getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

Servers with certain ip addresses are getting 403 forbidden #74706

Closed LowArmour closed 2 months ago

LowArmour commented 2 months ago

CLI Version

2.32.2

Operating System and Architecture

Operating System Version

Fedora 38 (the server that gets 208), AlmaLinux 9 (the server that gets 403 forbidden)

Link to reproduction repository

No response

CLI Command

SENTRY_LOG_LEVEL=debug "/root/xxxxx/node_modules/@sentry/cli-linux-x64/bin/sentry-cli" "releases" "new" "60e801e2c6b94572b927a9048d45d8df" --project=xxxxx

Exact Reproduction Steps

The command that gives the error is: SENTRY_LOG_LEVEL=debug "/root/xxxxx/node_modules/@sentry/cli-linux-x64/bin/sentry-cli" "releases" "new" "60e801e2c6b94572b927a9048d45d8df" --project=xxxxx

This is actually a command from sentry-vite-plugin, which I extracted in order to isolate the error.

On one server, it gets 208 and succeeds; on the other (the production server), it gets 403 forbidden.

The .sentryclirc file is the same.

Expected Results

I expect both commands to work in both environments. This command is part of the build procedure under sentry-vite-plugin and because I get 403 forbidden on my production server, my production server is currently down :(.

Actual Results

error: API request failed caused by: sentry reported an error: unknown error (http status: 403)

Logs

BELOW THE SERVER THAT GIVES 403 FORBIDDEN:

SENTRY_LOG_LEVEL=debug "/root/xxxxxxx/node_modules/@sentry/cli-linux-x64/bin/sentry-cli" "releases" "new" "60e801e2c6b94572b927a9048d45d8df" --project=xxxxx
  INFO    2024-07-21 22:14:16.736636500 +00:00 Loaded config from /root/xxxxxx/.sentryclirc
  DEBUG   2024-07-21 22:14:16.736691023 +00:00 sentry-cli version: 2.32.2, platform: "linux", architecture: "x86_64"
  INFO    2024-07-21 22:14:16.736712633 +00:00 sentry-cli was invoked with the following command line: "/root/xxxxx/node_modules/@sentry/cli-linux-x64/bin/sentry-cli" "releases" "new" "60e801e2c6b94572b927a9048d45d8df" "--project=xxxxxxxx"
  DEBUG   2024-07-21 22:14:16.737393555 +00:00 request POST https://sentry.io/api/0/projects/pilum-tech-srl/xxxxxxx/releases/
  DEBUG   2024-07-21 22:14:16.737439633 +00:00 using token authentication
  DEBUG   2024-07-21 22:14:16.737462134 +00:00 json body: {"version":"60e801e2c6b94572b927a9048d45d8df","projects":["xxxxx"],"dateStarted":"2024-07-21T22:14:16.737353520Z"}
  DEBUG   2024-07-21 22:14:16.737487923 +00:00 retry number 0, max retries: 0
  DEBUG   2024-07-21 22:14:16.803713075 +00:00 > POST /api/0/projects/pilum-tech-srl/xxxxxx/releases/ HTTP/1.1
  DEBUG   2024-07-21 22:14:16.803738673 +00:00 > Host: sentry.io
  DEBUG   2024-07-21 22:14:16.803746819 +00:00 > Accept: */*
  DEBUG   2024-07-21 22:14:16.803763090 +00:00 > Connection: TE
  DEBUG   2024-07-21 22:14:16.803774872 +00:00 > TE: gzip
  DEBUG   2024-07-21 22:14:16.803786774 +00:00 > User-Agent: sentry-cli/2.32.2
  DEBUG   2024-07-21 22:14:16.804372607 +00:00 > Authorization: Bearer sntrys_e***
  DEBUG   2024-07-21 22:14:16.804392464 +00:00 > Content-Type: application/json
  DEBUG   2024-07-21 22:14:16.804399798 +00:00 > Content-Length: 125
  DEBUG   2024-07-21 22:14:16.925386192 +00:00 < HTTP/1.1 403 Forbidden
  DEBUG   2024-07-21 22:14:16.925444323 +00:00 < Content-Type: text/html; charset=UTF-8
  DEBUG   2024-07-21 22:14:16.925467506 +00:00 < Referrer-Policy: no-referrer
  DEBUG   2024-07-21 22:14:16.925483276 +00:00 < Content-Length: 351
  DEBUG   2024-07-21 22:14:16.925500217 +00:00 < strict-transport-security: max-age=31536000; includeSubDomains; preload
  DEBUG   2024-07-21 22:14:16.925515526 +00:00 < Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  DEBUG   2024-07-21 22:14:16.925535283 +00:00 < Connection: close
  DEBUG   2024-07-21 22:14:16.926687303 +00:00 response status: 403
  DEBUG   2024-07-21 22:14:16.926710356 +00:00 body:
<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>403 Forbidden</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Forbidden</h1>
<h2>Your client does not have permission to get URL <code>/api/0/projects/pilum-tech-srl/xxxxxxx/releases/</code> from this server.</h2>
<h2></h2>
</body></html>
error: API request failed
  caused by: sentry reported an error: unknown error (http status: 403)
  INFO    2024-07-21 22:14:16.926908560 +00:00 Running update nagger update check
  DEBUG   2024-07-21 22:14:16.926941731 +00:00 request GET https://release-registry.services.sentry.io/apps/sentry-cli/latest
  DEBUG   2024-07-21 22:14:16.926964093 +00:00 retry number 0, max retries: 0
  DEBUG   2024-07-21 22:14:16.944554194 +00:00 > GET /apps/sentry-cli/latest HTTP/1.1
  DEBUG   2024-07-21 22:14:16.944572688 +00:00 > Host: release-registry.services.sentry.io
  DEBUG   2024-07-21 22:14:16.944588859 +00:00 > Accept: */*
  DEBUG   2024-07-21 22:14:16.944605320 +00:00 > Connection: TE
  DEBUG   2024-07-21 22:14:16.944617383 +00:00 > TE: gzip
  DEBUG   2024-07-21 22:14:16.944629535 +00:00 > User-Agent: sentry-cli/2.32.2
  DEBUG   2024-07-21 22:14:17.048020435 +00:00 < HTTP/1.1 403 Forbidden
  DEBUG   2024-07-21 22:14:17.048066712 +00:00 < Content-Type: text/html; charset=UTF-8
  DEBUG   2024-07-21 22:14:17.048087972 +00:00 < Referrer-Policy: no-referrer
  DEBUG   2024-07-21 22:14:17.048108300 +00:00 < Content-Length: 317
  DEBUG   2024-07-21 22:14:17.048123138 +00:00 < Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  DEBUG   2024-07-21 22:14:17.048172692 +00:00 response status: 403
  INFO    2024-07-21 22:14:17.048196957 +00:00 Looking for file named: sentry-cli-Linux-x86_64
  INFO    2024-07-21 22:14:17.048209331 +00:00 Release registry returned 403

BELOW THE SERVER THAT SUCCEEDS WITH STATUS 208

SENTRY_LOG_LEVEL=debug "/root/xxxxxx/node_modules/@sentry/cli-linux-x64/bin/sentry-cli" "releases" "new" "60e801e2c6b94572b927a9048d45d8df" --project=xxxxx
  INFO    2024-07-21 22:13:44.621123885 +00:00 Loaded config from /root/xxxxxx/.sentryclirc
  DEBUG   2024-07-21 22:13:44.621212619 +00:00 sentry-cli version: 2.32.2, platform: "linux", architecture: "x86_64"
  INFO    2024-07-21 22:13:44.621255353 +00:00 sentry-cli was invoked with the following command line: "/root/xxxxx/node_modules/@sentry/cli-linux-x64/bin/sentry-cli" "releases" "new" "60e801e2c6b94572b927a9048d45d8df" "--project=xxxxxx"
  DEBUG   2024-07-21 22:13:44.622289934 +00:00 request POST https://sentry.io/api/0/projects/pilum-tech-srl/xxxxxx/releases/
  DEBUG   2024-07-21 22:13:44.622331586 +00:00 using token authentication
  DEBUG   2024-07-21 22:13:44.622383004 +00:00 json body: {"version":"60e801e2c6b94572b927a9048d45d8df","projects":["xxxxx"],"dateStarted":"2024-07-21T22:13:44.622250294Z"}
  DEBUG   2024-07-21 22:13:44.622412137 +00:00 retry number 0, max retries: 0
  DEBUG   2024-07-21 22:13:44.665231338 +00:00 > POST /api/0/projects/pilum-tech-srl/xxxxxx/releases/ HTTP/1.1
  DEBUG   2024-07-21 22:13:44.665278038 +00:00 > Host: sentry.io
  DEBUG   2024-07-21 22:13:44.665290817 +00:00 > Accept: */*
  DEBUG   2024-07-21 22:13:44.665317477 +00:00 > Connection: TE
  DEBUG   2024-07-21 22:13:44.665333421 +00:00 > TE: gzip
  DEBUG   2024-07-21 22:13:44.665349675 +00:00 > User-Agent: sentry-cli/2.32.2
  DEBUG   2024-07-21 22:13:44.666393751 +00:00 > Authorization: Bearer sntrys_e***
  DEBUG   2024-07-21 22:13:44.666423175 +00:00 > Content-Type: application/json
  DEBUG   2024-07-21 22:13:44.666440541 +00:00 > Content-Length: 125
  DEBUG   2024-07-21 22:13:45.326420247 +00:00 < HTTP/1.1 208 unknown
  DEBUG   2024-07-21 22:13:45.326482791 +00:00 < server: nginx
  DEBUG   2024-07-21 22:13:45.326547859 +00:00 < date: Sun, 21 Jul 2024 22:13:45 GMT
  DEBUG   2024-07-21 22:13:45.326571345 +00:00 < content-type: application/json
  DEBUG   2024-07-21 22:13:45.326592336 +00:00 < allow: GET, POST, HEAD, OPTIONS
  DEBUG   2024-07-21 22:13:45.326618686 +00:00 < access-control-allow-methods: GET, POST, HEAD, OPTIONS
  DEBUG   2024-07-21 22:13:45.326653909 +00:00 < access-control-allow-headers: X-Sentry-Auth, X-Requested-With, Origin, Accept, Content-Type, Authentication, Authorization, Content-Encoding, sentry-trace, baggage, X-CSRFToken
  DEBUG   2024-07-21 22:13:45.326675351 +00:00 < access-control-expose-headers: X-Sentry-Error, X-Sentry-Direct-Hit, X-Hits, X-Max-Hits, Endpoint, Retry-After, Link
  DEBUG   2024-07-21 22:13:45.326688200 +00:00 < access-control-allow-origin: *
  DEBUG   2024-07-21 22:13:45.326710023 +00:00 < x-sentry-rate-limit-remaining: 39
  DEBUG   2024-07-21 22:13:45.326736512 +00:00 < x-sentry-rate-limit-limit: 40
  DEBUG   2024-07-21 22:13:45.326768570 +00:00 < x-sentry-rate-limit-reset: 1721600025
  DEBUG   2024-07-21 22:13:45.326787289 +00:00 < x-sentry-rate-limit-concurrentremaining: 24
  DEBUG   2024-07-21 22:13:45.326807760 +00:00 < x-sentry-rate-limit-concurrentlimit: 25
  DEBUG   2024-07-21 22:13:45.326834300 +00:00 < vary: Accept-Language, Cookie
  DEBUG   2024-07-21 22:13:45.326854279 +00:00 < content-language: en
  DEBUG   2024-07-21 22:13:45.326881950 +00:00 < x-frame-options: deny
  DEBUG   2024-07-21 22:13:45.326904243 +00:00 < x-content-type-options: nosniff
  DEBUG   2024-07-21 22:13:45.326923062 +00:00 < x-xss-protection: 1; mode=block
  DEBUG   2024-07-21 22:13:45.326939286 +00:00 < content-security-policy: frame-ancestors 'self' *.sentry.io; default-src 'none'; base-uri 'none'; img-src * blob: data:; media-src *; connect-src 'self' *.algolia.net *.algolianet.com *.algolia.io sentry.io *.sentry.io s1.sentry-cdn.com o1.ingest.sentry.io api2.amplitude.com app.pendo.io data.pendo.io reload.getsentry.net t687h3m0nh65.statuspage.io sentry.zendesk.com ekr.zdassets.com maps.googleapis.com; worker-src blob:; frame-src app.pendo.io demo.arcade.software js.stripe.com sentry.io; script-src 'self' 'unsafe-inline' 'report-sample' s1.sentry-cdn.com js.sentry-cdn.com browser.sentry-cdn.com statuspage-production.s3.amazonaws.com static.zdassets.com aui-cdn.atlassian.com connect-cdn.atl-paas.net js.stripe.com 'strict-dynamic' cdn.pendo.io data.pendo.io pendo-io-static.storage.googleapis.com pendo-static-5634074999128064.storage.googleapis.com; style-src * 'unsafe-inline'; object-src 'none'; font-src * data:; report-uri https://o1.ingest.sentry.io/api/54785/security/?sentry_key=xxxxxx
  DEBUG   2024-07-21 22:13:45.327007718 +00:00 < x-envoy-attempt-count: 1
  DEBUG   2024-07-21 22:13:45.327020678 +00:00 < x-envoy-upstream-service-time: 540
  DEBUG   2024-07-21 22:13:45.327052476 +00:00 < x-served-by: getsentry-web-rpc-production-5cc885c794-dccth
  DEBUG   2024-07-21 22:13:45.327082641 +00:00 < x-sentry-proxy-url: http://sentry-rpc-de.psc.control.sentry.internal:8999/api/0/projects/pilum-tech-srl/xxxxxxx/releases/
  DEBUG   2024-07-21 22:13:45.327114078 +00:00 < x-served-by: getsentry-control-web-default-common-production-69b5bf749-fpj8n
  DEBUG   2024-07-21 22:13:45.327134258 +00:00 < x-served-by: frontend-default-7db46fd9f5-rf7lc
  DEBUG   2024-07-21 22:13:45.327154268 +00:00 < strict-transport-security: max-age=31536000; includeSubDomains; preload
  DEBUG   2024-07-21 22:13:45.327177814 +00:00 < via: 1.1 google
  DEBUG   2024-07-21 22:13:45.327197894 +00:00 < Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
  DEBUG   2024-07-21 22:13:45.327234930 +00:00 < Transfer-Encoding: chunked
  DEBUG   2024-07-21 22:13:45.327373958 +00:00 response status: 208
  DEBUG   2024-07-21 22:13:45.327402751 +00:00 body: {"id":1312807,"version":"60e801e2c6b94572b927a9048d45d8df","status":"open","shortVersion":"60e801e2c6b94572b927a9048d45d8df","versionInfo":{"package":null,"version":{"raw":"60e801e2c6b94572b927a9048d45d8df"},"description":"60e801e2c6b9","buildHash":"60e801e2c6b94572b927a9048d45d8df"},"ref":null,"url":null,"dateReleased":null,"dateCreated":"2024-07-21T22:12:47.961543Z","data":{},"newGroups":0,"owner":null,"commitCount":0,"lastCommit":null,"deployCount":0,"lastDeploy":null,"authors":[],"projects":[{"id":4507641650610256,"slug":"xxxxx","name":"xxxxxx","newGroups":0,"platform":"javascript-sveltekit","platforms":[],"hasHealthData":false}],"firstEvent":null,"lastEvent":null,"currentProjectMeta":{},"userAgent":"sentry-cli/2.32.2"}
Created release 60e801e2c6b94572b927a9048d45d8df
  INFO    2024-07-21 22:13:45.327686497 +00:00 Skipping update nagger update check

szokeasaurusrex commented 2 months ago

Hi @LowArmour, seems very strange. When did this problem start? Have you ever been able to run this command successfully on the server where you are currently getting the 403?

LowArmour commented 2 months ago

I did further digging, and found out the bug only applies to AlmaLinux 9 OS.

I have spun up 3 new servers: one Fedora 40 (brand new), one AlmaLinux 9 (brand new), one CentOS Stream 9 (brand new).

Steps to reproduce:

  1. Spin an AlmaLinux 9 server.
  2. dnf update
  3. install nvm: "curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash"
  4. source ~/.bashrc
  5. test nvm runs: "command -v nvm"
  6. dnf install tar
  7. install node lts: "nvm install --lts"
  8. update npm: "npm i -g npm"
  9. mkdir test-node
  10. cd test-node/
  11. initialize package.json: "npm init -y"
  12. install sentry-cli: "npm install @sentry/cli"
  13. echo " [auth] token=sntrys_xxxxxxxx" > .sentryclirc
  14. SENTRY_LOG_LEVEL=debug "/root/test-node/node_modules/@sentry/cli-linux-x64/bin/sentry-cli" "releases" "new" "60e801e2c6b94572b927a9048d45d8df" --project=xxxxxxx

BANG, you get your 403 forbidden error.

As you can conclude from above, the other servers (Fedora and CentOS Stream 9) get a clean status 200 OK.

I wanted to also try Rocky Linux. Let me know if you would like that.

AlmaLinux 9 is important because it's one of the popular alternatives to CentOS, being a spiritual successor to the latter.

szokeasaurusrex commented 2 months ago

Hi @LowArmour, thank you for the additional details. Just to confirm, have you ever been able to successfully run this command with AlmaLinux 9, or has this always been broken? Do you get an error when running every Sentry CLI command that performs HTTP requests to Sentry, or are there any that succeed? Another command you could try is sentry-cli info.

This issue looks a bit to me like the Sentry server might be denying the API request for whatever reason. Would you be able to try manually sending a request to Sentry using curl from the AlmaLinux server? If that also fails, then that would indicate a problem in the server, rather than Sentry CLI.

LowArmour commented 2 months ago

I have never been able to run the command successfully on AlmaLinux 9.

As an update, I spun up another CentOS server, but with the same IP as the old AlmaLinux 9 and now I get the same error on CentOS. I only installed nvm and node.

I tried sentry-cli info and it also gives 403 forbidden. On the other test servers it works.

I tried manually sending a request to Sentry via curl. I get the same 403 forbidden.

What I suspect is that there might be some IP-related issue? Some of them work, some might be banned by Sentry? I am getting the servers from Hetzner (Nuremberg, Germany and US East datacenters).

LowArmour commented 2 months ago

Update: it definitely seems IP related.

I have just changed the IPs on the servers that got 403 forbidden, until I got 200 OK.

Most probably Sentry banned a lot of IPs owned by the Hetzner provider?

What is curious is that I kept just changing IPs and half of them work, half of them are getting 403 forbidden.

I don't think it is sentry-cli related, but can you redirect this issue to the appropriate GitHub issues page?

szokeasaurusrex commented 2 months ago

@LowArmour Thanks for the information. In that case, I am going to transfer this to the getsentry/sentry repo; hopefully someone there can help or redirect to the appropriate place!

getsantry[bot] commented 2 months ago

Assigning to @getsentry/support for routing ⏲️

szokeasaurusrex commented 2 months ago

Hey @LowArmour, I discussed this issue with our security team, and according to them, the most likely explanation for why you are getting 403 errors is that your IP might be being blocked by Google (Sentry is hosted on GCP). They said this unfortunately is somewhat common with Hetzner IP addresses, since they often end up on IP address denylists.

If your IP address is being blocked by Google, there is not really anything we can do to help you here. We would suggest requesting a different IP address from Hetzner or switching to a different hosting provider if the problem persists.

If you would like to share your IP address (the one receiving 403 errors) with us, we can search our server logs to see if we have received any requests from the IP. If your IP shows up in our logs, then we might be able to make some changes to allow your IP; otherwise, if we don't see your IP, that would mean that Google is blocking it before your request reaches our infrastructure. If you are uncomfortable posting your IP publicly, you can email it to me at [redacted].
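
Added example, not part of the original thread and not Sentry's own tooling: a small parser for `sentry-cli` debug output that guesses whether a 403 was produced before the request reached Sentry's backend, using the header differences visible in the two logs above. The marker list and the `edge-block` / `application` labels are assumptions drawn from this issue's logs, not a documented contract.

```python
import re

# Matches sentry-cli debug lines: "DEBUG <date> <time> <tz> <|> <text>"
LINE = re.compile(r"^\s*DEBUG\s+\S+\s+\S+\s+\S+\s+([<>]) (.*)$")
STATUS = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})\b")

# Header prefixes seen only on the response that reached Sentry's backend in
# this issue. Heuristic drawn from these two logs, not a documented contract.
APP_MARKERS = ("x-sentry-", "x-envoy-", "x-served-by")


def parse_responses(log_text):
    """Return one {'status': int, 'headers': {name: value}} per response."""
    responses = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(1) != "<":
            continue  # skip request lines, INFO lines and response bodies
        text = m.group(2)
        s = STATUS.match(text)
        if s:
            responses.append({"status": int(s.group(1)), "headers": {}})
        elif responses and ":" in text:
            name, value = text.split(":", 1)
            responses[-1]["headers"][name.strip().lower()] = value.strip()
    return responses


def classify(resp):
    """Guess which layer produced the response."""
    h = resp["headers"]
    if any(name.startswith(APP_MARKERS) for name in h):
        return "application"  # backend headers present: request got through
    if resp["status"] == 403 and h.get("content-type", "").startswith("text/html"):
        return "edge-block"  # bare HTML 403 with no backend headers
    return "unknown"


# Constructed samples, abbreviated from the two logs in this issue.
SAMPLE_BLOCKED = """\
  DEBUG   2024-07-21 22:14:16.803738673 +00:00 > Host: sentry.io
  DEBUG   2024-07-21 22:14:16.925386192 +00:00 < HTTP/1.1 403 Forbidden
  DEBUG   2024-07-21 22:14:16.925444323 +00:00 < Content-Type: text/html; charset=UTF-8
"""
SAMPLE_OK = """\
  DEBUG   2024-07-21 22:13:45.326420247 +00:00 < HTTP/1.1 208 unknown
  DEBUG   2024-07-21 22:13:45.326571345 +00:00 < content-type: application/json
  DEBUG   2024-07-21 22:13:45.326710023 +00:00 < x-sentry-rate-limit-remaining: 39
"""

if __name__ == "__main__":
    for label, log in (("blocked", SAMPLE_BLOCKED), ("ok", SAMPLE_OK)):
        for r in parse_responses(log):
            print(label, r["status"], classify(r))
```

An `edge-block` result is a reason to check the host's source IP reputation rather than the auth token or `.sentryclirc`.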

LowArmour commented 2 months ago

Hey, thank you for your answer. It is insightful and really helpful.

I have changed the IP of my production server until I got a good one, as I could not afford longer downtimes.

Thank you so much for your help!

IanWoodard commented 2 months ago

Glad you got this resolved, closing