-
I'm doing SSO with Apache for Netbox and it's working well, I'll include a version of my config template, but I think the most likely issue is you may be failing to unset the RequestHeader for the /api URL when disabling SSO for that path, so it's being sent empty which is causing your no-auth situation.
```apache
Alias /static /opt/netbox/current/netbox/static
ProxyPass "/" "http://{{ netbox_socket }}/"
# ProxyPassReverse rewrites Location, Content-Location and URI headers in responses
ProxyPassReverse "/" "http://{{ netbox_socket }}/"
RequestHeader set X-Remote-User "%{REMOTE_USER}s"
RequestHeader set X-Remote-Groups "%{isMemberOf}e"
# Hint to Django app that redirects should use same scheme (https) as original request
RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"

<Location />
    AuthType shibboleth
    ShibRequestSetting applicationId https://netbox.{{ ansible_domain }}/shibboleth
    ShibRequireSession On
    Require shib-attr isMemberOf netbox_eligible_users
</Location>

<LocationMatch "/(api|graphql|metrics)">
    Satisfy Any
    Order Deny,Allow
{% for subnet in acl_netmgmt_api_ipv46 %}
    Allow from {{ subnet }}
{% endfor %}
    Deny from All
    AuthType None
    ShibDisable On
    RequestHeader unset X-Remote-User
    RequestHeader unset X-Remote-Groups
    Require all granted
</LocationMatch>

<Location /static>
    Satisfy Any
    Allow from all
    AuthType None
    ShibDisable On
    ProxyPass !
    RequestHeader unset X-Remote-User
    RequestHeader unset X-Remote-Groups
    Require all granted
</Location>

<LocationMatch "(?<CMSCGI>^/media/)">
    AuthType shibboleth
    Require shib-attr isMemberOf netbox_admins
    # This works because LocationMatch passes the matched string to ProxyPassMatch
    ProxyPassMatch "http://fileserver.{{ ansible_domain }}/Netbox-Shared"
    ProxyPassReverse "http://fileserver.{{ ansible_domain }}/Netbox-Shared"
    # Special bridge header to pass authentication from NetWeb to NetCMS
    RequestHeader set X-Remote-User "%{REMOTE_USER}s"
    RequestHeader set X-Remote-Groups "%{isMemberOf}e"
</LocationMatch>

<Directory /opt/netbox/current/netbox/static>
    Options Indexes FollowSymLinks MultiViews
</Directory>
```
-
My Apache 2.4 config using mod_auth_openidc is here <#9635 (comment)>, and the part relevant to your question is:
```apache
<Location />
    AuthType openid-connect
    Require claim roles:netbox:access
    AuthzSendForbiddenOnFailure on
</Location>
<Location /api/>
    AuthType openid-connect
    <RequireAny>
        Require claim roles:netbox:access
        # Allow access to /api/ with token instead of OIDC Auth
        # https://httpd.apache.org/docs/2.4/howto/access.html#env
        Require expr "%{HTTP:Authorization} =~ /^Token /"
    </RequireAny>
    AuthzSendForbiddenOnFailure on
</Location>
```
Proxying to `/api/` is allowed *either* if you have a valid OpenIDC login *or* if you're passing an API token. In the latter case this will allow requests with invalid API tokens, but Netbox itself will reject those.
-
Thanks to everybody for the help; this configuration was exactly what I needed and worked perfectly. I had actually seen your post earlier when I was working on getting the remote authentication going, but didn't notice this particular detail at the time or come across it again when I was searching specifically for this token issue.

On 4/27/2023 12:39 AM, Brian Candler wrote:

> > While initially this seemed to work, we discovered that the web UI appears to call the API from the client browser. As web server auth is disabled for the API, and the client browser isn't going to send an API token, the forms break with permission denied errors.
> >
> > If I remove the /api/ URL exclusion and enable remote user auth, the interactive client browser works. But then we can't use API tokens.
>
> My Apache 2.4 config using mod_auth_openidc is here <#9635 (comment)>, and the part relevant to your question is:
>
> ```apache
> <Location />
>     AuthType openid-connect
>     Require claim roles:netbox:access
>     AuthzSendForbiddenOnFailure on
> </Location>
> <Location /api/>
>     AuthType openid-connect
>     <RequireAny>
>         Require claim roles:netbox:access
>         # Allow access to /api/ with token instead of OIDC Auth
>         # https://httpd.apache.org/docs/2.4/howto/access.html#env
>         Require expr "%{HTTP:Authorization} =~ /^Token /"
>     </RequireAny>
>     AuthzSendForbiddenOnFailure on
> </Location>
> ```
>
> Proxying to `/api/` is allowed *either* if you have a valid OpenIDC login *or* if you're passing an API token. In the latter case this will allow requests with invalid API tokens, but Netbox itself will reject those.
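To make the two-stage behaviour concrete (the `RequireAny` rule on `/api/` from Brian's config, plus the `RequestHeader set`/`unset` handling of `X-Remote-User` from the first comment), here is an added Python model written for this thread; it is not Apache, NetBox or anyone's posted code, and the token store, user names and header handling are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed two-stage model: Apache decides whether to forward, NetBox decides
# whether the credentials are real. Neither the token store nor the users are real.
TOKEN_RE = re.compile(r"^Token ")  # same test as: Require expr "%{HTTP:Authorization} =~ /^Token /"
VALID_TOKENS = {"0123456789abcdef0123456789abcdef01234567": "svc-ansible"}  # constructed


@dataclass
class Request:
    path: str
    headers: Dict[str, str]          # headers exactly as the client sent them
    oidc_user: Optional[str] = None  # user of a valid mod_auth_openidc session, if any


def apache_forwards(req: Request) -> Tuple[bool, Dict[str, str]]:
    """Stage 1, the <Location> rules: returns (forwarded, headers NetBox will see)."""
    authz = req.headers.get("Authorization", "")
    if req.path.startswith("/api/"):
        # <RequireAny>: a valid OIDC session OR anything that merely looks like a token
        allowed = req.oidc_user is not None or bool(TOKEN_RE.search(authz))
    else:
        allowed = req.oidc_user is not None  # <Location />: OIDC session only
    if not allowed:
        return False, {}
    # The proxy owns the identity header: drop any client-supplied copy
    # (RequestHeader unset) and set it only from the session (RequestHeader set).
    upstream = {k: v for k, v in req.headers.items() if k.lower() != "x-remote-user"}
    if req.oidc_user is not None:
        upstream["X-Remote-User"] = req.oidc_user
    return True, upstream


def netbox_user(upstream: Dict[str, str]) -> Optional[str]:
    """Stage 2, simplified NetBox view: remote user wins, else the token must be known."""
    if "X-Remote-User" in upstream:
        return upstream["X-Remote-User"]
    m = re.match(r"^Token (\S+)$", upstream.get("Authorization", ""))
    return VALID_TOKENS.get(m.group(1)) if m else None


def end_to_end(req: Request) -> Tuple[str, Optional[str]]:
    """Outcome: 'denied-at-proxy', 'denied-by-netbox' or 'ok', plus the resolved user."""
    forwarded, upstream = apache_forwards(req)
    if not forwarded:
        return "denied-at-proxy", None
    user = netbox_user(upstream)
    return ("ok", user) if user else ("denied-by-netbox", None)
```

The browser UI's own calls to `/api/` succeed because the OIDC session satisfies the first `Require`, a script with a known token succeeds via the second, and a request that only looks like a token passes Apache but is rejected by NetBox.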
-
I just set up a netbox instance, we are using the CAS SSO protocol to authenticate our users. I enabled CAS auth on the apache webserver config, and turned on remote user auth in netbox. I excluded the /api/ URL from webserver authentication so we could use api tokens.
While initially this seemed to work, we discovered that the web UI appears to call the API from the client browser. As web server auth is disabled for the API, and the client browser isn't going to send an API token, the forms break with permission denied errors.
If I remove the /api/ URL exclusion and enable remote user auth, the interactive client browser works. But then we can't use API tokens.
Am I missing something? The only thing I can think of is to mix IP address auth with web server auth and not require CAS auth for /api/ based on IP address of systems that need to use tokens. But that wouldn't allow a single source system to both run a web browser against netbox and also use the API non-interactively. I don't think the CAS auth module supports "lazy auth", where it would use an existing auth session if one is found but not ask for one otherwise.
Thanks for any thoughts...