Skip to content

ref: sound SENTRY_DISALLOWED_IPS on the configuration file #3981

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

ref: sound SENTRY_DISALLOWED_IPS on the configuration file #3981

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 54 additions & 0 deletions sentry/sentry.conf.example.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,60 @@ def get_internal_network():
# AI model prices from various public APIs.
SENTRY_AIR_GAP = False

# As of 25.9.0 (September 2025 release), Sentry enforces tighter restrictions
# of allowed IP addresses for outgoing requests. This is to prevent
# accidentally leaking sensitive information to third parties.
# By default, Sentry will not allow requests to private IP addresses.
# You can override this by configuring the allowed IP addresses here.
SENTRY_DISALLOWED_IPS: tuple[str, ...] = (
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this list maintained on sentry repository and once you remove an IP from here you can send a request to that removed IP?

SENTRY_DISALLOWED_IPS is a little misleading name IMHO.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this list maintained on sentry repository and once you remove an IP from here you can send a request to that removed IP?

Yes.

SENTRY_DISALLOWED_IPS is a little misleading name IMHO.

cc @oioki

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it's better for self-hosted to maintain a SENTRY_OUTGOING_ALLOWED_IPS list and remove the items from getsentry/sentry list?

Not that IANA is going to change this list :) It has better readability for users to maintain allowed IPs.

# https://en.wikipedia.org/wiki/Reserved_IP_addresses#IPv4
"0.0.0.0/8",
"10.0.0.0/8",
"100.64.0.0/10",
"127.0.0.0/8",
"169.254.0.0/16",
"172.16.0.0/12",
"192.0.0.0/29",
"192.0.2.0/24",
"192.88.99.0/24",
"192.168.0.0/16",
"198.18.0.0/15",
"198.51.100.0/24",
"224.0.0.0/4",
"240.0.0.0/4",
"255.255.255.255/32",
# https://en.wikipedia.org/wiki/IPv6#IPv4-mapped_IPv6_addresses
# Subnets match the IPv4 subnets above
"::ffff:0:0/104",
"::ffff:a00:0/104",
"::ffff:6440:0/106",
"::ffff:7f00:0/104",
"::ffff:a9fe:0/112",
"::ffff:ac10:0/108",
"::ffff:c000:0/125",
"::ffff:c000:200/120",
"::ffff:c058:6300/120",
"::ffff:c0a8:0/112",
"::ffff:c612:0/111",
"::ffff:c633:6400/120",
"::ffff:e000:0/100",
"::ffff:f000:0/100",
"::ffff:ffff:ffff/128",
# https://en.wikipedia.org/wiki/Reserved_IP_addresses#IPv6
"::1/128",
"::ffff:0:0/96",
"64:ff9b::/96",
"64:ff9b:1::/48",
"100::/64",
"2001:0000::/32",
"2001:20::/28",
"2001:db8::/32",
"2002::/16",
"fc00::/7",
"fe80::/10",
"ff00::/8",
)

################
# Node Storage #
################
Expand Down