
The URL for sending CSP reports doesn't work #613

Closed
niekberenschot opened this issue Aug 2, 2020 · 7 comments

Comments

@niekberenschot

niekberenschot commented Aug 2, 2020

When trying the DSN URL it will result in a 404 error:
Line from nginx log:
"POST /api/8/security/?sentry_key= HTTP/1.0" 404 22 "-"

All the other URLs, for example 'csp' instead of 'security', will result in a 403.
Line from web log:
[WARNING] django.security.csrf: Forbidden (CSRF cookie not set.): /api/8/csp/ (status_code=403 request=<WSGIRequest: POST u'/api/8/csp/?sentry_key='>)

I don't know why the CSP endpoint isn't found.
For the other URLs I think the expected status code should be a 404.

@BYK (Collaborator)

BYK commented Aug 3, 2020

You need to use Relay for these endpoints now. See #598 and #590.

BYK closed this as completed Aug 3, 2020
@niekberenschot (Author)

I'm using the relay. I just used the install.sh file and enabled SSL.

I get the following errors in the relay log:

2020-08-10T08:29:32Z [rdkafka::client] ERROR: librdkafka: Global error: BrokerTransportFailure (Local: Broker transport failure): kafka:9092/bootstrap: Connect to ipv4#172.18.0.10:9092 failed: Connection refused (after 25ms in state CONNECT)
2020-08-10T08:29:33Z [rdkafka::client] ERROR: librdkafka: Global error: AllBrokersDown (Local: All broker connections are down): 1/1 brokers are down
2020-08-10T08:29:33Z [rdkafka::client] ERROR: librdkafka: Global error: BrokerTransportFailure (Local: Broker transport failure): kafka:9092/bootstrap: Connect to ipv4#172.18.0.10:9092 failed: Connection refused (after 0ms in state CONNECT)
2020-08-10T08:29:33Z [rdkafka::client] ERROR: librdkafka: Global error: AllBrokersDown (Local: All broker connections are down): 1/1 brokers are down
2020-08-10T08:29:33Z [relay_server::actors::upstream] ERROR: authentication encountered error: could not send request to upstream
  caused by: Failed to connect to host: Failed resolving hostname: no record found for name: web.google.internal. type: AAAA class: IN
  caused by: Failed resolving hostname: no record found for name: web.google.internal. type: AAAA class: IN
  caused by: Failed resolving hostname: no record found for name: web.google.internal. type: AAAA class: IN
2020-08-10T08:29:33Z [relay_server::actors::upstream] ERROR: authentication encountered error: could not send request to upstream
  caused by: Failed to connect to host: Failed resolving hostname: no record found for name: web.google.internal. type: AAAA class: IN
  caused by: Failed resolving hostname: no record found for name: web.google.internal. type: AAAA class: IN
  caused by: Failed resolving hostname: no record found for name: web.google.internal. type: AAAA class: IN
2020-08-10T08:29:34Z [relay_server::actors::upstream] ERROR: authentication encountered error: could not send request to upstream
  caused by: Failed to connect to host: Failed resolving hostname: no record found for name: web.google.internal. type: AAAA class: IN
  caused by: Failed resolving hostname: no record found for name: web.google.internal. type: AAAA class: IN
  caused by: Failed resolving hostname: no record found for name: web.google.internal. type: AAAA class: IN
2020-08-10T08:29:38Z [relay_server::actors::upstream] ERROR: authentication encountered error: could not send request to upstream
  caused by: Timeout while waiting for response
2020-08-10T08:29:41Z [relay_server::actors::upstream] ERROR: authentication encountered error: could not send request to upstream
  caused by: Failed to connect to host: Connection refused (os error 111)
  caused by: Connection refused (os error 111)
  caused by: Connection refused (os error 111)
2020-08-10T08:29:44Z [relay_server::actors::upstream] ERROR: authentication encountered error: could not send request to upstream
  caused by: Failed to connect to host: Connection refused (os error 111)
  caused by: Connection refused (os error 111)
  caused by: Connection refused (os error 111)

@niekberenschot (Author)

Additionally, the minidump URL works...

@BYK (Collaborator)

BYK commented Aug 11, 2020

> I'm using the relay. I just used the install.sh file and enabled SSL.

The logs you shared suggest otherwise. The 404 and 403 errors and the UWSGIHandler suggest that those requests are going to sentry-web instead of relay. I'd check your Nginx config to make sure you have the correct routing (if you are using our repo without modification, this is done already).

Your relay logs suggest your relay instance cannot reach sentry-web or kafka. The kafka issue seems like a network routing issue but the sentry-web one seems like a DNS issue, at least to begin with.

@niekberenschot (Author)

Just tried a fresh install from master. The errors above only appear when installing for the first time. Everything seems to be running fine.

However, the security endpoint still results in a 404.

@BYK (Collaborator)

BYK commented Aug 17, 2020

> However, the security endpoint still results in a 404.

@niekberenschot - our friends (@jan-auer) from the Relay team just informed me that the URL should be /api/8/csp-report/?sentry_key=<redacted> not /api/8/security/.

Okay that was some confusion between us. Can you just make sure that request is hitting Relay and not Sentry Web?

@jan-auer (Member)

@niekberenschot where did you get these URLs from? The "Client Keys" settings page should render the correct "Security Header Endpoint", which points to /api/8/security/. This endpoint is served by Relay as long as you satisfy the content-type requirement, which must be one of these.

Are you manually creating a CSP request or is your browser issuing one?
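The two checks the maintainers ask for above, that the report is POSTed with a content type Relay accepts and that the request actually lands on Relay rather than sentry-web, can be scripted. The following is an added example written for this thread; it is not code from the onpremise repository or from Relay. The base URL, project id and sentry_key are placeholders to be replaced with the values from your own "Client Keys" page, and the diagnosis rules are heuristics derived only from the symptoms reported in this thread (a Django CSRF 403 means sentry-web answered; a 404 means the path was wrong or was not routed to Relay).

```python
"""Send a browser-shaped CSP violation report to a self-hosted Sentry
security endpoint and classify the response.

Added example for this issue thread; not code from getsentry/onpremise or
Relay. Hostnames, project id and key are placeholders, and diagnose() is a
heuristic built from the symptoms described in the thread.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

# application/csp-report is the media type browsers use when they deliver a
# CSP violation report to a report-uri target.
CSP_REPORT_CONTENT_TYPE = "application/csp-report"


def security_endpoint(base_url, project_id, sentry_key):
    """Build the security-header endpoint URL used in the thread:
    /api/<project>/security/?sentry_key=<key>."""
    query = urlencode({"sentry_key": sentry_key})
    return f"{base_url.rstrip('/')}/api/{project_id}/security/?{query}"


def build_csp_report(document_uri, violated_directive, blocked_uri, original_policy):
    """Construct a violation report in the shape a browser sends: a JSON
    object wrapped in a top-level "csp-report" key."""
    return {
        "csp-report": {
            "document-uri": document_uri,
            "violated-directive": violated_directive,
            # effective-directive is the directive name without its sources
            "effective-directive": violated_directive.split()[0],
            "blocked-uri": blocked_uri,
            "original-policy": original_policy,
        }
    }


def diagnose(status, body):
    """Map an HTTP status/body pair to a diagnosis using the thread's
    symptoms as heuristics (placeholder logic, not Relay's own responses)."""
    if status == 0:
        return "no HTTP response: check the relay/nginx containers are up and reachable"
    if 200 <= status < 300:
        return "accepted: the request reached Relay and was ingested"
    if status == 403 and "CSRF" in body:
        return ("sentry-web answered (Django CSRF check): nginx is not routing "
                "/api/<id>/security/ to Relay")
    if status == 404:
        return "not found: wrong path, or the request reached sentry-web instead of Relay"
    return (f"unexpected status {status}: verify the Content-Type is one Relay accepts "
            "for security reports and inspect the nginx and relay logs")


def send_csp_report(endpoint, report, timeout=5):
    """POST the report with the browser content type; return (status, body).
    Transport failures are returned as status 0 so diagnose() still applies."""
    data = json.dumps(report).encode()
    req = urllib.request.Request(
        endpoint, data=data, method="POST",
        headers={"Content-Type": CSP_REPORT_CONTENT_TYPE,
                 "User-Agent": "csp-report-check/1.0"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")
    except (urllib.error.URLError, OSError) as err:
        return 0, str(err)


if __name__ == "__main__":
    # Placeholders: substitute your own host, project id and public key.
    url = security_endpoint("https://sentry.example.invalid", 8, "<sentry_key>")
    report = build_csp_report(
        "https://app.example.invalid/",
        "script-src 'self'",
        "https://cdn.example.invalid/vendor.js",
        "default-src 'self'; script-src 'self'; report-uri " + url,
    )
    status, body = send_csp_report(url, report)
    print(status, diagnose(status, body))
```

Running it against a fresh install and comparing the diagnosis with the nginx access log line for the same request is the quickest way to tell whether the 404 comes from the path or from the routing.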

github-actions bot locked and limited conversation to collaborators Dec 14, 2020