Unable to limit port 9000 to localhost

romano · February 3, 2021, 9:51am

Hello dear sentry team,

with the current build i was unable to limit the open port 9000 to localhost for the onpremise self hosted sentry.

I’m using a nginx outside of docker in order to expose the app to the outside world.

Version: 21.1.0
I tried the following:

sudo lsof -i -P -n | grep LISTEN
show:
docker-pr 959431 root 4u IPv4 6250422 0t0 TCP *:9000 (LISTEN)

This port should be limited to 127.0.0.1

My outside nginx:

location / {
proxy_pass http://localhost:9000;
add_header Strict-Transport-Security “max-age=31536000”;
}

Which works fine.

I manipulated the following files which had no effect at all:
docker-compose.yml

nginx:
<< : *restart_policy
ports:

‘127.0.0.1:$SENTRY_BIND:80/tcp’

.env
SENTRY_BIND=127.0.0.1:9000

sentry/sentry.conf.py

##############

Web Server

##############

SENTRY_WEB_HOST = “127.0.0.1”
SENTRY_WEB_PORT = 9000

I tried all of these approaches seperately . Especially the sentry/sentry.conf.py looked exactly what i was looking for but the result was always:

sudo lsof -i -P -n | grep LISTEN
show:
docker-pr 959431 root 4u IPv4 6250422 0t0 TCP *:9000 (LISTEN)

I couldnt find any documentation and just some mentions on the internet where people had similar issues like:

github.com/getsentry/onpremise

Here the last comment is unfortunately " please keep this discussion over at the forum - couldnt find anything related here.

Am i doing something wrong or is this a potential bug?

BYK · February 3, 2021, 10:33am

All you need to do is setting SENTRY_BIND to 127.0.0.1:9000 and leave everything else intact. That should work.

romano · February 3, 2021, 11:01am

Thanks for the quick response.
I did this again. Unfortunately it doesnt do the trick.

root@sentry:/usr/sentry/onpremise# cat .env
COMPOSE_PROJECT_NAME=sentry_onpremise
SENTRY_EVENT_RETENTION_DAYS=90
# You can either use a port number or an IP:PORT combo for SENTRY_BIND
# See https://docs.docker.com/compose/compose-file/#ports for more
SENTRY_BIND=127.0.0.1:9000
#SENTRY_BIND=127.0.0.1:9000
SENTRY_IMAGE=getsentry/sentry:21.1.0
SNUBA_IMAGE=getsentry/snuba:21.1.0
RELAY_IMAGE=getsentry/relay:21.1.0
SYMBOLICATOR_IMAGE=getsentry/symbolicator:0.3.2

root@sentry:/usr/sentry/onpremise# sudo lsof -i -P -n | grep LISTEN

docker-pr 1521881 root 4u IPv4 11143615 0t0 TCP *:9000 (LISTEN)

Port is still open. Is this then a potential bug?

BYK · February 3, 2021, 11:16am

Have you actually tried to access the port from an external network though? Even if this is a bug, it is a bug with Docker or Docker Compose.

romano · February 3, 2021, 12:58pm

Yeah, i just tried external access - the port is unfortunately open.
In order to restart the system after configuring it,
I did:

docker-compose restart

Do i have to do something else maybe?
If not, any idea how to close this on docker end or to whom should I report this then?

Thanks a lot for your help!

romano · February 3, 2021, 2:24pm

Extra question here: With the 9000 exposed, do you consider this in any way a security risk? (as this is standard behavior for sentry onpremise)

Thanks again

BYK · February 4, 2021, 12:04pm

Probably here: https://github.com/docker/compose/issues/new/choose

Just to note, we are following what the docs say here: Compose file version 3 reference | Docker Documentation

Not really as we expect the Sentry instance to be protected via user accounts.

Sorry you are having trouble around this. Maybe upgrading your Docker and Docker Compose versions would fix the issue?

romano · February 24, 2021, 5:44pm

We will try to update docker and docker compose in the next weeks.
I will update you here if this makes any difference.

Thanks for the quick help!