# CSRF problem while using the API from a C++ application


vast mantle
#

I installed self-hosted sentry and everything seems to be working fine, except for the API. I have overridden the docker-compose.yml file in which I add a reverse proxy. No matter what I do, I always get something along the lines of this:

```
07:44:50 [ERROR] root: CSRF failure for staff or superuser
07:44:50 [WARNING] django.security.csrf: Forbidden (CSRF token missing.): /api/1/envelope/ (status_code=403 request=<WSGIRequest: POST '/api/1/envelope/?sentry_version=7&sentry_key=7e988afcaab690228dcbf42f04ac6649&sentry_cli
```

I tried to exempt the API calls from CSRF:

```
SENTRY_WEB_OPTIONS: {
  "csrf_exempt_urls": ["/api/1/envelope/", "/api/2/envelope/"],
  "csrf_trusted_origins": ["http://lkebsentry.nl", "https://lkebsentry.nl"],
  "secure_proxy_ssl_header": ["HTTP_X_FORWARDED_PROTO", "https"]
}
```

But this also does not work...

Any ideas?

pulsar gyro
#

CSRF_TRUSTED_ORIGINS might override what you have set there

#

Don't forget to re-run ./install.sh after changing any value in any config file 🙂

vast mantle
#

Ah ok! That is likely the culprit then. Was not aware that I have to do that, thanks!

vast mantle
#

Still the same problem unfortunately 😦

#

I have an nginx in front of sentry, should I proxy_pass to web or relay? Do you have any examples perhaps?

pulsar gyro
#

proxy_pass http://127.0.0.1:9000; is what you want, I thought we used to have some documentation for that.

@eternal lava am I blind or don't we have an example nginx config anymore?

eternal lava
#

```
07:44:50 [WARNING] django.security.csrf: Forbidden (CSRF token missing.): /api/1/envelope/ (status_code=403 request=<WSGIRequest: POST '/api/1/envelope/?sentry_version=7&sentry_key=7e988afcaab690228dcbf42f04ac6649&sentry_cli
```

This is wrong, since the /api/{number}/envelope endpoint only exists on the relay container