
All calls to /envelope blocked by CSRF #598

Closed
walkerdb opened this issue Jul 15, 2020 · 8 comments
walkerdb commented Jul 15, 2020

versions involved:

  • sentry onpremise 20.7.0 (45e45d1), deployed in a k8s cluster. We've configured it to include the performance tab, by turning on organizations:performance-view
  • frontend: @sentry/react and @sentry/apm, both at 5.19.1

From the browser, requests to api/[project-id]/store for js errors work fine. However, perf tracing requests to api/[project-id]/envelope fail with a 403. The 403 response has some html about a CSRF token not being set:

[Screenshot: the 403 response body, HTML stating that the CSRF token was not set]

From the outside it seems like the request validation path for the two endpoints is different. Is there additional config we need to set on our end for this to work, or is the issue somewhere else? Is the JS lib supposed to have some communication from the backend to get a CSRF token before sending the /envelope requests?

our browser config:

```js
import * as Sentry from '@sentry/react';
import { Integrations } from '@sentry/apm';

Sentry.init({
  dsn: 'https://[id]@[host]/[project-number]',
  release: 'some-git-hash',
  environment: 'sandbox',
  integrations: [
    new Integrations.Tracing(),
  ],
  tracesSampleRate: 1.0, // for testing, will turn down before going live
});
```

walkerdb commented Jul 15, 2020

Wondering if the server nginx directive needs an entry for /envelope: https://github.com/getsentry/onpremise/blob/master/nginx/nginx.conf#L60

edit: nvm; should be caught by the `location ~ ^/api/[1-9]\d*/` line

@walkerdb

update: this may be unrelated to onpremise, but instead some k8s ingress config. Feel free to ignore for now; will post back here after we've done some investigation on our end.


BYK commented Jul 17, 2020

I was able to use performance with the current on-premise setup so I think this is related to your k8s setup as you mentioned.

Closing for now but I'll reopen if it turns out there's something we need to fix.

@BYK BYK closed this as completed Jul 17, 2020
@chhetripradeep

@walkerdb I am seeing the same issue while trying to upgrade to the latest release

```
03:46:10 [WARNING] django.security.csrf: Forbidden (Referer checking failed - no Referer.): /api/7/store/ (status_code=403 request=<WSGIRequest: POST u'/api/7/store/'>)
```

Can you share what config change helped you in fixing the issue?

Thank you.
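A small diagnostic, added here and not part of this thread or of the Sentry project: it parses `django.security.csrf` warnings in the format quoted above and counts the 403s per SDK ingestion endpoint (`store` / `envelope`), which tells you whether SDK traffic is reaching Django's CSRF middleware directly rather than being handled by Relay. All log lines other than the one from the comment are constructed samples.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the single django.security.csrf line
# quoted in this thread; the other lines are made up for the demonstration.
SAMPLE_LOG = """\
03:46:10 [WARNING] django.security.csrf: Forbidden (Referer checking failed - no Referer.): /api/7/store/ (status_code=403 request=<WSGIRequest: POST u'/api/7/store/'>)
03:46:12 [WARNING] django.security.csrf: Forbidden (CSRF token missing or incorrect.): /api/7/envelope/ (status_code=403 request=<WSGIRequest: POST u'/api/7/envelope/'>)
03:46:13 [INFO] django.request: unrelated line that must be ignored
03:46:15 [WARNING] django.security.csrf: Forbidden (Referer checking failed - no Referer.): /api/7/envelope/ (status_code=403 request=<WSGIRequest: POST u'/api/7/envelope/'>)
"""

# Matches the "Forbidden (<reason>): <path> (status_code=<n>" part of the line.
CSRF_LINE = re.compile(
    r"django\.security\.csrf: Forbidden \((?P<reason>[^)]*)\): "
    r"(?P<path>\S+) \(status_code=(?P<status>\d+)"
)
# SDK ingestion endpoints, same shape as the nginx location the thread refers to.
INGEST_PATH = re.compile(r"^/api/[1-9]\d*/(store|envelope)/$")


def parse_csrf_rejections(text):
    """Return (path, reason, status) for every Django CSRF rejection line."""
    out = []
    for line in text.splitlines():
        m = CSRF_LINE.search(line)
        if m:
            out.append((m.group("path"), m.group("reason"), int(m.group("status"))))
    return out


def ingest_endpoints_hitting_csrf(text):
    """Count 403 CSRF rejections per ingestion endpoint ('store' / 'envelope').

    A non-zero count means SDK POSTs are being validated by Django's CSRF
    middleware, i.e. they are not being terminated by Relay in front of it.
    """
    counts = Counter()
    for path, _reason, status in parse_csrf_rejections(text):
        m = INGEST_PATH.match(path)
        if m and status == 403:
            counts[m.group(1)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(ingest_endpoints_hitting_csrf(SAMPLE_LOG))
```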


walkerdb commented Jul 29, 2020

@chhetripradeep we're using sentry-kubernetes helm charts for deploying, and we believe we ran into this issue because they don't yet have relay support. There's a PR in the works that we think will fix our issue here: sentry-kubernetes/charts#130

If you're not using those then you may need to manually make sure you have relay running and configured correctly. But generally at least for us it's unrelated to this on-premise repo.

@chhetripradeep

Hi @walkerdb thank you for your quick response. We have our own internal helm chart which doesn't use relay. Is relay a mandatory component now? My understanding was that it was an optional component.


walkerdb commented Jul 29, 2020

@chhetripradeep My understanding is that as of sentry v20.7 some details of how sentry manages CSRF changed internally. It works correctly when using relay, but if you're using something like a k8s nginx ingress point you may be able to get it working with the right config tweaking. Not sure what that would need to be.

@chhetripradeep

Thank you so much @walkerdb for the quick responses. I came across this issue #590 and it looks like relay is a mandatory thing from 20.7. Thank you again for your help.

@github-actions github-actions bot locked and limited conversation to collaborators Dec 14, 2020