Self hosted Caddy reverse proxy example does not work #15257

@SteppingHat

Which part? Which one?

Self hosted reverse proxy
https://develop.sentry.dev/self-hosted/experimental/reverse-proxy/#caddy

Description

With a fresh installation of Sentry self-hosted and Caddy, the given documented Caddy configuration does not work out of the box.

The web endpoint is still accessible as per usual; however, ingesting events fails with the following CSRF-related error:

web-1 | 23:24:33 [WARNING] django.security.csrf: Forbidden (Referer checking failed - no Referer.): /api/2/store/ (status_code=403 request=<WSGIRequest: POST '/api/2/store/'>)
web-1 | 23:24:33 [INFO] sentry.access.api: api.access (method='POST' view='django.views.generic.base.RedirectView' response=403 user_id='None' is_app='None' token_type='None' is_frontend_request='False' organization_id='None' auth_id='None' path='/api/2/store/' caller_ip='xxx.xxx.xxx.xxx user_agent='sentry.php.symfony/3.2.1' rate_limited='False' rate_limit_category='None' request_duration_seconds=0.0060579776763916016 rate_limit_type='DNE' concurrent_limit='None' concurrent_requests='None' reset_time='None' group='None' limit='None' remaining='None')
web-1 | 23:25:45 [INFO] sentry.web.frontend.csrf_failure: csrf_failure (reason='Referer checking failed - no Referer.')
web-1 | 23:25:45 [WARNING] django.security.csrf: Forbidden (Referer checking failed - no Referer.): /api/34/envelope/ (status_code=403 request=<WSGIRequest: POST '/api/34/envelope/'>)

This seems to be a known issue from years ago
https://forum.sentry.io/t/event-submission-rejected-by-csrf/10482/2

Based on the solution posted in the forum, ingest traffic needs to be proxied through the relay container, rather than direct to the web container. This differs from the example documentation which proxies all traffic through the web container.

Suggested Solution

My working configuration is as follows, based on the research across various forum posts and sentry doco, as well as what actually ended up working.

With verification, this is what I'm proposing to update the caddy example section to.

...
        handle @ingest_endpoint {
                header {
                        Access-Control-Allow-Origin *
                        Access-Control-Allow-Credentials false
                        Access-Control-Allow-Methods GET,POST,PUT
                        Access-Control-Allow-Headers sentry-trace,baggage
                        Access-Control-Expose-Headers sentry-trace,headers
                }
                reverse_proxy relay:3000 {                   # use relay:3000 instead of web:9000
                        header_up Host {upstream_hostport}   # remove health checks as relay doesn't provide an appropriate endpoint
                }
        }
...
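
The following is an added example, not part of the original issue or of Sentry's code: a small log triage script that finds ingest requests rejected by the web container's Django CSRF check, which is the symptom of ingest traffic being proxied to web instead of relay. The ingest path pattern is an assumption derived from the two paths in the logs above, the function names are hypothetical, and the last sample line is constructed.

```python
import re
from collections import Counter

# Django CSRF rejection as logged by the web container (format taken from the logs above).
CSRF_RE = re.compile(
    r"django\.security\.csrf: Forbidden \((?P<reason>[^)]*)\): (?P<path>\S+) "
    r"\(status_code=403 request=<WSGIRequest: (?P<method>[A-Z]+) "
)
# Assumption: ingest endpoints look like /api/<numeric project id>/<store|envelope>/,
# the only two shapes that appear in the issue's logs.
INGEST_RE = re.compile(r"^/api/(?P<project>[1-9]\d*)/(?P<kind>store|envelope)/$")

# First three lines are from the issue; the last one is constructed (a non-ingest CSRF failure).
SAMPLE = [
    "web-1 | 23:24:33 [WARNING] django.security.csrf: Forbidden (Referer checking failed - no Referer.): /api/2/store/ (status_code=403 request=<WSGIRequest: POST '/api/2/store/'>)",
    "web-1 | 23:25:45 [INFO] sentry.web.frontend.csrf_failure: csrf_failure (reason='Referer checking failed - no Referer.')",
    "web-1 | 23:25:45 [WARNING] django.security.csrf: Forbidden (Referer checking failed - no Referer.): /api/34/envelope/ (status_code=403 request=<WSGIRequest: POST '/api/34/envelope/'>)",
    "web-1 | 23:26:02 [WARNING] django.security.csrf: Forbidden (CSRF token missing.): /auth/login/ (status_code=403 request=<WSGIRequest: POST '/auth/login/'>)",
]


def misrouted_ingest(lines):
    """Return (project_id, endpoint, reason) for each ingest POST rejected by web's CSRF check."""
    hits = []
    for line in lines:
        m = CSRF_RE.search(line)
        if not m or m["method"] != "POST":
            continue  # not a CSRF rejection of a POST
        p = INGEST_RE.match(m["path"])
        if p:  # an SDK submission reached Django directly instead of relay
            hits.append((int(p["project"]), p["kind"], m["reason"]))
    return hits


def summarize(lines):
    """Count rejected ingest requests per project id."""
    return Counter(project for project, _, _ in misrouted_ingest(lines))


if __name__ == "__main__":
    for project, kind, reason in misrouted_ingest(SAMPLE):
        print(f"project {project}: {kind} rejected by web ({reason}); route this path to relay")
```

Any hit means the reverse proxy sent an SDK submission to the web container; UI form CSRF failures such as the constructed `/auth/login/` line are ignored.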
