Google SSO auth login reports 400 bad request under a proxy
Self-Hosted Version
25.10.0
CPU Architecture
x86_64
Docker Version
Docker version 28.5.1, build e180ab8
Docker Compose Version
Docker Compose version v2.40.3
Machine Specification
- [x] My system meets the minimum system requirements of Sentry
Steps to Reproduce
- My self-hosted Sentry is under a proxy which hijacks any DNS requests to proxy server 10.11.11.11
- When using Google SSO login, docker logs -f --tail 20 sentry-self-hosted-web-1 shows:
```
  File "/.venv/lib/python3.13/site-packages/urllib3/connectionpool.py", line 466, in _make_request
    self._validate_conn(conn)
    ~~~~~~~~~~~~~~~~~~~^^^^^^
  File "/.venv/lib/python3.13/site-packages/urllib3/connectionpool.py", line 1095, in _validate_conn
    conn.connect()
    ~~~~~~~~~~~~^^
  File "/.venv/lib/python3.13/site-packages/urllib3/connection.py", line 615, in connect
    self.sock = sock = self._new_conn()
    ~~~~~~~~~~~~~~^^
  File "/usr/src/sentry/src/sentry/net/http.py", line 81, in _new_conn
    conn = safe_create_connection(
        (self._dns_host, self.port),
    ...<2 lines>...
        **extra_kw,
    )
  File "/usr/src/sentry/src/sentry/net/socket.py", line 151, in safe_create_connection
    raise RestrictedIPAddress(f"({host}/{ip}) matches the URL blocklist")
sentry.exceptions.RestrictedIPAddress: (www.googleapis.com/10.11.11.11) matches the URL blocklist
08:47:11 [ERROR] django.security.RestrictedIPAddress: (www.googleapis.com/10.11.11.11) matches the URL blocklist (status_code=400 request=<WSGIRequest: GET '/auth/sso/?state=xxxxxx&code=4%xxxxxxx-pDTtHw&scope=email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&hd=cobo.com&prompt=consent'>)
```
Expected Result
google sso login ok
Actual Result
400 bad request
Event ID
No response
Now I add the following config to pass through the issue, because https://github.com/getsentry/sentry/blob/master/src/sentry/conf/server.py adds all the internal IPs:
```
self-hosted# tail -n 1 sentry/sentry.conf.py
SENTRY_DISALLOWED_IPS = ()
```
I am not sure whether it's the best practice or whether any other config can be used to solve this issue.
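A narrower alternative to the empty tuple, as an added example that is not part of the thread or of Sentry's own code: it removes only the proxy address 10.11.11.11 from a blocklist and keeps every other internal range blocked. The sample ranges are constructed, the helper names `carve_out` and `is_blocked` are hypothetical, and it assumes SENTRY_DISALLOWED_IPS takes CIDR strings as in the linked server.py.

```python
import ipaddress

# Constructed sample ranges, not Sentry's full default list; in practice start
# from the SENTRY_DISALLOWED_IPS tuple in the linked sentry/conf/server.py.
SAMPLE_BLOCKLIST = (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)
PROXY_IP = "10.11.11.11"  # address that hijacked DNS answers point to (from the log)


def carve_out(blocklist, exempt):
    """Return the blocklist as CIDR strings with only `exempt` removed."""
    nets = [ipaddress.ip_network(c, strict=False) for c in blocklist]
    for item in exempt:
        hole = ipaddress.ip_network(item, strict=False)  # bare IP -> /32 or /128
        remaining = []
        for net in nets:
            if net.version != hole.version or not net.overlaps(hole):
                remaining.append(net)                 # untouched range
            elif net.subnet_of(hole):
                continue                              # range lies fully inside the hole
            else:
                remaining.extend(net.address_exclude(hole))  # split around the hole
        nets = remaining
    nets.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return tuple(str(n) for n in nets)


def is_blocked(ip, blocklist):
    """True if `ip` falls inside any CIDR of `blocklist`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in blocklist)


if __name__ == "__main__":
    # Print a tuple that can be pasted into sentry/sentry.conf.py
    narrowed = carve_out(SAMPLE_BLOCKLIST, [PROXY_IP])
    print("SENTRY_DISALLOWED_IPS = (")
    for cidr in narrowed:
        print(f'    "{cidr}",')
    print(")")
```

Because every hostname resolves to the proxy in this setup, exempting 10.11.11.11 makes the proxy the place where destination filtering has to happen for name-based requests. Requests to literal internal addresses such as 169.254.169.254 or 192.168.x.x stay blocked by Sentry itself.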
The same happens now for us.
@max-wittig Question: is it solvable by specifying the correct SENTRY_DISALLOWED_IPS value, or is any other change required?
@aldy505 Yes it's solved by just specifying an empty SENTRY_DISALLOWED_IPS and that's it.
@max-wittig Ah, okay. Sorry for the inconvenience.
@max-wittig Hey, I have a favor to ask. Someone on Discord said this:
Hi! I am having trouble accessing the admin panel in Sentry. I use OIDC SSO (https://github.com/siemens/sentry-auth-oidc) to log in. The account is a superuser and has a password.
I can't find a button anywhere in the Web UI to go to the admin panel. When I go directly to https://sentry.example.com/manage/, I am asked for a password, which I successfully enter, but nothing happens (the browser's network requests show that the request to /api/0/auth/ is successful)
I wonder if this is also happening to you?
@aldy505 This is a known issue also for us since the beginning of the plugin. We don't really know why this happens, but if you click on sign-out and sign back in, it should show up.
This issue has gone three weeks without activity. In another week, I will close it.
But! If you comment or otherwise update it, I will reset the clock, and if you remove the label Waiting for: Community, I will leave it alone ... forever!
"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀
Don't close