romano
February 3, 2021, 9:51am
1
Hello dear sentry team,
With the current build I was unable to limit the open port 9000 to localhost for the onpremise self hosted Sentry.
I'm using an nginx outside of Docker in order to expose the app to the outside world.
Version: 21.1.0
I tried the following:
sudo lsof -i -P -n | grep LISTEN
shows:
docker-pr 959431 root 4u IPv4 6250422 0t0 TCP *:9000 (LISTEN)
This port should be limited to 127.0.0.1
My outside nginx:
location / {
    proxy_pass http://localhost:9000;
    add_header Strict-Transport-Security "max-age=31536000";
}
Which works fine.
I manipulated the following files which had no effect at all:
docker-compose.yml
nginx:
  << : *restart_policy
  ports:
    - '127.0.0.1:$SENTRY_BIND:80/tcp'
.env
SENTRY_BIND=127.0.0.1:9000
sentry/sentry.conf.py
##############
# Web Server #
##############
SENTRY_WEB_HOST = "127.0.0.1"
SENTRY_WEB_PORT = 9000
I tried all of these approaches separately. Especially the sentry/sentry.conf.py looked like exactly what I was looking for, but the result was always:
sudo lsof -i -P -n | grep LISTEN
shows:
docker-pr 959431 root 4u IPv4 6250422 0t0 TCP *:9000 (LISTEN)
I couldn't find any documentation, just some mentions on the internet where people had similar issues, like:
github.com/getsentry/onpremise
Here the last comment is unfortunately "please keep this discussion over at the forum" - couldn't find anything related here.
Am I doing something wrong or is this a potential bug?
BYK
February 3, 2021, 10:33am
2
All you need to do is set SENTRY_BIND to 127.0.0.1:9000 and leave everything else intact. That should work.
romano
February 3, 2021, 11:01am
3
Thanks for the quick response.
I did this again. Unfortunately it doesn't do the trick.
root@sentry:/usr/sentry/onpremise# cat .env
COMPOSE_PROJECT_NAME=sentry_onpremise
SENTRY_EVENT_RETENTION_DAYS=90
# You can either use a port number or an IP:PORT combo for SENTRY_BIND
# See https://docs.docker.com/compose/compose-file/#ports for more
SENTRY_BIND=127.0.0.1:9000
#SENTRY_BIND=127.0.0.1:9000
SENTRY_IMAGE=getsentry/sentry:21.1.0
SNUBA_IMAGE=getsentry/snuba:21.1.0
RELAY_IMAGE=getsentry/relay:21.1.0
SYMBOLICATOR_IMAGE=getsentry/symbolicator:0.3.2
root@sentry:/usr/sentry/onpremise# sudo lsof -i -P -n | grep LISTEN
docker-pr 1521881 root 4u IPv4 11143615 0t0 TCP *:9000 (LISTEN)
Port is still open. Is this then a potential bug?
BYK
February 3, 2021, 11:16am
4
Have you actually tried to access the port from an external network though? Even if this is a bug, it is a bug with Docker or Docker Compose.
romano
February 3, 2021, 12:58pm
5
Yeah, I just tried external access - the port is unfortunately open.
In order to restart the system after configuring it,
I did:
docker-compose restart
Do I have to do something else maybe?
If not, any idea how to close this on Docker's end, or to whom I should report this then?
Thanks a lot for your help!
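The lsof check used in the posts above can be scripted so that a wildcard bind on the Sentry port fails loudly. This is an added example, not part of the original posts or of the Sentry project; the function name `exposed_listeners` is hypothetical and the second sample line is constructed.

```shell
#!/bin/sh
# Added example: flag TCP listeners on a port that are not bound to loopback.
# Feed it the output of `lsof -i -P -n | grep LISTEN` on stdin.

# Print "COMMAND ADDRESS" for every non-loopback listener on port $1.
# Exit status: 0 = loopback only, 1 = exposed listener found, 2 = nothing listening.
exposed_listeners() {
    awk -v port="$1" '
        $NF == "(LISTEN)" {
            name = $(NF - 1)                  # NAME column: *:9000, 127.0.0.1:9000, [::1]:9000
            n = split(name, parts, ":")
            if (parts[n] != port) next        # listener on a different port
            addr = substr(name, 1, length(name) - length(port) - 1)
            seen = 1
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback bind is fine
            print $1, addr
            bad = 1
        }
        END { if (bad) exit 1; if (!seen) exit 2 }
    '
}

# First line is the lsof output quoted in the thread; the second is a
# constructed line showing a loopback-only bind (PID and inode are made up).
sample_wildcard='docker-pr 959431 root 4u IPv4 6250422 0t0 TCP *:9000 (LISTEN)'
sample_loopback='docker-pr 100001 root 4u IPv4 7000001 0t0 TCP 127.0.0.1:9000 (LISTEN)'

printf '%s\n' "$sample_wildcard" | exposed_listeners 9000 \
    || echo "port 9000 is reachable beyond localhost"
printf '%s\n' "$sample_loopback" | exposed_listeners 9000 \
    && echo "port 9000 is bound to loopback only"
```

On a live host, pipe `sudo lsof -i -P -n | grep LISTEN` into `exposed_listeners 9000`. Docker's documentation for the restart command notes that changes to the Compose configuration are not reflected after running it, so run the check after the containers have been recreated (for example with `docker-compose up -d`).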
romano
February 3, 2021, 2:24pm
6
Extra question here: With the 9000 exposed, do you consider this in any way a security risk? (as this is standard behavior for sentry onpremise)
Thanks again
BYK
February 4, 2021, 12:04pm
7
Probably here: Sign in to GitHub · GitHub
Just to note, we are following what the docs say here: Compose file version 3 reference | Docker Docs
Not really as we expect the Sentry instance to be protected via user accounts.
Sorry you are having trouble around this. Maybe upgrading your Docker and Docker Compose versions would fix the issue?
romano
February 24, 2021, 5:44pm
8
We will try to update docker and docker compose in the next weeks.
I will update you here if this makes any difference.
Thanks for the quick help!
system
Closed
May 25, 2021, 5:44pm
9
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.