Ingestion only through trusted Relays #4539

Open
@olksdr

Description

When users host Relay on-premises they want to restrict ingestion only through that local self-hosted Relay:

  • Add an option to Sentry to restrict ingestion that bypasses the local Relay
  • The path of ingested data should always be <SDKs> -> <self-hosted Relay> -> <ingest*.sentry.io> -> <Sentry>
  • Event ingestion should not be allowed directly from <SDKs> to <ingest*.sentry.io>, bypassing <self-hosted Relay>, if the option is enabled

In Relay we will need to make sure the received envelope is coming from a trusted Relay. Currently envelope requests are not signed with Relay's private key; this means for now we can at most use the sent relay id. This is enough to cover all cases of accidentally accepting envelopes from untrusted sources and is also relatively secure as long as the relay id is not leaked.

Additionally we can look and confer with our security team about stronger options.

A possible option is to not sign the entire sent request, but instead sign the request metadata, like the URL and headers, including a date-time header (possibly also the body's hash). Relay on the receiving side can then verify the signature and make sure the included date-time is still valid.

We can draw inspiration from other service providers here.

The 'security' level and settings should be properly documented, in the docs and/or the UI where the user can enable this feature.

Things to consider:

  • The UI and explaining the feature
  • Security considerations, if there are any
  • Users must understand (e.g. stats page) when there is data dropped due to being sent from an untrusted Relay
