CSRF Verification Failed when using sentry docker images (v8.5) and a https reverse proxy.
2,570 views
Skip to first unread message
Martin René Mortensen
Jun 8, 2016, 6:55:53 AM6/8/16
to sentry
It keeps giving me that error when I log in as the created superuser: admin. The cookie csrf looks ok, the parameter csrfmiddlewaretoken looks the same, still it fails.
What will fix this?
Im running the my_sentry docker container with following parameters:
docker run -d --name my-sentry -e SENTRY_USE_SSL=1 -e SENTRY_SECRET_KEY='verysecretkey' --link sentry-redis:redis --link sentry-postgres:postgres sentry
and my apache configuration looks like this:
<VirtualHost *:443>
ServerAdmin x...@y.com
ServerName sentry.example.com
ErrorLog logs/sentry_error_log
TransferLog logs/sentry_access_log
#LogLevel debug
LogLevel warn
RequestHeader set X-Forwarded-Proto "https"
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
# Prefer PFS, allow TLS, avoid SSL, for IE8 on XP still allow 3DES
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS"
# Prevent CRIME/BREACH compression attacks
#SSLCompression Off # Only on apache 2.2.24+
# Commit to HTTPS only traffic for at least 180 days
Header add Strict-Transport-Security "max-age=15552000"
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
include conf.d/tls-cert.incl
<Location />
ProxyPass http://172.17.0.5:9000/
ProxyPassReverse http://172.17.0.5:9000/
ProxyPassReverse https://172.17.0.5:9000/
</Location>
</Virtualhost>
/Martin
What will fix this?
Im running the my_sentry docker container with following parameters:
docker run -d --name my-sentry -e SENTRY_USE_SSL=1 -e SENTRY_SECRET_KEY='verysecretkey' --link sentry-redis:redis --link sentry-postgres:postgres sentry
and my apache configuration looks like this:
<VirtualHost *:443>
ServerAdmin x...@y.com
ServerName sentry.example.com
ErrorLog logs/sentry_error_log
TransferLog logs/sentry_access_log
#LogLevel debug
LogLevel warn
RequestHeader set X-Forwarded-Proto "https"
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
# Prefer PFS, allow TLS, avoid SSL, for IE8 on XP still allow 3DES
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS"
# Prevent CRIME/BREACH compression attacks
#SSLCompression Off # Only on apache 2.2.24+
# Commit to HTTPS only traffic for at least 180 days
Header add Strict-Transport-Security "max-age=15552000"
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
include conf.d/tls-cert.incl
<Location />
ProxyPass http://172.17.0.5:9000/
ProxyPassReverse http://172.17.0.5:9000/
ProxyPassReverse https://172.17.0.5:9000/
</Location>
</Virtualhost>
/Martin
ma...@getsentry.com
Jun 8, 2016, 1:51:13 PM6/8/16
to sentry
Hey Martin, I'm not entirely sure what the issue is, but the only thing I can think of would be a mismatch in urls somewhere. I'm also not well versed in Apache to think if anything stands out there.
Can you check that your `$ sentry config get system.url-prefix` value matches what the proxy url would be?
Martin René Mortensen
Jun 8, 2016, 5:08:36 PM6/8/16
to sentry
# docker exec -it my-sentry bash
root@0f25406f357f:/# sentry config get system.url-prefix
type: STRING
from config: <not set>
current:
so.. its not set at all. I havent read the csrf code, but how does the url come into play? theres a hidden url parameter and a cookie... they match, what else is there? a session that has the same data Im guessing.
/Martin
root@0f25406f357f:/# sentry config get system.url-prefix
type: STRING
from config: <not set>
current:
so.. its not set at all. I havent read the csrf code, but how does the url come into play? theres a hidden url parameter and a cookie... they match, what else is there? a session that has the same data Im guessing.
/Martin
Martin René Mortensen
Jun 10, 2016, 2:57:52 AM6/10/16
to sentry
Well, I think I missed the ProxyPreserveHost On in your configuration guide. It works much better now.
ben.t...@roundingwell.com
May 1, 2017, 5:56:41 PM5/1/17
to sentry
I'm posting this more for a separate issue with similar symptoms that kept leading me back to this post via Google.
My problem was actually related to an NGINX https proxy. My problem was that I forgot that NGINX needs the intermediate CA appended to the end of your server's root SSL certificate.
The symptoms were that all of my error logs were failing when SSL_VERIFY was enabled. The web app worked fine because most modern browsers have their own list of intermediate CA's.
To resolve, I simply used cat to append my intermediate CA (DigiCertCA.crt) to the end of my wildcard ssl certificate.
ref: https://www.digicert.com/ssl-certificate-installation-nginx.htm
My problem was actually related to an NGINX https proxy. My problem was that I forgot that NGINX needs the intermediate CA appended to the end of your server's root SSL certificate.
The symptoms were that all of my error logs were failing when SSL_VERIFY was enabled. The web app worked fine because most modern browsers have their own list of intermediate CA's.
To resolve, I simply used cat to append my intermediate CA (DigiCertCA.crt) to the end of my wildcard ssl certificate.
ref: https://www.digicert.com/ssl-certificate-installation-nginx.htm
Reply all
Reply to author
Forward
0 new messages