-stopped
    image: redis:3.2-alpine

  postgres:
    restart: unless-stopped
    image: postgres:9.5
    volumes:
      - ./data/postgres:/var/lib/postgresql/data

  web:
    restart: unless-stopped
    extends: base
    links:
      - redis
      - postgres
      - memcached
      - smtp

  cron:
    restart: unless-stopped
    extends: base
    command: run cron
    links:
      - redis
      - postgres
      - memcached
      - smtp

  worker:
    restart: unless-stopped
    extends: base
    command: run worker
    links:
      - redis
      - postgres
      - memcached
      - smtp

  nginx-proxy:
    restart: unless-stopped
    image: nginx
    ports:
      - "8080:443"
    links:
      - web
    volumes:
      - ./data/nginx/nginx.conf:/etc/nginx/conf.d/default.conf
      - ./data/nginx/cert.crt:/etc/nginx/cert.crt
      - ./data/nginx/cert.key:/etc/nginx/cert.key

config.yml

# While a lot of configuration in Sentry can be changed via the UI, for all
# new-style config (as of 8.0) you can also declare values here in this file
# to enforce defaults or to ensure they cannot be changed via the UI. For more
# information see the Sentry documentation.

###############
# Mail Server #
###############

# mail.backend: 'smtp'  # Use dummy if you want to disable email entirely
# mail.host: 'localhost'
# mail.port: 25
# mail.username: ''
# mail.password: ''
# mail.use-tls: false
# The email address to send on behalf of
# mail.from: 'root@localhost'

# If you'd like to configure email replies, enable this.
# mail.enable-replies: false

# When email-replies are enabled, this value is used in the Reply-To header
# mail.reply-hostname: ''

# If you're using mailgun for inbound mail, set your API key and configure a
# route to forward to /api/hooks/mailgun/inbound/
# mail.mailgun-api-key: ''

###################
# System Settings #
###################

# If this file ever becomes compromised, it's important to regenerate a new key.
# Changing this value will result in all current sessions being invalidated.
# A new key can be generated with `$ sentry config generate-secret-key`
# system.secret-key: 'changeme'

system.url-prefix: 'https://xxx.xxxxxx.xxx:8080'

# The ``redis.clusters`` setting is used, unsurprisingly, to configure Redis
# clusters. These clusters can be then referred to by name when configuring
# backends such as the cache, digests, or TSDB backend.
# redis.clusters:
#   default:
#     hosts:
#       0:
#         host: 127.0.0.1
#         port: 6379

################
# File storage #
################

# Uploaded media uses these `filestore` settings. The available
# backends are either `filesystem` or `s3`.

# filestore.backend: 'filesystem'
# filestore.options:
#   location: '/tmp/sentry-files'

# filestore.backend: 's3'
# filestore.options:
#   access_key: 'AKIXXXXXX'
#   secret_key: 'XXXXXXX'
#   bucket_name: 's3-bucket-name'

Would be great if one of the Sentry gurus could take a look into it :slight_smile:


#3

Can you also post your nginx config? My hunch is that nginx is rewriting the redirect here. You should be able to verify this by curling the Sentry web container directly and seeing what the Location header is when it tries to redirect.
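The check suggested in this reply, written out as a small added shell script (not from the thread): it pulls the Location header out of a response and compares its host:port with the public prefix you expect, so you can tell whether the port disappears at the upstream or somewhere in front of it. The sample headers are constructed; probe_upstream is a hypothetical helper that assumes the web container is reachable directly (e.g. http://localhost:9000) and lets you send the Host header with and without the port to see which one the upstream echoes back in its redirect.

```shell
#!/bin/sh
# Constructed sample response, shaped like an upstream redirect (not captured from the thread).
SAMPLE_HEADERS='HTTP/1.1 302 Found
Server: nginx
Location: https://some.example.com/auth/login
Content-Length: 0
'

# Print the value of the Location header from HTTP response headers read on stdin.
# CRLF line endings (as curl prints them) are stripped first.
location_of() {
  tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# Reduce a URL to its authority part, i.e. "host" or "host:port".
authority_of() {
  printf '%s\n' "$1" | sed -E 's#^[a-zA-Z]+://([^/]+).*#\1#'
}

# Exit status 0 when the redirect target carries the same host:port as the
# expected public prefix, 1 otherwise (a dropped port shows up here).
redirect_matches() {
  actual=$(authority_of "$1")
  expected=$(authority_of "$2")
  [ "$actual" = "$expected" ]
}

# Hypothetical live probe: ask the upstream directly, overriding the Host header.
# Usage: probe_upstream http://localhost:9000 some.example.com:49443
probe_upstream() {
  curl -sS -o /dev/null -D - -H "Host: $2" "$1/" | location_of
}

# Stand-alone run over the constructed sample.
loc=$(printf '%s' "$SAMPLE_HEADERS" | location_of)
if redirect_matches "$loc" "https://some.example.com:49443"; then
  echo "redirect keeps the public port: $loc"
else
  echo "redirect lost the public port: $loc"
fi
```

Run probe_upstream twice, once with `Host: some.example.com` and once with `Host: some.example.com:49443`; if only the second call yields a Location with the port, the upstream builds the redirect from the Host header it receives, and the proxy_set_header Host line in nginx is what decides whether the port survives.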


#4

Thanks a lot for your help Matt!

I mapped Sentry’s port 9000 to my local port 9000 and opened http://localhost:9000 in Chrome. These are the headers:

Here’s the nginx config:

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
server {
        # SSL configuration
        listen 443 ssl default_server;
        ssl_certificate /etc/nginx/cert.crt;
        ssl_certificate_key /etc/nginx/cert.key;
        ssl on;
        ssl_session_cache builtin:1000  shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;

        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        gzip off;

        server_name _;

        # Proxy for sentry (container web)
        location / {
          proxy_pass              http://web:9000;
          proxy_read_timeout      90;
          proxy_set_header        Host $host;
          proxy_set_header        X-Real-IP $remote_addr;
          proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header        X-Forwarded-Host $host:$server_port;
          proxy_set_header        X-Forwarded-Proto $scheme;
        }
}

#5

I also just tried to run nginx on port 8080 instead of 443, with the same result. As nginx does not “know” about port 443, I’m not sure if nginx causes the redirect to port 443.


#6

Hi,

Thanks all for your interest in the question.

@matt I didn’t understand how nginx could be the root of the problem. As I say in my post, when I use docker-compose, the request goes through nginx and is correctly redirected to the Sentry instance. And THEN that instance performs a redirect on the request.