It appears that @sentry/node doesn't respect the NO_PROXY or no_proxy environment variables. I'm running on a server that requires an HTTP proxy to get out to the internet, but does not require the proxy to talk to "internal" servers, such as our on-premise Sentry. When I try to log an error from within my app with debug: true set in my Sentry init, Sentry logs:
Sentry Logger [Error]: Error while sending event: Error: self signed certificate in certificate chain
The certificate chain for our on-premise Sentry is valid and does not include any self-signed certificates.
$ openssl s_client -connect sentry.its.sfu.ca:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = CA, ST = British Columbia, L = Burnaby, O = Simon Fraser University, OU = IT Services, CN = *.its.sfu.ca
verify return:1
---
Certificate chain
0 s:/C=CA/ST=British Columbia/L=Burnaby/O=Simon Fraser University/OU=IT Services/CN=*.its.sfu.ca
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
However, our proxy does. I have NO_PROXY set to properly ignore our internal domain, but it doesn't appear that whatever HTTP agent Sentry is using is respecting it. If I unset NO_PROXY and try to curl my Sentry, I get the same error from our proxy, as expected.
$ unset NO_PROXY
$ curl https://sentry.its.sfu.ca
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
Ignoring the cert error isn't an option as our proxy doesn't allow connections to internal hosts through it.
My app is running in Docker, which passes through environment variables from the host including those for proxies. I've resorted to setting these values to blank strings in my docker-compose.yml file in development, but this isn't a proper solution.
I think this can be fixed here: https://github.com/getsentry/sentry-javascript/blob/master/packages/node/src/transports/https.ts#L12; proxy should be false if there is a no_proxy variable (or noProxy option set) and the DSN is covered by an entry in that variable.
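The check proposed above, as an added example that is not part of the original issue and is not Sentry's code: `parseNoProxy`, `shouldBypassProxy` and `resolveProxy` are hypothetical helpers, and the DSN key and proxy URL are constructed. Matching entries as domain suffixes on a label boundary is an assumption, since tools differ in how they interpret NO_PROXY entries.

```javascript
// Added example: decide whether a DSN host is exempt from the proxy.
// All function names here are hypothetical, not part of @sentry/node.

// Split a NO_PROXY value into normalized { host, port } entries.
function parseNoProxy(value) {
  return (value || '')
    .split(/[\s,]+/)
    .filter(Boolean)
    .map((entry) => {
      // Separate an optional ":port" suffix (IPv6 literals are out of scope).
      const m = entry.toLowerCase().match(/^(.*?)(?::(\d+))?$/);
      // ".sfu.ca" and "*.sfu.ca" both mean "sfu.ca and its subdomains".
      return { host: m[1].replace(/^\*?\./, ''), port: m[2] || null };
    });
}

// True when the DSN's host (and port, if the entry names one) is covered.
function shouldBypassProxy(dsn, env = process.env) {
  const url = new URL(dsn);
  const host = url.hostname.toLowerCase();
  const port = url.port || (url.protocol === 'https:' ? '443' : '80');
  return parseNoProxy(env.NO_PROXY || env.no_proxy).some((e) => {
    if (e.host === '*') return true;               // "*" exempts every host
    if (e.port && e.port !== port) return false;   // entry pinned to another port
    // Match on a label boundary so "evilsfu.ca" is not covered by "sfu.ca".
    return host === e.host || host.endsWith('.' + e.host);
  });
}

// Mirror the proposed fix: proxy is false when the DSN host is exempt.
function resolveProxy(dsn, env = process.env) {
  if (shouldBypassProxy(dsn, env)) return false;
  return env.https_proxy || env.HTTPS_PROXY ||
         env.http_proxy || env.HTTP_PROXY || false;
}

// Constructed sample input: hostname from the issue, key and proxy invented.
const sampleEnv = {
  NO_PROXY: '.sfu.ca,localhost',
  https_proxy: 'http://proxy.example.internal:3128',
};
console.log(resolveProxy('https://examplekey@sentry.its.sfu.ca/1', sampleEnv));
console.log(resolveProxy('https://examplekey@ingest.example.com/1', sampleEnv));
```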