Friday, 16 June, 2017 UTC


Summary

As part of continuing projects to increase the reliability of sentry.io, the IP addresses associated with the service will be changing soon. These changes may require customer-side updates to firewall rules to continue uninterrupted service.
Specifically, firewall rules that restrict traffic based on IP addresses will have to be changed for the following circumstances:
  • Firewalls between an application monitored by Sentry and the Sentry service (sentry.io)
  • Firewalls between Sentry’s service and:
    • web servers or CDNs that serve JavaScript source and/or source map files
    • servers configured to receive webhook HTTP requests
If neither of these apply, no changes are needed. We hope you continue to use and enjoy Sentry!
We plan to migrate all traffic to the addresses below, starting on June 21, 2017.
Inbound Address
  • 35.188.42.15
When a Sentry client SDK transmits errors to sentry.io, DNS will return the above IP address alongside the existing service addresses. If you have previously configured network rules between your application servers and the Internet to limit outbound requests, those rules will need to be updated to add this new address.
Outbound Addresses
  • 35.184.238.160
  • 104.155.159.182
  • 104.155.149.19
  • 130.211.230.102
When configured by customers, sentry.io also sends web requests to its customers’ servers. The most frequent requests Sentry makes are to fetch JavaScript source files and source maps, but we also connect using webhooks and other integrations. If you have configured network rules that only allow inbound requests from specific addresses, you will need to update those rules to include the additional addresses.
Alternative Methods of Authentication
In order to alleviate some of the pains caused with updating these addresses, Sentry provides the ability to append a token to our outbound request headers. You may configure this token by going to your Project Settings, and scrolling down to “Security Token” where you’ll find the following form:
By default, all outbound requests are appended with the X-Sentry-Token header using the security token as the value. This token can be verified by a webserver or a proxy, denying all traffic that does not match. Here’s an example for using nginx to deny unauthorized requests:
 map $http_x_sentry_token $from_sentry { f48e8f0eb1c911e493090025902d9efc 1; default 0; } location / { if ($from_sentry = '0') { return 403; } } 
Note that both the header name and token value can be configured to suit your preferences.
Moving forward, we strongly encourage your organization to use this authentication method instead of IP whitelisting.