Sentry-python: Flask integration wrong User IP behind proxy

Created on 10 Apr 2019  路  12Comments  路  Source: getsentry/sentry-python

When sentry report bugs I get wrong users IP.

I'm using UWSGI and NGINX stack. I forward X-REAL-IP from NGINX to UWSGI. Also flask.request.remote_addr shows correct user IP address but sentry-sdk version 0.7.10 shows my server IP address as user IP.

Would you please assist?

bug

All 12 comments

Hello, your problem should be solved if you set X-Forwarded-For to the same value as well, but this is a bug in the SDK. We should trust the value given by Flask.

May I ask how you read X-Real-IP into Flask? I assume you use a WSGI middleware for this?

    sentry_sdk.init(dsn=config.SENTRY_DSN_URL, integrations=[FlaskIntegration(),
                                                             CeleryIntegration(),
                                                             sentry_logging])
    app.wsgi_app = SentryWsgiMiddleware(app.wsgi_app)

May I use like this ?

@NullYing this seems fine, but I don't understand how it's related to this issue.

https://github.com/getsentry/sentry-python/blob/263a0bd92bdf85c6b23c889c8cd5a28adfd81ea2/sentry_sdk/integrations/wsgi.py#L129

    try:
        return environ["HTTP_X_FORWARDED_FOR"].split(",")[0].strip()
    except (KeyError, IndexError):
        return environ.get("REMOTE_ADDR")

I found get_client_ip in wsgi.py
but not flask

@NullYing See here: https://github.com/getsentry/sentry-python/blob/263a0bd92bdf85c6b23c889c8cd5a28adfd81ea2/sentry_sdk/integrations/flask.py#L65

So the integration already does app.wsgi_app = ..., but the middlewares run in the wrong order (ProxyMiddleware runs after SentryMiddleware, so Sentry sees the wrong IP)

I will fix this bug shortly, @NullYing just gave me an idea on how to solve this elegantly

We are using the latest sentry-python version but still having this issue.
We are using Flask==1.0.3 with the FlaskIntegration and verified that the headers are being correctly received by our endpoints via request.headers.get('X-Forwarded-For') and request.environ.get('HTTP_X_FORWARDED_FOR').

Any chance something else is filtering the information internally? In the sentry error report (see below) the X-Forwarded-For and the X-Real-Ip are shown empty (I assume because of pii, but we checked that the endpoints do get the correct information via logging)

image

I've an issue like @jbarreneche
No solution right?

please refer to https://docs.sentry.io/platforms/python/data-management/sensitive-data/

You may have some options in Security & Privacy in your project or organization settings that strip out IP addresses

likewise you may not have send_default_pii=True set

please check both places because we're not sending IP addresses by default for security/compliance reasons. you need to opt into sending IP addresses

@untitaker thx for fast reply
but

please refer to https://docs.sentry.io/data-management/sensitive-data/
refers to 404

I've updated the link, thanks

Was this page helpful?
0 / 5 - 0 ratings