docs(self-hosted): handle reverse proxy cors issues for ingest endpoints (#12513)

aldy505 · web-flow · commit 8eb562f8549f · 2025-04-23T14:39:31.000-07:00
## DESCRIBE YOUR PR Someone on Discord pointed out that they had CORS issues from the browser when submitting events to Sentry. This patch is to make sure that would never happen. ## IS YOUR CHANGE URGENT? Help us prioritize incoming PRs by letting us know when the change needs to go live. - [ ] Urgent deadline (GA date, etc.):  - [ ] Other deadline:  - [x] None: Not urgent, can wait up to 1 week+ ## SLA - Teamwork makes the dream work, so please add a reviewer to your PRs. - Please give the docs team up to 1 week to review your PR unless you've added an urgent due date to it. Thanks in advance for your help! ## PRE-MERGE CHECKLIST *Make sure you've checked the following before merging your changes:* - [ ] Checked Vercel preview for correctness, including links - [ ] PR was reviewed and approved by any necessary SMEs (subject matter experts) - [ ] PR was reviewed and approved by a member of the [Sentry docs team](https://github.com/orgs/getsentry/teams/docs) ## LEGAL BOILERPLATE  Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms. ## EXTRA RESOURCES - [Sentry Docs contributor guide](https://docs.sentry.io/contributing/)
diff --git a/develop-docs/self-hosted/experimental/external-storage.mdx b/develop-docs/self-hosted/experimental/external-storage.mdx
@@ -4,11 +4,12 @@ sidebar_title: External Storage
 sidebar_order: 90
 ---
 
-In some cases, storing Sentry data on-disk is not really something people can do. Sometimes, it's better to offload it into some bucket storage (like AWS S3 or Google Cloud Storage).
-
 <Alert title="Important" level="warning">
     These are community-contributed docs. Sentry does not officially provide support for self-hosted configurations beyond the default install.
 </Alert>
+
+In some cases, storing Sentry data on-disk is not really something people can do. Sometimes, it's better to offload it into some bucket storage (like AWS S3 or Google Cloud Storage).
+
 <Alert title="Note">
     After changing configuration files, re-run the <code>./install.sh</code> script, to rebuild and restart the containers. See the <Link to="/self-hosted/#configuration">configuration section</Link> for more information.
 </Alert>
diff --git a/develop-docs/self-hosted/experimental/reverse-proxy.mdx b/develop-docs/self-hosted/experimental/reverse-proxy.mdx
@@ -8,25 +8,25 @@ sidebar_order: 80
     These are community-contributed docs. Sentry does not officially provide support for self-hosted configurations beyond the default install.
 </Alert>
 
-Adding a reverse proxy in front of your Sentry deployment is strongly recommended for one big reason: you can fine tune every configuration to fit your current setup. A dedicated reverse proxy that does SSL/TLS termination that also forwards the client IP address as Docker Compose internal network (as this is [close to impossible to get otherwise](https://github.com/getsentry/self-hosted/issues/554)) would give you the best Sentry experience.
+Adding a reverse proxy in front of your Sentry deployment is strongly recommended for one big reason: you can fine tune every configuration to fit your current setup. A dedicated reverse proxy that does SSL/TLS termination that also forwards the client IP address as Docker Compose internal network (as this is [close to impossible to get otherwise](https://github.com/getsentry/self-hosted/issues/554)) would give you the best Sentry experience.
 
 Once you have setup a reverse proxy to your Sentry instance, you should modify the `system.url-prefix` in the `config.yml` file to match your new URL and protocol. You should also update the SSL/TLS section in the `sentry/sentry.conf.py` script, otherwise you may get CSRF-related errors when performing certain actions such as configuring integrations.
 
-Keep in mind that all this setup uses single-nodes for all services, including Kafka. For larger loads, you'd need a beefy machine with lots of RAM and disk storage. To scale up even further, you are very likely to use clusters with a more complex tool, such as Kubernetes. Due to self-hosted installations' very custom nature, we do not offer any recommendations or guidance around scaling up. We do what works for us for our thousands of customers over at [sentry.io](https://sentry.io/) and would love to have you over when you feel your local install's maintenance becomes a burden instead of a joy.
+Keep in mind that all this setup uses single-nodes for all services, including Kafka. For larger loads, you'd need a beefy machine with lots of RAM and disk storage. To scale up even further, you are very likely to use clusters with a more complex tool, such as Kubernetes. Due to self-hosted installations' very custom nature, we do not offer any recommendations or guidance around scaling up. We do what works for us for our thousands of customers over at [sentry.io](https://sentry.io/) and would love to have you over when you feel your local install's maintenance becomes a burden instead of a joy.
 
