CSRF Verification Failed when using Sentry Docker images (v8.5) and an HTTPS reverse proxy.


Martin René Mortensen

Jun 8, 2016, 6:55:53 AM
to sentry
It keeps giving me that error when I log in as the created superuser, admin. The CSRF cookie looks OK and the csrfmiddlewaretoken parameter looks the same, but it still fails.

What will fix this?


I'm running the my-sentry Docker container with the following parameters:

docker run -d --name my-sentry -e SENTRY_USE_SSL=1 -e SENTRY_SECRET_KEY='verysecretkey' --link sentry-redis:redis --link sentry-postgres:postgres sentry

and my Apache configuration looks like this:

<VirtualHost *:443>
  ServerAdmin x...@y.com
  ServerName sentry.example.com

  ErrorLog logs/sentry_error_log
  TransferLog logs/sentry_access_log
  #LogLevel debug
  LogLevel warn

  # Tell the backend that the client connection was HTTPS
  RequestHeader set X-Forwarded-Proto "https"

  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  SSLHonorCipherOrder on
  # Prefer PFS, allow TLS, avoid SSL, for IE8 on XP still allow 3DES
  SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS"
  # Prevent CRIME/BREACH compression attacks
  #SSLCompression Off # Only on apache 2.2.24+
  # Commit to HTTPS only traffic for at least 180 days
  Header add Strict-Transport-Security "max-age=15552000"

  BrowserMatch ".*MSIE.*" \
           nokeepalive ssl-unclean-shutdown \
           downgrade-1.0 force-response-1.0

  <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
  </FilesMatch>
  <Directory "/var/www/cgi-bin">
      SSLOptions +StdEnvVars
  </Directory>
  include conf.d/tls-cert.incl

  # Forward everything to the Sentry container
  <Location />
    ProxyPass        http://172.17.0.5:9000/
    ProxyPassReverse http://172.17.0.5:9000/
    ProxyPassReverse https://172.17.0.5:9000/
  </Location>
</VirtualHost>

/Martin

ma...@getsentry.com

Jun 8, 2016, 1:51:13 PM
to sentry
Hey Martin, I'm not entirely sure what the issue is, but the only thing I can think of would be a mismatch in URLs somewhere. I'm also not well versed enough in Apache to tell if anything stands out there.

Can you check that your `$ sentry config get system.url-prefix` value matches what the proxy url would be?

Martin René Mortensen

Jun 8, 2016, 5:08:36 PM
to sentry
# docker exec -it my-sentry bash
root@0f25406f357f:/# sentry config get system.url-prefix
        type: STRING
 from config: <not set>
     current:

So... it's not set at all. I haven't read the CSRF code, but how does the URL come into play? There's a hidden URL parameter and a cookie... they match, so what else is there? A session that has the same data, I'm guessing.

/Martin

Martin René Mortensen

Jun 10, 2016, 2:57:52 AM
to sentry
Well, I think I missed the ProxyPreserveHost On in your configuration guide. It works much better now.
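Why a missing ProxyPreserveHost shows up as a CSRF failure even though the cookie and the form token agree: Django's classic CSRF middleware (which Sentry builds on) runs an extra check on HTTPS requests, comparing the Referer's origin with "https://<Host header>/". Without ProxyPreserveHost, Apache rewrites Host to the backend address (172.17.0.5:9000 here), so the browser's Referer (https://sentry.example.com/...) no longer matches and the request is rejected before the tokens are even compared. The following is an added model of that check, not code from Sentry, Django or this thread; it assumes the backend treats X-Forwarded-Proto: https as "secure" (what SENTRY_USE_SSL=1 configures), and every header value and token below is constructed sample data.

```python
"""Model of Django's classic CSRF check as seen from behind an HTTPS proxy.

Added example (not Sentry's or Django's code). Assumptions: the backend
trusts X-Forwarded-Proto to decide request.is_secure(), and the Host header
is whatever the reverse proxy forwarded. All values are constructed.
"""
import hmac
from urllib.parse import urlsplit


def same_origin(url1, url2):
    """True when scheme, host and port match (port defaults per scheme)."""
    p1, p2 = urlsplit(url1), urlsplit(url2)
    default = {"http": 80, "https": 443}
    port1 = p1.port or default.get(p1.scheme)
    port2 = p2.port or default.get(p2.scheme)
    return (p1.scheme, p1.hostname, port1) == (p2.scheme, p2.hostname, port2)


def csrf_check(headers, cookie_token, form_token):
    """Return "ok" or the rejection reason, in the order Django applies them.

    headers: the request headers exactly as the backend receives them.
    cookie_token: value of the CSRF cookie (None if absent).
    form_token: value of the hidden csrfmiddlewaretoken field.
    """
    is_secure = headers.get("X-Forwarded-Proto") == "https"
    if is_secure:
        # Strict Referer check applies only to HTTPS requests.
        referer = headers.get("Referer")
        if referer is None:
            return "rejected: no Referer on HTTPS request"
        good_referer = "https://%s/" % headers["Host"]
        if not same_origin(referer, good_referer):
            return "rejected: Referer %s does not match %s" % (referer, good_referer)
    if cookie_token is None:
        return "rejected: CSRF cookie not set"
    # Constant-time comparison of the two tokens.
    if not hmac.compare_digest(form_token, cookie_token):
        return "rejected: CSRF token mismatch"
    return "ok"


TOKEN = "c0nstructedSampleToken"  # constructed; identical in cookie and form

# Apache without ProxyPreserveHost: Host is rewritten to the backend address.
WITHOUT_PRESERVE = {
    "Host": "172.17.0.5:9000",
    "X-Forwarded-Proto": "https",
    "Referer": "https://sentry.example.com/auth/login/",
}
# Apache with ProxyPreserveHost On: the browser's Host header is forwarded.
WITH_PRESERVE = dict(WITHOUT_PRESERVE, Host="sentry.example.com")

if __name__ == "__main__":
    for label, hdrs in (("without ProxyPreserveHost", WITHOUT_PRESERVE),
                        ("with ProxyPreserveHost", WITH_PRESERVE)):
        print(label, "->", csrf_check(hdrs, TOKEN, TOKEN))
```

Two things follow from the model. First, the rejection is visible only in the backend's reasoning, not in the browser, which is why inspecting the cookie and form field never shows a difference. Second, because the backend trusts X-Forwarded-Proto, the proxy must set (overwrite) that header itself, as the RequestHeader set line in the configuration above does, rather than pass through whatever a client sends.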

ben.t...@roundingwell.com

May 1, 2017, 5:56:41 PM
to sentry
I'm posting this more for a separate issue with similar symptoms that kept leading me back to this post via Google.

My problem was actually related to an NGINX HTTPS proxy. My problem was that I forgot that NGINX needs the intermediate CA appended to the end of your server's root SSL certificate.
The symptoms were that all of my error logs were failing when SSL_VERIFY was enabled. The web app worked fine because most modern browsers have their own list of intermediate CAs.

To resolve it, I simply used cat to append my intermediate CA (DigiCertCA.crt) to the end of my wildcard SSL certificate.

ref: https://www.digicert.com/ssl-certificate-installation-nginx.htm