The configuration 'SENTRY_ALLOW_ORIGIN' does not take effect in the 'sentry.conf.py' file

[arrayListTwo]

Self-Hosted Version

24.9.0

CPU Architecture

x86_64

Docker Version

26.1.4

Docker Compose Version

2.27.1

Steps to Reproduce

1、The default CORS policy for sentry is *, and I want to configure it to a specific domain name. 2、According to the document https://develop.sentry.dev/application/config/ in sentry.conf.py configured in the SENTRY_ALLOW_ORIGIN = "http://foo.example", 3、then I executedocker compose downto close the service, re-build and start the service withdocker compose up -d --build` 4、 We find that when we call an api request (' api/4/envelope '), the response header is still: 'access-control-allow-origin: *'

Expected Result

Expect the response header when calling an api request (' api/4/envelope ') to be: access-control-allow-origin: http://foo.example ', that is, the SENTRY_ALLOW_ORIGIN value configured in sentr.conf. py

Actual Result

Event ID

No response

[bijancot]

Hi, It's look like you already following the docs. Did you try to run install.sh again ? if not yet can you try that and share the result after run install.sh ?

Cheers !

[arrayListTwo]

Hi, It's look like you already following the docs. Did you try to run install.sh again ? if not yet can you try that and share the result after run install.sh ?

Cheers !

I haven't rerun install.sh, I can try it and see what happens

[arrayListTwo]

Hi, It's look like you already following the docs. Did you try to run install.sh again ? if not yet can you try that and share the result after run install.sh ? Cheers !

I haven't rerun install.sh, I can try it and see what happens

1. I rerun the 'install.sh' command, which does not meet my expectations, and the response header is still 'access-control-allow-origin: *'
2. After I have configured the value SENTRY_ALLOW_ORIGIN in sentry.conf.py, when logging out of the user in the background management system, I call the interface api/0/auth/ to report a 400 error and respond 'Invalid origin: xxx`
3. I view "Environment" in "Management", and the displayed information is as follows:

[aldy505]

Modifying SENTRY_ALLOW_ORIGIN will only take into effect for the web UI. The /api/4/envelope endpoint is not a UI API, but it's an ingest API which is handled by relay. You can see the nginx route config here: https://github.com/getsentry/self-hosted/blob/8fd24d02312f9fd7990c1ad0808d561c7b4f80b5/nginx/nginx.conf#L85-L87

Those ingest endpoint (the /api/[\d]/envelope route) should correctly return a wildcard for CORS allow origin.

I'm seeing openresty on your Server response header. Can you make sure that the response header is not being overridden by any other load balancer/reverse proxy?

[arrayListTwo]

Modifying SENTRY_ALLOW_ORIGIN will only take into effect for the web UI. The /api/4/envelope endpoint is not a UI API, but it's an ingest API which is handled by relay. You can see the nginx route config here:

self-hosted/nginx/nginx.conf

Lines 85 to 87 in 8fd24d0

location ~ ^/api/[1-9]\d*/ { proxy_pass http://relay; } Those ingest endpoint (the /api/[\d]/envelope route) should correctly return a wildcard for CORS allow origin.

I'm seeing openresty on your Server response header. Can you make sure that the response header is not being overridden by any other load balancer/reverse proxy?

Yes, in the outer layer of the sentry server, there is also an nginx server, so let me make the following analogy based on the actual situation:

1. My server domain name is' http://example.com '
2. The server IP of the 'sentry' service is deployed: '10.198.2.132', and the port exposed by the 'sentry' service is: '9000'

My outer layer 'nginx' is configured as follows:

location /monitor/ {
    proxy_set_header X-Real-IP $remote_addr;
    Proxy_pass http://10.198.2.132:9000/;
}

I'm sentry web UI, configuration root URL for http://example.com/monitor

After the front-end 'vue' program accesses the 'sentry' service, when the exception is reported, the interface '/api/4/envelope' is called, and the response header is' Access-Control-Allow-Origin: * '. I expect the response header to be: Access-Control-Allow-Origin: http://example.com

I tried to change the following configuration by hosting /nginx/nginx.conf:

location ~ ^/api/[1-9]\d*/ {
add_header Access-Control-Allow-Origin "http://example.com";
proxy_pass http://relay;
}

At this point the 'api/4/envelope' response header is:

Access-Control-Allow-Origin: http://example.com;
Access-Control-Allow-Origin: *

How can I modify sentry's nginx configuration to achieve the effect I want?

[bc-sentry]

Assigning to getsentry/sentry for product area triage.

[getsantry[bot]]

Routing to @getsentry/product-owners-apis for triage ⏲️

[getsantry[bot]]

Assigning to @getsentry/support for routing ⏲️

[getsantry[bot]]

Routing to @getsentry/product-owners-ingestion-and-filtering for triage ⏲️

[getsantry[bot]]

Routing to @getsentry/product-owners-other for triage ⏲️

[evanpurkhiser]

Moving this back to the self-hosted repo, since this is not a product issue. The SENTRY_ALLOW_ORIGIN will not affect relay as @aldy505 mentioned. There is likely a different configuration to make that happen.

Did you end up finding a solution for this @arrayListTwo

[getsantry[bot]]

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you remove the label Waiting for: Community, I will leave it alone ... forever!

---

"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