getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

Expose api for public sdk with special key #20249

Closed mhf-ir closed 3 years ago

mhf-ir commented 4 years ago


Summary

Prevent DoS/DDoS for sentry using Cloudflare or any protector mechanism.

Motivation

Why should this be worked on? What problems or use cases does it solve or improve?

Security

Additional Context

We have Sentry and use nginx with client certificates for the non-browser SDKs like Node.js/PHP etc. Developers and applications use a special client certificate to authorize with nginx and send requests to the Sentry API. But how can I have a different URL for the browser version that does not require a client certificate, and put it on a different domain that only exposes a receiver for the public Sentry clients like browser/Android etc.?

This is the endpoint for applications in a trusted environment that want to send data to Sentry, directly to the server.

  server {
    listen 443 ssl;
    server_name private.mysentry.tld;

    # letsencrypt certificate
    ssl_certificate /etc/custom-cert/fullchain.pem;
    ssl_certificate_key /etc/custom-cert/privkey.pem;

    # CA that issued the client certificates; "optional" lets us answer 403
    # ourselves below instead of nginx returning 400
    ssl_client_certificate /etc/custom-cert/root.crt;
    ssl_verify_client optional;

    location / {
      # in case you need to block by client ip
      allow 192.168.1.0/24;
      deny  all;

      if ($ssl_client_verify != SUCCESS) {
        return 403;
      }

      proxy_set_header X-Sentry-Public-Mode "0";
      proxy_pass       http://sentry-upstream:80;
    }
  }

But we also have web applications whose SDK runs in the browser, and those clients could also be hackers.

  server {
    listen 443 ssl;
    server_name public.mysentry.tld;

    # letsencrypt certificate
    ssl_certificate /etc/letsencrypt/live/mysentry.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysentry.tld/privkey.pem;

    location / {
      # no client certificate here; mark the traffic as public for the upstream
      proxy_set_header X-Sentry-Public-Mode "1";
      proxy_pass       http://sentry-upstream:80;
    }
  }

How could we have this approach when the schema of the frontend and the backend are the same?

The backend/server Sentry API must listen when I tell it that a request is not public. The public endpoint is protected by Cloudflare, so even if a hacker tries to take Sentry down, the L3/L7 protection will hunt them down.
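An added illustration, not code from the issue or from the Sentry project, of the policy the two nginx vhosts above would hand to an upstream: the private vhost (client certificate verified by nginx) sets `X-Sentry-Public-Mode: 0`, the public vhost sets `1`, and a small gateway in front of Sentry fails closed, accepts only an allowlisted set of browser DSN keys on the public side, and rate limits per key. The ingest path `/api/<project_id>/store/` and the `sentry_key` carried in `X-Sentry-Auth` or `?sentry_key=` are how Sentry SDKs really send events; the allowlist, the `IngestPolicy` class, the token bucket parameters and the sample keys are assumptions constructed for this example.

```python
"""Gateway policy for a split Sentry ingest (hypothetical example).

Private vhost: nginx has already verified the client certificate and sets
X-Sentry-Public-Mode: 0. Public vhost (behind Cloudflare): header is "1".
The upstream must be reachable only through nginx, otherwise a client could
set the header itself.
"""
import re
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Sentry's store endpoint is /api/<project_id>/store/
STORE_PATH = re.compile(r"^/api/(?P<project>\d+)/store/?$")
# X-Sentry-Auth looks like: Sentry sentry_version=7, sentry_key=<hex>, ...
AUTH_KEY = re.compile(r"sentry_key=(?P<key>\w+)")

# Constructed allowlist: per project, the DSN public keys handed to browser
# apps. Keys given to servers (which arrive over mTLS) are deliberately absent.
PUBLIC_KEYS = {
    "2": {"browserkey0000000000000000000000"},
}


def extract_sentry_key(url: str, headers: Dict[str, str]) -> Optional[str]:
    """Return the DSN public key from X-Sentry-Auth or ?sentry_key=, else None."""
    m = AUTH_KEY.search(headers.get("X-Sentry-Auth", ""))
    if m:
        return m.group("key")
    vals = parse_qs(urlsplit(url).query).get("sentry_key")
    return vals[0] if vals else None


class TokenBucket:
    """Per-key token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens: Dict[str, float] = {}
        self.last: Dict[str, float] = {}

    def allow(self, key: str, now: float) -> bool:
        elapsed = now - self.last.get(key, now)
        tokens = min(self.burst, self.tokens.get(key, self.burst) + elapsed * self.rate)
        self.last[key] = now
        if tokens < 1:
            self.tokens[key] = tokens
            return False
        self.tokens[key] = tokens - 1
        return True


class IngestPolicy:
    """Decides (status, reason) for one proxied request; `now` is injected for testability."""

    def __init__(self, public_keys: Dict[str, set], rate: float = 1.0, burst: int = 3):
        self.public_keys = public_keys
        self.bucket = TokenBucket(rate, burst)

    def decide(self, url: str, headers: Dict[str, str], now: float) -> Tuple[int, str]:
        m = STORE_PATH.match(urlsplit(url).path)
        if not m:
            return 404, "not an ingest path"
        key = extract_sentry_key(url, headers)
        if key is None:
            return 401, "missing sentry_key"
        # Fail closed: only an explicit "0" from the proxy counts as private.
        if headers.get("X-Sentry-Public-Mode", "1") == "0":
            return 200, "private vhost (client certificate verified by nginx)"
        if key not in self.public_keys.get(m.group("project"), set()):
            return 403, "key not enabled for public ingest"
        if not self.bucket.allow(key, now):
            return 429, "rate limited"
        return 200, "public ingest accepted"


if __name__ == "__main__":
    policy = IngestPolicy(PUBLIC_KEYS, rate=1.0, burst=2)
    browser = "/api/2/store/?sentry_key=browserkey0000000000000000000000"
    for t in (0.0, 0.0, 0.0, 1.0):
        print(t, policy.decide(browser, {"X-Sentry-Public-Mode": "1"}, t))
    print(policy.decide("/api/2/store/?sentry_key=serverkey", {"X-Sentry-Public-Mode": "1"}, 5.0))
```

The server key is refused on the public side with 403 even though it is a valid project key, so leaking it into a browser bundle buys an attacker nothing there; the browser key can be rate limited or rotated without touching the mTLS path. The same split can be expressed as a Relay or nginx `limit_req` configuration; what matters for defence is that the public-mode marker is set by the proxy and never trusted from the client.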

BYK commented 3 years ago

I think our new product, Relay, can help you with this.

Closing as this is more of a forum question rather than a feature request or a bug report. Please use the forum in the future if you want to talk more on this.