Hi!
I believe the SENTRY_WEB_HOST in sentry.conf.py does not behave exactly like I thought it would.
As I want to have sentry accessible only through my nginx, I chose to bind on 127.1. However, as it runs in a docker container, it makes the web interface not accessible even on localhost.
What I had to do is to bind to 0.0.0.0 and edit the docker-compose.yml:140 to tell docker to only bind the port 9000 to 127.0.0.1, making sentry web accessible only on localhost.
Is it a desirable behavior? Am I missing something?
Thanks
@fayak, I've transferred your issue to the appropriate repository / issue tracker.
_(fired the previous comment too early by accident)_
It is not clear from the description that there is any bug though. Seems like a usage question.
As per our README, in this case, https://forum.sentry.io/c/on-premise/ would be a more appropriate place to ask.
Closing it for now. Please feel free to comment back / re-open if I've misinterpreted the situation.
Yeah, I may have badly explained the issue.
From the doc, it appears that if I want sentry to bind on localhost, I need to modify SENTRY_WEB_HOST to a loopback address. If I do so, because sentry runs in docker, it is not accessible even on localhost (it's accessible on the container's localhost). What I need to modify in order to have sentry to be accessible only on localhost is not SENTRY_WEB_HOST (which must be set to 0.0.0.0), but the docker-compose.yml, to make the sentry_onpremise_web container's port 9000 accessible only on localhost like:

```yaml
  web:
    << : *sentry_defaults
    ports:
      - '127.0.0.1:9000:9000/tcp'
```

I am not sure however if you must qualify this as a bug or not, but since it was not mentioned in the doc nor the config file, I thought that you may want to know and/or modify either the doc or the use of SENTRY_WEB_HOST.
Sorry if this issue is not appropriate
Thanks for the clarification!
> From the doc, it appears that if I want sentry to bind on localhost, I need to modify SENTRY_WEB_HOST to a loopback address.
Binding on localhost is the default, and it is overwritten in the on-prem example config to 0.0.0.0.
The doc page you linked to described the env vars available, and is not trying to give any particular advice that depends on user setup.
I didn't find anywhere in the docs a suggestion to modify SENTRY_WEB_HOST to a loopback address. Could you point out what exactly it was that perhaps led to confusion?
> What I need to modify in order to have sentry to be accessible only on localhost is not SENTRY_WEB_HOST (which must be set to 0.0.0.0), but the docker-compose.yml, to make the sentry_onpremise_web container's port 9000 accessible only on localhost
That seems correct. The typical use of https://github.com/getsentry/onpremise is not to run Sentry on localhost though, but to serve traffic to external requests. That's what the docker-compose.yml is targeting.
The provided docker-compose.yml is just one way to run the Sentry components. It seems reasonable to make local changes to it to fit a particular use case.
Yup, the docs here are a bit confusing and outdated. I'll update them to align with the on-premise setup while keeping the old meaning for stand-alone installs.
As of version 20.9.0, I had to change,

```yaml
  nginx:
    << : *restart_policy
    ports:
      - '$SENTRY_BIND:80/tcp'
```

into

```yaml
  nginx:
    << : *restart_policy
    ports:
      - '127.0.0.1:$SENTRY_BIND:80/tcp'
```

so, I can reverse proxy from an existing nginx while not exposing port 9000 publicly.
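An added example, not part of the thread or of the Sentry project's code: a small check that reads the short-syntax `ports:` entries of a compose file and reports which host interface each one publishes on, covering both the `web` mapping and the `$SENTRY_BIND` nginx mapping quoted above. The function names and the sample text are constructed for illustration; it assumes the Docker daemon's default bind address is unchanged and does not handle long-syntax port mappings.

```python
import ipaddress
import re

# Compose short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]
PORT_RE = re.compile(
    r"^(?:(?P<ip>\[[^\]]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?:(?P<host>[^:/]*):)?(?P<container>[^:/]+)(?:/(?P<proto>\w+))?$"
)

def classify(entry):
    """Return 'loopback', 'all-interfaces', 'specific-interface' or 'unparsed'."""
    m = PORT_RE.match(entry.strip().strip("'\""))
    if not m:
        return "unparsed"
    if m.group("ip") is None:
        # No host IP given: Docker publishes on all host interfaces by default.
        return "all-interfaces"
    try:
        addr = ipaddress.ip_address(m.group("ip").strip("[]"))
    except ValueError:
        return "unparsed"
    if addr.is_loopback:
        return "loopback"
    return "all-interfaces" if addr.is_unspecified else "specific-interface"

def audit(compose_text):
    """Line-based scan (not a YAML parser): yield (service, entry, verdict)."""
    service, in_ports = None, False
    for line in compose_text.splitlines():
        stripped = line.strip()
        if stripped == "ports:":
            in_ports = True
        elif in_ports and stripped.startswith("- "):
            entry = stripped[2:].strip().strip("'\"")
            yield service, entry, classify(entry)
        else:
            in_ports = False
            if key := re.match(r"^([\w-]+):$", stripped):
                service = key.group(1)

# Constructed sample using the two mappings discussed in this thread.
SAMPLE = """\
  web:
    ports:
      - '127.0.0.1:9000:9000/tcp'
  nginx:
    ports:
      - '$SENTRY_BIND:80/tcp'
"""
# Entries that are reachable from outside the host's loopback interface.
FINDINGS = [f for f in audit(SAMPLE) if f[2] != "loopback"]
```

`FINDINGS` holds only the unprefixed nginx entry, which is the one the `127.0.0.1:` prefix above would move to loopback.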
Hey @windware-ono! Please could you provide the updates you made to your nginx.conf to reverse proxy and not expose port 9000 publicly, that worked with the update you made in your above comment?
@KevinLeigh @windware-ono please keep this discussion over at the forum