 ## Enabling HTTPS
 
-We recommend TLS termination to be done on your own dedicated load balancer or proxy. Although you can set it on the `nginx.conf` file, it is not recommended as newer self-hosted releases might alter some configurations on the file. Some examples are available on [Reverse Proxy Examples](#reverse-proxy-examples) section.
+We recommend TLS termination to be done on your own dedicated load balancer or proxy. Although you can set it on the `nginx.conf` file provided by the self-hosted installation, it is not recommended as newer self-hosted releases might alter some configurations on the file. Some examples are available on [Reverse Proxy Examples](#reverse-proxy-examples) section.
 
 ## Expose Only Ingest Endpoint Publicly
 
 Certain self-hosted deployments requires the dashboard to be accessed only via internal network. But, they also need to provide public Sentry ingestion endpoint for client devices such as mobile and desktop apps. You can expose some of these endpoints publicly:
 
-- `/api/[1-9]\d*/envelope/` - Main endpoint for submitting event from SDK
-- `/api/[1-9]\d*/minidump/` - Endpoint for submitting minidump from native SDKs
-- `/api/[1-9]\d*/security/` - Endpoint for submitting security-related such as CSP errors
-- `/api/[1-9]\d*/store/` - Old endpoint for submitting event from SDK, it is deprecated.
-- `/api/[1-9]\d*/unreal/` - Endpoint for submitting crash report from Unreal Engine SDK
+- `/api/[1-9]\d+/envelope/` - Main endpoint for submitting event from SDK
+- `/api/[1-9]\d+/minidump/` - Endpoint for submitting minidump from native SDKs
+- `/api/[1-9]\d+/security/` - Endpoint for submitting security-related such as CSP errors
+- `/api/[1-9]\d+/store/` - Old endpoint for submitting event from SDK, it is deprecated.
+- `/api/[1-9]\d+/unreal/` - Endpoint for submitting crash report from Unreal Engine SDK
 
 The `[1-9]\d+` is a regular expression string that is acquired from the project DSN.
 
@@ -71,6 +71,21 @@ server {
     proxy_buffer_size    128k;
     proxy_buffers        4 256k;
 
+    # Handle CORS-related headers for ingest endpoints.
+    # You can also only expose the ingest endpoints only,
+    # by removing the other `location` directive.
+    #
+    # It is recomended to put a rate limiter on the ingest endpoints.
+    location ~ ^/api/[1-9]\d*/(envelope|minidump|security|store|unreal)/ {
+        add_header Access-Control-Allow-Origin * always;
+        add_header Access-Control-Allow-Credentials false always;
+        add_header Access-Control-Allow-Methods GET,POST,PUT always;
+        add_header Access-Control-Allow-Headers sentry-trace,baggage always;
+        add_header Access-Control-Expose-Headers sentry-trace,headers always;
+        include proxy_params;
+        proxy_pass http://your-sentry-ip:9000;
+    }
+
     location / {
         include proxy_params;
         proxy_pass http://your-sentry-ip:9000;
@@ -107,10 +122,35 @@ It is also recommended to fine tune your NGINX for some performance benefits. Yo
 
 ```caddyfile
 sentry.yourcompany.com {
-    reverse_proxy your-sentry-ip:9000 {
-        health_uri /_health/
-        health_status 2xx
-        header_up Host {upstream_hostport}
+    # Handle CORS-related headers for ingest endpoints.
+    # You can also only expose the ingest endpoints only,
+    # by removing the other `handle` directive.
+    #
+    # It is recomended to put a rate limiter on the ingest endpoints.
+    @ingest_endpoint path_regexp ^/api/[1-9]\d+/(envelope|minidump|security|store|unreal)/
+
+    handle @ingest_endpoint {
+        header {
+            Access-Control-Allow-Origin *
+            Access-Control-Allow-Credentials false
+            Access-Control-Allow-Methods GET,POST,PUT
+            Access-Control-Allow-Headers sentry-trace,baggage
+            Access-Control-Expose-Headers sentry-trace,headers
+        }
+
+        reverse_proxy your-sentry-ip:9000 {
+            health_uri /_health/
+            health_status 2xx
+            header_up Host {upstream_hostport}
+        }
+    }
+
+    handle {
+        reverse_proxy your-sentry-ip:9000 {
+            health_uri /_health/
+            health_status 2xx
+            header_up Host {upstream_hostport}
+        }
     }
 
     # By default, the TLS is acquired from Let's Encrypt
@@ -133,11 +173,6 @@ sentry.yourcompany.com {
     #         events 100
     #     }
     # }
-
-    # To expose only ingest endpoint publicly, add the named matcher below before `reverse_proxy` directive
-    # @ingest_endpoint {
-    #     path_regexp /api/[1-9]\d+/(envelope|minidump|security|store|unreal)/
-    # }
 }
 ```
 
@@ -147,24 +182,39 @@ For detailed documentation on Caddyfile configuration, see [Caddy documentation]
 
 [Traefik](https://doc.traefik.io/traefik/) is another reverse proxy that provides a lot of plugin and integrations out of the box. It automatically handles TLS certificate management via ACME, too. After you [install Traefik](https://doc.traefik.io/traefik/getting-started/install-traefik/), add a configuration to Traefik as follows (this example is using the YAML file provider, convert to your prefered configuration provider as needed).
 
