getsentry / sentry-javascript

Official Sentry SDKs for JavaScript
https://sentry.io
MIT License

@sentry/node doesn't respect NO_PROXY environment variable #3122

Closed grahamb closed 3 years ago

grahamb commented 3 years ago

Package + Version

Version:

@sentry/node 5.29.0

Description

It appears that @sentry/node doesn't respect the NO_PROXY or no_proxy environment variables. I'm running on a server that requires an HTTP proxy to get out to the internet, but does not require the proxy to talk to "internal" servers, such as our on-premise Sentry. When I try to log an error from within my app with debug: true set in my Sentry init, Sentry logs:

Sentry Logger [Error]: Error while sending event: Error: self signed certificate in certificate chain

The certificate chain for our on-premise Sentry is valid and does not include any self-signed certificates.

$ openssl s_client -connect sentry.its.sfu.ca:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = CA, ST = British Columbia, L = Burnaby, O = Simon Fraser University, OU = IT Services, CN = *.its.sfu.ca
verify return:1
---
Certificate chain
 0 s:/C=CA/ST=British Columbia/L=Burnaby/O=Simon Fraser University/OU=IT Services/CN=*.its.sfu.ca
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

However, our proxy does. I have NO_PROXY set to properly ignore our internal domain, but it doesn't appear that whatever HTTP agent Sentry is using is respecting it. If I unset NO_PROXY and try to curl my Sentry, I get the same error from our proxy, as expected.

$ unset NO_PROXY
$ curl https://sentry.its.sfu.ca
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.

Ignoring the cert error isn't an option as our proxy doesn't allow connections to internal hosts through it.

My app is running in Docker, which passes through environment variables from the host including those for proxies. I've resorted to setting these values to blank strings in my docker-compose.yml file in development, but this isn't a proper solution.

I think this can be fixed here: https://github.com/getsentry/sentry-javascript/blob/master/packages/node/src/transports/https.ts#L12; proxy should be false if there is a no_proxy variable (or noProxy option set) and the DSN is covered by an entry in that variable.
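
The rule proposed in the issue above (connect directly when the DSN host is covered by a no_proxy entry), as an added example that is not part of the original issue and is not the Sentry SDK's code. The function names and the curl-style matching rules are assumptions, since NO_PROXY has no formal specification and tools differ on the details.

```javascript
// Added example: NO_PROXY matching for a Sentry DSN host. Not SDK code.
// Matching follows the common curl-style convention (an assumption;
// NO_PROXY has no formal specification). IPv6 literals are not handled.

function parseNoProxy(value) {
  return (value || '')
    .split(',')
    .map((entry) => entry.trim().toLowerCase())
    .filter(Boolean);
}

function hostMatchesEntry(hostname, port, entry) {
  if (entry === '*') return true; // wildcard: never use the proxy

  // An optional ":port" suffix restricts the entry to that port.
  let entryHost = entry;
  const colon = entry.lastIndexOf(':');
  if (colon > -1 && /^\d+$/.test(entry.slice(colon + 1))) {
    if (entry.slice(colon + 1) !== port) return false;
    entryHost = entry.slice(0, colon);
  }

  // ".example.com" and "*.example.com" are treated like "example.com".
  entryHost = entryHost.replace(/^\*?\./, '');
  if (!entryHost) return false;

  // Match the host itself or any subdomain, on a label boundary only,
  // so an entry "sfu.ca" does not cover "notsfu.ca".
  return hostname === entryHost || hostname.endsWith('.' + entryHost);
}

function shouldBypassProxy(dsn, noProxy) {
  const url = new URL(dsn);
  const port = url.port || (url.protocol === 'https:' ? '443' : '80');
  const hostname = url.hostname.toLowerCase();
  return parseNoProxy(noProxy).some((e) => hostMatchesEntry(hostname, port, e));
}

// Returns the proxy URL to use for this DSN, or false to connect directly.
function resolveProxy(dsn, env) {
  const noProxy = env.NO_PROXY || env.no_proxy;
  if (shouldBypassProxy(dsn, noProxy)) return false;
  const isHttps = new URL(dsn).protocol === 'https:';
  const proxy = isHttps
    ? env.HTTPS_PROXY || env.https_proxy || env.HTTP_PROXY || env.http_proxy
    : env.HTTP_PROXY || env.http_proxy;
  return proxy || false;
}
```

Matching on a label boundary matters here: a plain suffix comparison would let an unrelated external host that merely ends in the same characters skip the proxy and its egress controls.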

grahamb commented 3 years ago

Any updates on this?