662c772
failing test: csp-report: handle upstream Sentry errors
Oct 16, 2025
459c0e6
don't hardcode https host
Oct 16, 2025
fa21001
ignore non socket error?
Oct 16, 2025
6c2e7b4
Update error expewctations
Oct 16, 2025
2503c9a
check correct errr
Oct 16, 2025
bcdca8d
tweak error expectation
Oct 16, 2025
6b97d58
set proxy_ssl_server_name
Oct 16, 2025
04e2418
try force hostname
Oct 16, 2025
82f9ec6
add HTTPS_HOST env var
Oct 18, 2025
b2cc8c8
remove explicit proxy_ssl_name
Oct 18, 2025
7569e54
remove proxy_ssl_server_name
Oct 18, 2025
34ff36c
use correct setting
Oct 18, 2025
8022d1c
test tidy-up
Oct 18, 2025
fa34900
test fake DNS with _correct_ SNI host
Oct 21, 2025
042107f
refactor initHttpsServer()
Oct 21, 2025
e2d91d6
fix refactor
Oct 21, 2025
de32ff4
generate PEM files
Oct 21, 2025
0486ef8
remove unused fn
Oct 21, 2025
a873474
Merge branch 'next' into csp-report-test
alxndrsn Nov 5, 2025
1ab8a67
Merge branch 'next' into csp-report-test
alxndrsn Nov 18, 2025
d743081
Merge branch 'next' into csp-report-test
alxndrsn Nov 20, 2025
24b7cca
introduce specific mock-sentry docker thingy
Nov 26, 2025
48c97e1
fix path
Nov 26, 2025
4a5dd59
Add comment re sentry port
Nov 26, 2025
77d2772
revert changes to mock http server
Nov 26, 2025
1d05f3c
reduce unused stuff
Nov 26, 2025
1c651a1
simpler?
Nov 26, 2025
619487c
simpler
Nov 26, 2025
447670a
parameterise tests to use other hostnames
Nov 26, 2025
fec386a
Check sentry actually received the CSP report
Nov 26, 2025
ea31312
assert sentry received reuqerst
Nov 26, 2025
555ded5
add more infra
Nov 26, 2025
9751293
die if no cert
Nov 26, 2025
848b38b
neater
Nov 26, 2025
fa3acce
more comment
Nov 26, 2025
54d2fc5
tidy
Nov 26, 2025
e5595e9
rename reports
Nov 26, 2025
a4af372
assert errors too
Nov 26, 2025
5c918c5
tidy
Nov 26, 2025
1c0d4f2
wip
Nov 26, 2025
0377eb7
fix
Nov 26, 2025
9d60707
more commentary
Nov 26, 2025
2aa2f22
coment SNICallback
Nov 26, 2025
71065e6
move requires to top
Nov 26, 2025
ec2c0d5
handle bad API key better
Nov 26, 2025
8afb2c0
change test order
Nov 26, 2025
ead44e0
outdated comment
Nov 26, 2025
46e6d0a
simplify end()
Nov 26, 2025
d6d592a
fix
Nov 26, 2025
567026e
name
Nov 26, 2025
b0034b5
update comments
Nov 26, 2025
589f3bc
lol
Nov 26, 2025
9529a71
remove unused method parma
Nov 26, 2025
681dce1
lint
Nov 26, 2025
19 changes: 19 additions & 0 deletions test/nginx/mock-http-server/bad-cert.pem
@@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions test/nginx/mock-http-server/bad-key.pem
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
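Review bot: This file puts an unencrypted private key in the repository (good-key.pem does the same), and nothing next to it says it is a throwaway test fixture, so secret scanners will flag it and a reader cannot tell it from a real credential. Generating both key pairs when the mock image is built would keep key material out of git altogether. If the files stay, add a short README beside them, for example `These keys and certificates are throwaway fixtures for the mock Sentry server; never deploy them.`, and record the command used to create them and the certificates' expiry date so the tests do not start failing unexplained when they lapse.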
20 changes: 20 additions & 0 deletions test/nginx/mock-http-server/good-cert.pem
@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions test/nginx/mock-http-server/good-key.pem
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
60 changes: 58 additions & 2 deletions test/nginx/mock-http-server/index.js
@@ -1,6 +1,7 @@
const express = require('express');

const port = process.env.PORT || 80;
const mode = process.env.MODE || 'http';
const log = (...args) => console.log('[mock-http-server]', ...args);

const requests = [];
@@ -9,6 +10,33 @@

app.use((req, res, next) => {
console.log(new Date(), req.method, req.originalUrl);
if(req.socket.encrypted) {
// Get the local certificate (the server's certificate)
const certificate = req.socket.getCertificate();

if(certificate) {
console.log('--- Secure Context Details ---');
console.log('Subject:', certificate.subject.CN); // Common Name
console.log('Issuer:', certificate.issuer.CN);
console.log('Valid From:', certificate.valid_from);
console.log('Valid To:', certificate.valid_to);
console.log('Serial Number:', certificate.serialNumber);
// ... and more details
console.log('------------------------------');

if(certificate.subject.CN !== 'o-fake-dsn.ingest.sentry.io') {
// try to simulate an SNI / connection error
console.log('Destroying connection...');
return req.socket.destroy();
}
} else {
console.log('Secure connection, but no local certificate found (unexpected for server-side TLS)');
}
} else {
// This part runs if you are running an HTTP server or if a proxy

Check failure on line 36 in test/nginx/mock-http-server/index.js


GitHub Actions / test-nginx

Trailing spaces not allowed
// is terminating SSL before Express (see note below).
console.log('Insecure HTTP request.');
}
next();
});

@@ -47,6 +75,34 @@
res.send('OK');
}));

app.listen(port, () => {
log(`Listening on port: ${port}`);
const server = (() => {
if(mode === 'http') {
return app;
} else if(mode === 'https') {
const { readFileSync } = require('node:fs');
const { createServer } = require('node:https');
const { createSecureContext } = require('node:tls');

const pem = name => readFileSync(`${name}.pem`, 'utf8');
const creds = name => ({ key:pem(`${name}-key`), cert:pem(`${name}-cert`) });

const goodCreds = creds('good');

const opts = {
...creds('bad'),
SNICallback: (servername, cb) => {
console.log('SNICallback:', servername);
cb(null, createSecureContext(goodCreds));
},
};

return createServer(opts, app);
} else {
console.error(`Unrecognised mode: '${mode}'; should be one of http, https. Cannot start server.`);
process.exit(1);
}
})();

server.listen(port, () => {
log(`Listening with ${mode} on port: ${port}`, server === app);
});
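Review bot: The `SNICallback` in the https branch hands the good certificate to every `servername`, so the mock cannot tell a proxy that sends the expected SNI name from one that sends any other name; only a connection with no SNI at all falls back to the bad pair. If the fixture is meant to check that nginx presents `o-fake-dsn.ingest.sentry.io`, compare the name and fall back otherwise: `cb(null, servername === 'o-fake-dsn.ingest.sentry.io' ? createSecureContext(goodCreds) : undefined);` (a falsy context makes Node use the server's default one). Separately, in the logging middleware `req.socket.getCertificate()` returns an empty object rather than null when there is no local certificate, so `if(certificate)` passes and `certificate.subject.CN` throws; testing `certificate?.subject` instead would make the existing else branch reachable.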
13 changes: 12 additions & 1 deletion test/nginx/nginx.test.docker-compose.yml
@@ -13,6 +13,14 @@ services:
- "8383:8383"
environment:
- PORT=8383
sentry-mock:
build:
dockerfile: mock-http-service.dockerfile
ports:
- "443:443"
environment:
- MODE=https
- PORT=443
nginx:
build:
context: ../..
@@ -22,10 +30,13 @@ services:
depends_on:
- service
- enketo
- sentry-mock
extra_hosts:
- o-fake-dsn.ingest.sentry.io:host-gateway
environment:
- DOMAIN=odk-nginx.example.test
- SENTRY_KEY=example-sentry-key
- SENTRY_ORG_SUBDOMAIN=example-sentry-org-subdomain
- SENTRY_ORG_SUBDOMAIN=o-fake-dsn
- SENTRY_PROJECT=example-sentry-project
- SSL_TYPE=selfsign
- OIDC_ENABLED=false
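Review bot: Publishing `"443:443"` for sentry-mock binds a privileged port on every interface of the machine running the tests, and the `host-gateway` entry makes nginx reach the mock by leaving the compose network and coming back in through that published port. The run then fails wherever 443 is already taken or cannot be bound (rootless Docker, a developer machine with a web server), and the mock is reachable from outside the test host. A network alias on sentry-mock would let nginx resolve `o-fake-dsn.ingest.sentry.io` inside the compose network, with the port published on loopback only for the direct request the test makes to `https://127.0.0.1`; the `extra_hosts` entry on nginx would then be dropped. This assumes nginx resolves the upstream name through the container's resolver, which the visible lines do not show.

```yaml
  sentry-mock:
    # … unchanged: build, environment …
    networks:
      default:
        aliases:
          - o-fake-dsn.ingest.sentry.io
    ports:
      - "127.0.0.1:443:443"
```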
38 changes: 38 additions & 0 deletions test/nginx/test-nginx.js
@@ -572,6 +572,44 @@ describe('nginx config', () => {
});
});
});

describe('/csp-report', () => {
// This initial test is the control - Sentry will reject requests
// made directly to their IP address.
it('upstream should reject requests by IP address', async () => {
// given
let caught;

// when
try {
await fetch('https://127.0.0.1');
} catch(err) {
caught = err;
}

// then
assert.isOk(caught);
assert.instanceOf(caught, TypeError);
assert.equal(caught.message, 'fetch failed');
// and
assert.isOk(caught.cause);
assert.equal(caught.cause.name, 'SocketError');
assert.equal(caught.cause.message, 'other side closed');
});

it('should forward requests to Sentry, verbatim', async () => {
// when
const res = await fetchHttps('/csp-report', {
method: 'POST',
headers: { 'Content-Type':'application/json' },
body: JSON.stringify({ hiya:'sentry' }),
});

// then
assert.equal(res.status, 200);
assert.equal(await res.text(), 'OK');
});
});
});

function fetchHttp(path, options) {
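Review bot: The second test is titled 'should forward requests to Sentry, verbatim' but asserts only the status and the `OK` body, so it would still pass if nginx changed the path or dropped the request body before proxying. Either narrow the title, e.g. `it('should proxy /csp-report to the upstream', async () => {`, or read back what the mock recorded and assert the method, path and JSON body it received; the mock keeps a `requests` array, though how it is exposed is not visible here. The comment on the control test also describes Sentry's behaviour while the request goes to `https://127.0.0.1`, i.e. the local mock; `// Control: the mock drops connections that arrive without the expected SNI name, as a by-IP request does.` would describe what is actually exercised. The enclosing `describe('nginx config', ...)` starts outside this hunk.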