+The configuration below is intended for Traefik v3 with a File Provider.
+
 ```yaml
 http:
   routers:
+    # Handle CORS-related headers for ingest endpoints.
+    # You can also only expose the ingest endpoints only,
+    # by removing the other `handle` directive.
+    #
+    # It is recomended to put a rate limiter on the ingest endpoints.
+    sentry-ingest:
+      entryPoints:
+        - web       # Assuming this your HTTP entrypoint
+        - websecure # Assuming this is your HTTPS entrypoint
+      service: sentry@file
+      rule: "Host(`sentry.yourcompany.com`) && PathRegexp(`^/api/[1-9]\\d+/(envelope|minidump|security|store|unreal)`)"
+      tls:
+        certResolver: letsencrypt # Assuming you have a TLS certificate resolver named "letsencrypt"
+      middlewares:
+        - https_redirect@file
+        - cors_headers@file # For handling browser clients
+        - rate_limiter@file
     sentry:
       entryPoints:
         - web       # Assuming this your HTTP entrypoint
         - websecure # Assuming this is your HTTPS entrypoint
       service: sentry@file
       rule: "Host(`sentry.yourcompany.com`)"
-      # If you want to expose only ingest endpoint publicly
-      # rule: "Host(`sentry.yourcompany.com`) && PathPrefix(`/api/{id:[1-9]\d*}/envelope`, `/api/{id:[1-9]\d*}/minidump`, `/api/{id:[1-9]\d*}/security`, `/api/{id:[1-9]\d*}/store`, `/api/{id:[1-9]\d*}/unreal`)"
       tls:
         certResolver: letsencrypt # Assuming you have a TLS certificate resolver named "letsencrypt"
       # Enable middleware as needed
       middlewares:
         - https_redirect@file
-        - cors_headers@file # For handling browser clients
-        - rate_limiter@file
 
   services:
     sentry:
@@ -187,8 +237,6 @@ http:
     cors_headers:
       headers:
         customResponseHeaders:
-          # We can't remove header on Traefik, but we can put it to some other values
-          server: "Your Company Name"
           addVaryHeader: true
           # If you want to set this to true, adjust "accessControlAllowOriginList" to a valid domain and remove the asterisk wildcard
           accessControlAllowCredentials: false
@@ -201,12 +249,9 @@ http:
             - GET
             - POST
             - PUT
-            - PATCH
-            - DELETE
           accessControlExposeHeaders:
             - "sentry-trace"
             - "baggage"
-          sslRedirect: true
     rate_limiter:
       rateLimit:
         average: 100
@@ -254,12 +299,27 @@ frontend https_bind
     bind *:443 ssl crt /etc/haproxy/certs/ name https_port
     mode http
 
-    acl sentry_domain hdr(host) -i sentry.yourcompany.com
+    acl sentry_domain   hdr(host) -i sentry.yourcompany.com
+    acl ingest_endpoint path_reg -i /api/[1-9]\d+/(envelope|minidump|security|store|unreal)/
+
+    # Handle CORS-related headers for ingest endpoints.
+    # You can also only expose the ingest endpoints only,
+    # by removing the other `handle` directive.
+    #
+    # It is recomended to put a rate limiter on the ingest endpoints.
+    use_backend sentry_ingest if sentry_domain ingest_endpoint
+
     use_backend sentry if sentry_domain
 
-    # To expose only ingest endpoints publicly, add the acl below on `use_backend` directive
-    # acl ingest_endpoint path_reg -i /api/[1-9]\d+(envelope|minidump|security|store|unreal)/
-    # use_backend sentry if sentry_domain ingest_endpoint
+backend sentry_ingest
+    mode http
+    option httpchk
+    server server1 your-sentry-ip:9000 check
+    http-response set-header Access-Control-Allow-Origin *
+    http-response set-header Access-Control-Allow-Credentials false
+    http-response set-header Access-Control-Allow-Methods GET,POST,PUT
+    http-response set-header Access-Control-Allow-Headers sentry-trace,baggage
+    http-response set-header Access-Control-Expose-Headers sentry-trace,headers
 
 backend sentry
     mode http
