ref: sound SENTRY_DISALLOWED_IPS on the configuration file

[aldy505]

To not mislead people and to prevent time spent scrolling on GitHub issues just to fix why requests to private IP addresses are not working.

One example: #3957

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.49%. Comparing base (3af221e) to head (966dc3a).
⚠️ Report is 1 commits behind head on master.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #3981   +/-   ##
=======================================
  Coverage   99.49%   99.49%           
=======================================
  Files           3        3           
  Lines         197      197           
=======================================
  Hits          196      196           
  Misses          1        1           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[aminvakil]

Is this list maintained on sentry repository and once you remove an IP from here you can send a request to that removed IP?

SENTRY_DISALLOWED_IPS is a little misleading name IMHO.

[aldy505]

Is this list maintained on sentry repository and once you remove an IP from here you can send a request to that removed IP?

Yes.

SENTRY_DISALLOWED_IPS is a little misleading name IMHO.

cc @oioki

[aminvakil]

Maybe it's better for self-hosted to maintain a SENTRY_OUTGOING_ALLOWED_IPS list and remove the items from getsentry/sentry list?

Not that IANA is going to change this list :) It has better readability for users to maintain allowed IPs.

[aldy505]

That makes sense.

[aldy505]

Just realized, I don't think it's possible since it's a tuple and we're gonna have a lot of utils function to figure out which IP address belongs to which IP subnet...

[hubertdeng123]

Is this required? I believe things in the server.py file in sentry should be defaults that are applied to all deployments of sentry unless they are overridden.

https://github.com/getsentry/sentry/blob/e2f36e278596877046ef60e85b83e88434f9abed/src/sentry/conf/server.py#L114

[hubertdeng123]

Looks like in the issue you linked, the user needed to provide an override?

[aldy505]

Looks like in the issue you linked, the user needed to provide an override?

Yep, therefore it requires a bit more visibility. One Google SSO plugin made by Siemens is also broken due to not providing this info.

[hubertdeng123]

Having this here forces us to maintain two sources of truth though which is more painful when SENTRY_DISALLOWED_IPS changes. IMO it is better to include this here but commented out for visibility purposes if that is what we care about