
403 Forbidden

Open yudong5740 opened this issue 1 year ago • 45 comments

Environment

self-hosted

Steps to Reproduce

My version is 21.10.0

http://****:9000/api/3/envelope/?sentry_key=ac3e2aa6d71041058386b58ef1fab76b&sentry_version=7&sentry_client=sentry.javascript.vue%2F7.45.0

Expected Result

{id:******}

Actual Result

Return Results:

Request URL: http://*****:9000/api/3/envelope/?sentry_key=ac3e2aa6d71041058386b58ef1fab76b&sentry_version=7&sentry_client=sentry.javascript.vue%2F7.45.0
Request Method: POST
Status Code: 403 Forbidden
Referrer Policy: origin

Return Results:

CSRF verification failed
The security token does not exist or is invalid
If you constantly see this issue, you can try the following steps:
Clear cookies (at least cookies under the Sentry domain name).
Reload the page you are attempting to submit (do not resubmit data).
Reenter the information and resubmit the form.
Read more about CSRF on Wikipedia.

Product Area

Unknown

Link

No response

DSN

No response

Version

No response

yudong5740 avatar Apr 26 '23 02:04 yudong5740

Assigning to @getsentry/support for routing, due by (sfo). ⏲️

getsantry[bot] avatar Apr 26 '23 02:04 getsantry[bot]

Routing to @getsentry/issue-experience for triage, due by (sfo). ⏲️

getsantry[bot] avatar Apr 26 '23 19:04 getsantry[bot]

Routing to @getsentry/open-source for triage, due by (sea). ⏲️

getsantry[bot] avatar Apr 26 '23 20:04 getsantry[bot]

@yudong5740 Are you using the docker compose version of self-hosted Sentry?

hubertdeng123 avatar Apr 27 '23 16:04 hubertdeng123

How was it solved? I had the same problem

rowan-wang avatar May 10 '23 12:05 rowan-wang

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Backlog or Status: In Progress, I will leave it alone ... forever!


"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

github-actions[bot] avatar Jun 01 '23 00:06 github-actions[bot]

I have the same problem, how to fix it?

HenryXuTao avatar Jun 05 '23 01:06 HenryXuTao

Interesting that multiple people are hitting this. We're gonna need a lot more info to help you all debug. As @hubertdeng123 asked, are you using the stock Docker Compose version of self-hosted or something derivative? What's your network topology?

chadwhitacre avatar Jun 05 '23 13:06 chadwhitacre

Same issue here. Also using the Docker compose version of self-hosted. It was working before I switched to https.

LeanderD avatar Jun 09 '23 12:06 LeanderD

It's difficult to tell what might be going wrong without additional info. Are there any logs that are useful?

hubertdeng123 avatar Jun 27 '23 16:06 hubertdeng123

We got a similar problem.

We got it on the URL /api/0/internal/options/; the response is 403 Forbidden.

Tried to change the rate limit from 1000 to 2000, but it can't be saved.

Version: Sentry 23.7.0.dev 02f14632

Nginx 9000 proxied to https

Which logs would be useful for you?

djoeycl avatar Jul 06 '23 08:07 djoeycl

I suspect this may be a proxying issue since it seems that multiple people are only hitting this when using https. Is there any logs in your nginx or web containers that you can share?

hubertdeng123 avatar Jul 06 '23 23:07 hubertdeng123

I tried with a VPN that is running on this server, so I can access it on port 9000. Still, /api/0/internal/options/ returns a 403 Forbidden without any info.

How can I enable the logs for nginx on the Docker image?

djoeycl avatar Jul 07 '23 07:07 djoeycl

Sorry for my late reply.

The error I'm seeing in the logs is: 2023-07-08T05:28:45.630030Z ERROR relay_server::actors::upstream: authentication encountered error error=could not send request to upstream error.sources=[error sending request for url (http://web:9000/api/0/relays/register/challenge/): error trying to connect: tcp connect error: Connection refused (os error 111), error trying to connect: tcp connect error: Connection refused (os error 111), tcp connect error: Connection refused (os error 111), Connection refused (os error 111)]

I did change all the settings to switch to https, but somehow it's still using http internally.

LeanderD avatar Jul 10 '23 13:07 LeanderD

How can I enable the logs for nginx on the Docker image?

You can just use docker compose logs web to find the logs

I did change all the settings to switch to https, but somehow it's still using http internally.

Did you try to set a system.url-prefix?

hubertdeng123 avatar Jul 10 '23 18:07 hubertdeng123

How can I enable the logs for nginx on the Docker image?

You can just use docker compose logs web to find the logs

I did change all the settings to switch to https, but somehow it's still using http internally.

Did you try to set a system.url-prefix?

Here are some logs when trying to update the rate limit

sentry-self-hosted-web-1 | 08:04:40 [INFO] sentry.access.api: api.access (method='GET' view='sentry.api.endpoints.internal.stats.InternalStatsEndpoint' response=200 user_id='1' is_app='None' token_type='None' is_frontend_request='True' organization_id='None' auth_id='None' path='/api/0/internal/stats/' caller_ip='xxxxxx' user_agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0' rate_limited='False' rate_limit_category='None' request_duration_seconds=1.1136538982391357 rate_limit_type='DNE' concurrent_limit='None' concurrent_requests='None' reset_time='None' group='None' limit='None' remaining='None')
sentry-self-hosted-web-1 | 08:04:41 [INFO] sentry.superuser: superuser.request (url='http://localhost/api/0/internal/options/' method='GET' ip_address='xxxxxxx' user_id=1)
sentry-self-hosted-web-1 | 08:04:41 [INFO] sentry.access.api: api.access (method='GET' view='sentry.api.endpoints.system_options.SystemOptionsEndpoint' response=200 user_id='1' is_app='None' token_type='None' is_frontend_request='True' organization_id='None' auth_id='None' path='/api/0/internal/options/' caller_ip='xxxxx' user_agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0' rate_limited='False' rate_limit_category='None' request_duration_seconds=0.07998847961425781 rate_limit_type='DNE' concurrent_limit='None' concurrent_requests='None' reset_time='None' group='None' limit='None' remaining='None')
sentry-self-hosted-web-1 | 08:04:45 [INFO] sentry.superuser: superuser.request (url='http://localhost/api/0/internal/options/' method='PUT' ip_address='xxxxxx' user_id=1)
sentry-self-hosted-web-1 | 08:04:45 [INFO] sentry.access.api: api.access (method='PUT' view='sentry.api.endpoints.system_options.SystemOptionsEndpoint' response=403 user_id='1' is_app='None' token_type='None' is_frontend_request='True' organization_id='None' auth_id='None' path='/api/0/internal/options/' caller_ip='xxxxxx' user_agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0' rate_limited='False' rate_limit_category='None' request_duration_seconds=0.730161190032959 rate_limit_type='DNE' concurrent_limit='None' concurrent_requests='None' reset_time='None' group='None' limit='None' remaining='None')
sentry-self-hosted-web-1 | 08:04:45 [WARNING] django.request: Forbidden: /api/0/internal/options/ (status_code=403 request=<WSGIRequest: PUT '/api/0/internal/options/'>)

djoeycl avatar Jul 12 '23 08:07 djoeycl

I am also facing the same issue but still didn't get any solution. I installed Sentry on Ubuntu, not in Docker, directly on EC2.

devops-tavus avatar Jul 12 '23 11:07 devops-tavus

Did you try to set a system.url-prefix?

I think that's what I did, but I'm not sure.

I did manage to get everything working on https now. No idea what I did differently this time, but somehow it just worked and now everything is running on https like it should. No issues at all.

I did remove "everything" and started over from scratch. I thought I deleted everything using the nuclear option from the docs (https://develop.sentry.dev/self-hosted/troubleshooting/#nuclear-option), but after cloning the repo and installing Sentry the data from previous installs was still there. This time Sentry is running on https though.

I wish I could tell you what I did wrong the previous times, but unfortunately I have no idea. It's possible I tried setting the system.url-prefix. I'm sure I tried that at some point, but I'm also sure I didn't do that this time.

I just uncommented the lines for SSL/TLS in sentry.conf.py, changed my nginx config and that's about it.

LeanderD avatar Jul 21 '23 15:07 LeanderD

I just uncommented the lines for SSL/TLS in sentry.conf.py, changed my nginx config and that's about it.

Well, thanks for the data point here. Glad to hear you got it working somehow

hubertdeng123 avatar Aug 01 '23 06:08 hubertdeng123

If you are serving it over the http:// scheme, then comment out the SSL/TLS config mentioned below in sentry.conf.py:

###########
# SSL/TLS #
###########
# If you're using a reverse SSL proxy, you should enable the X-Forwarded-Proto
# header and enable the settings below
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SOCIAL_AUTH_REDIRECT_IS_HTTPS = True
# End of SSL/TLS settings

Save the file and restart docker: systemctl restart docker

kaustavb79 avatar Nov 24 '23 10:11 kaustavb79

In my case, the logs indicated this is a cookie issue:

 | 11:24:27 [WARNING] django.security.csrf: Forbidden (CSRF cookie not set.): /api/2/envelope (status_code=403 request=<WSGIRequest: POST '/api/2/envelope?

So this may give deeper insights to what is going wrong: https://forum.djangoproject.com/t/getting-forbidden-csrf-cookie-not-set-while-trying-to-login-to-django-admin-page/20645/11

csvan avatar Dec 14 '23 11:12 csvan

Same issue.

sentry-self-hosted-web-1 | 03:20:35 [WARNING] django.request: Forbidden: /api/0/internal/options/ (status_code=403 request=<WSGIRequest: PUT '/api/0/internal/options/'>)

WilenChen avatar Jan 17 '24 03:01 WilenChen

@WilenChen That is an entirely different issue. That endpoint is internal and is used by admins. You are likely trying to access a page that only superusers can access.

hubertdeng123 avatar Jan 18 '24 23:01 hubertdeng123

I just uncommented the lines for SSL/TLS in sentry.conf.py, changed my nginx config and that's about it.

Hi, we're experiencing a similar issue with self-hosted Sentry versions 24.1.0 and 24.1.1 deployed via the install script and docker-compose: [WARNING] django.security.csrf: Forbidden (CSRF token missing.): /api/1/envelope/ (status_code=403 request=<WSGIRequest: POST '/api/1/envelope/?sentry_key=<REDACTED>&sentry_version=7&sentry_client=sentry.javascript.react%2F7.98.0'>)

How did you change your nginx.conf? This info would be much appreciated.

Erokos avatar Feb 07 '24 09:02 Erokos

Does adding this (uncommented, and with your domain names) to your sentry.conf.py help? You'll need to restart the server.

azaslavsky avatar Feb 08 '24 22:02 azaslavsky

Thanks, in the end it was due to something else and we managed to solve the issue. Nevertheless this is good to know and thank you for the info.

Erokos avatar Feb 11 '24 07:02 Erokos

I've been struggling with this for two hours. The CSRF_TRUSTED_ORIGINS array MUST INCLUDE the schema!

CSRF_TRUSTED_ORIGINS = ["example.com", "127.0.0.1:9000"]

should be

CSRF_TRUSTED_ORIGINS = ["https://www.example.com", "http://127.0.0.1:9000"]

axelgenus avatar Feb 19 '24 11:02 axelgenus

Thanks for pushing through and posting back @axelgenus. 🙌

@Sweet-KK @theremoon-j Does the above help with your comments at https://github.com/getsentry/self-hosted/issues/2751#issuecomment-1952183896?

chadwhitacre avatar Feb 22 '24 18:02 chadwhitacre

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you remove the label Waiting for: Community, I will leave it alone ... forever!


"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

getsantry[bot] avatar Mar 15 '24 07:03 getsantry[bot]

If you're willing to accept the security risks, either because you have other infrastructure in front of sentry or because you just don't care, I found this to be the easiest way forward. In sentry's settings.py:

CSRF_TRUSTED_ORIGINS = [
    "http://*",
    "https://*",
]

caseyduquettesc avatar Mar 22 '24 20:03 caseyduquettesc
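A constructed model of the origin check behind the CSRF_TRUSTED_ORIGINS variants in this thread: the schemeless list and its scheme-qualified fix from axelgenus's comment, and the bare "http://*" / "https://*" wildcards above. This is an added example, not Sentry's or Django's code; it is a simplified stand-in for Django's CsrfViewMiddleware matching, and the wildcard-suffix rule it applies is an assumption about that behaviour.

```python
from urllib.parse import urlsplit

# Constructed, simplified model of how Django decides whether a request's
# Origin is trusted (assumption: not Django's or Sentry's code). Rules modelled:
# every CSRF_TRUSTED_ORIGINS entry must carry a scheme, a bare "*" netloc
# trusts every host of that scheme, and "*.example.com" trusts example.com
# plus its subdomains.

def parse_trusted_origins(trusted):
    """Split entries into exact origins and (scheme, domain-suffix) wildcards.
    Entries without a scheme are rejected, as Django >= 4.0 does at startup."""
    exact, wildcards = set(), []
    for entry in trusted:
        parts = urlsplit(entry)
        if not parts.scheme or not parts.netloc:
            raise ValueError(f"CSRF_TRUSTED_ORIGINS entry needs a scheme: {entry!r}")
        if "*" in parts.netloc:
            suffix = parts.netloc.lstrip("*")  # "*.example.com" -> ".example.com"
            wildcards.append((parts.scheme.lower(), suffix.lower()))
        else:
            exact.add(f"{parts.scheme.lower()}://{parts.netloc.lower()}")
    return exact, wildcards

def origin_trusted(origin, trusted):
    """True if the request's Origin header value is accepted by the configuration."""
    exact, wildcards = parse_trusted_origins(trusted)
    origin = origin.lower()
    if origin in exact:
        return True
    parts = urlsplit(origin)
    for scheme, suffix in wildcards:
        if parts.scheme != scheme:
            continue                       # "https://*" never trusts an http origin
        if suffix == "":
            return True                    # bare "https://*": any host at all
        if parts.netloc.endswith(suffix) or parts.netloc == suffix[1:]:
            return True
    return False

def classify_config(trusted):
    """Label the three configurations seen in this thread."""
    try:
        _exact, wildcards = parse_trusted_origins(trusted)
    except ValueError:
        return "invalid: scheme missing, no origin will ever match"
    if any(suffix == "" for _scheme, suffix in wildcards):
        return "permissive: every origin of that scheme is trusted"
    return "ok: only the listed origins are trusted"
```

With the bare wildcards the origin check still runs but cannot reject anything, which is the trade-off the comment above describes; the scheme-qualified list keeps it meaningful.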