Load Balancer with 2-way SSL authentication support

[grammy-jiang]

Problem Statement

Hi,

I am configuring Nginx as load balancer in front of Sentry and 2-way SSL authentication is enabled.

I can visit the web GUI as usual after I add the client cert and key to the browser. But the server can't receive the log messages, and I notice that in sentry-python it doesn't support two-way SSL authentication as a client - from the source code no client cert related options are passed to the urllib3.PoolManager:

• sentry-python/sentry_sdk/transport.py at 69ecd87aa4539de03754af5afb4af4be53efd260 · getsentry/sentry-python
• sentry-python/sentry_sdk/transport.py at 69ecd87aa4539de03754af5afb4af4be53efd260 · getsentry/sentry-python

The document of urllib3.PoolManager:

• Advanced Usage - urllib3 1.26.3 documentation

Solution Brainstorm

From these lines of options defined, I think it can be configured in the same way:

• sentry-python/sentry_sdk/transport.py at 69ecd87aa4539de03754af5afb4af4be53efd260 · getsentry/sentry-python

  options["ca_certs"] = (
      ca_certs  # User-provided bundle from the SDK init
      or os.environ.get("SSL_CERT_FILE")
      or os.environ.get("REQUESTS_CA_BUNDLE")
      or certifi.where()
  )

  Example:

  options["cert_file"] = (
      cert_file  # User-provided bundle from the SDK init
      or os.environ.get("CLIENT_CERT_FILE")
  )
  options["key_file"] = (
      key_file  # User-provided bundle from the SDK init
      or os.environ.get("CLIENT_KEY_FILE")
  )

[szokeasaurusrex]

Hi @grammy-jiang, thanks for the feature suggestion! This is something we can definitely look into adding.

I will put the issue on our internal backlog, but it will likely take us some time to get around to implementing this feature, since we have other higher-priority projects that we are working on at the moment. However, if you would like to contribute a PR, we would be happy to review it and help get it merged.

[grammy-jiang]

Thanks for your reply, @szokeasaurusrex .

Yes, this is a quite simple change, I can do it.

[grammy-jiang]

I also find another issue about Gitlab Integration with two-way SSL authentication:

Currently, the Gitlab integration in Sentry does not support the Gitlab instance with two-way SSL authentication enabled.

I haven't got a chance to investigate the reason, but I can give it a try.

[szokeasaurusrex]

I also find another issue about Gitlab Integration with two-way SSL authentication

@grammy-jiang Please raise this issue in the getsentry/sentry repo, since it seems like this is related to the Sentry server, not the Sentry Python SDK. The SDK does not integrate with GitLab, only the Sentry server does.