Setting up HTTPS for self-hosted Sentry

Sentry, a very powerful error-tracking tool, can easily be self-hosted. Their self-hosted GitHub repo and documentation explain this very well.

Adding HTTPS support to the instance isn’t explained in detail, though. In this post I give a brief description of how HTTPS can be added quite easily using Traefik and Let’s Encrypt.

Traefik

Traefik is a reverse proxy, meaning it is the door to your application, Sentry in our case. Traefik routes incoming requests to specific applications based on routing rules. As Sentry comes with Nginx, and Nginx is also a reverse proxy, we are going to disable Nginx.

Enabling HTTPS

Follow these steps to enable HTTPS for your self-hosted Sentry:

  1. Install self-hosted Sentry according to the instructions

  2. Create a new folder called traefik in your home directory

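  3. Add a docker-compose.yml with the following content:

    version: "3.3"

    services:

      traefik:
        image: "traefik:v2.9"
        container_name: "traefik"
        # Host networking: Traefik binds directly to the host's ports, so no
        # "ports:" mapping is listed (the Compose specification does not allow
        # port mappings together with host networking).
        network_mode: "host"
        restart: "unless-stopped"
        command:
          # Serves the Traefik API and dashboard on port 8080 without authentication
          - "--api.insecure=true"
          - "--providers.docker=true"
          # Only containers labelled traefik.enable=true are routed
          - "--providers.docker.exposedbydefault=false"
          - "--entrypoints.websecure.address=:443"
          # Let's Encrypt certificates via the TLS challenge on port 443
          - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
          - "--certificatesresolvers.myresolver.acme.email=your-email@example.com"
          - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
        volumes:
          - "./letsencrypt:/letsencrypt"
          - "/var/run/docker.sock:/var/run/docker.sock:ro"
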
  4. Edit the docker-compose.yml of the self-hosted Sentry: add the following labels to the web and relay containers, and comment out the nginx container:

    web:
      <<: *sentry_defaults
      ...
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.web.rule=Host(`sentry.example.com`)"
        - "traefik.http.routers.web.entrypoints=websecure"
        - "traefik.http.routers.web.tls.certresolver=myresolver"
    ...
    relay:
      <<: *restart_policy
      image: "$RELAY_IMAGE"
      ...
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.relay.rule=Host(`sentry.example.com`) && PathPrefix(`/api/store/`, `/api/{id:[1-9]\\d*/}`)"
        - "traefik.http.routers.relay.entrypoints=websecure"
        - "traefik.http.routers.relay.tls.certresolver=myresolver"
    ...
    # nginx:
    #   <<: *restart_policy
    #   ports:
    #     - "$SENTRY_BIND:80/tcp"
    #   image: "nginx:1.22.0-alpine"
    #   volumes:
    #     - type: bind
    #       read_only: true
    #       source: ./nginx
    #       target: /etc/nginx
    #     - sentry-nginx-cache:/var/cache/nginx
    #   depends_on:
    #     - web
    #     - relay

  5. Update sentry/sentry.yml:
    Set system.url-prefix to the new public URL of your instance (https://sentry.example.com)

  6. Edit sentry/sentry.config.py and enable the SSL/TLS settings

  7. Now restart Sentry:
    $ docker compose down && docker compose up -d

  8. Start Traefik (from the traefik folder):
    $ docker compose up -d
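
A hardened variant of the Traefik file from step 3, as an added example that is not part of the original post: it leaves out `--api.insecure`, so the unauthenticated dashboard and API on port 8080 are not enabled, and it adds a plain-HTTP entrypoint whose only job is to redirect to HTTPS. The entrypoint name `web` (unrelated to the `web` router in Sentry's labels) and a free port 80 on the host are assumptions.

```yaml
# Added example: hardened variant of traefik/docker-compose.yml (not from the original post)
version: "3.3"

services:

  traefik:
    image: "traefik:v2.9"
    container_name: "traefik"
    # Host networking, as in the original file; no "ports:" mapping is needed
    network_mode: "host"
    restart: "unless-stopped"
    command:
      # --api.insecure is left out: the API and dashboard stay disabled,
      # so Traefik does not open port 8080.
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # Assumed entrypoint name "web": plain HTTP on port 80, used only to
      # redirect every request to the websecure entrypoint.
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=your-email@example.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    volumes:
      # acme.json in this folder holds the certificate private keys
      - "./letsencrypt:/letsencrypt"
      # ":ro" protects the socket file only; Docker API calls made through
      # the socket are not restricted by it.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
```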