REMOTE_AUTH_HEADER for RemoteUserBackend documented but not working

[chy-causer]

Hi there,

I'm following the instructions on authentication, specifically to get a username working via a header coming in on X-Remote-User. This is what I have in my configuration

REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_X_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True

However, I am still anonymous and I have to put in my password into the login page to log in. I'm looking through the source code of RemoteUserBackend and cannot see any mention of REMOTE_AUTH_HEADER. Similarly the instructions to the parent class give a different method of changing the variable name:

from django.contrib.auth.middleware import RemoteUserMiddleware

class CustomHeaderMiddleware(RemoteUserMiddleware):
    header = 'HTTP_AUTHUSER'

I've taken a look at the source for this middleware and I cannot see any mention of REMOTE_AUTH_HEADER either.

Is there something I'm doing wrong here? Apache2 which is doing the proxying has my username in the logs, and other applications are using the django.contrib.auth.middleware.RemoteUserMiddleware, by subclassing seemingly without issue..

Any help appreciated.

[mtinberg]

You may want to use tcpdump to watch the http traffic between the Apache server and the WSGI worker to make sure that the header is being included in the proxied request and you've configured Netbox to look for the right header. eg if you are using ProxyPass / ProxyPassReverse in Apache you may need to use RequestHeader set X-REMOTE_USER "%{REMOTE_USER}s" RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s" because those headers don't get forwarded by default IIRC — Mark Tinberg ***@***.***> Division of Information Technology-Network Services University of Wisconsin-Madison

…

________________________________ From: Christopher Causer ***@***.***> Sent: Thursday, May 12, 2022 10:43 AM To: netbox-community/netbox ***@***.***> Cc: Subscribed ***@***.***> Subject: [netbox-community/netbox] REMOTE_AUTH_HEADER for RemoteUserBackend documented but not working (Discussion #9352) Hi there, I'm following the instructions on authentication<https://docs.netbox.dev/en/stable/administration/authentication/overview/>, specifically to get a username working via a header coming in on X-Remote-User. This is what I have in my configuration REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend' REMOTE_AUTH_HEADER = 'HTTP_X_REMOTE_USER' REMOTE_AUTH_AUTO_CREATE_USER = True However, I am still anonymous and I have to put in my password into the login page to log in. I'm looking through the source code of RemoteUserBackend<https://github.com/netbox-community/netbox/blob/develop/netbox/netbox/authentication.py> and cannot see any mention of REMOTE_AUTH_HEADER. Similarly the instructions to the parent class give a different method<https://docs.djangoproject.com/en/4.0/howto/auth-remote-user/> of changing the variable name: from django.contrib.auth.middleware import RemoteUserMiddleware class CustomHeaderMiddleware(RemoteUserMiddleware): header = 'HTTP_AUTHUSER' I've taken a look at the source for this middleware and I cannot see any mention of REMOTE_AUTH_HEADER either. Is there something I'm doing wrong here? Apache2 which is doing the proxying has my username in the logs, and other applications are using the django.contrib.auth.middleware.RemoteUserMiddleware, by subclassing seemingly without issue.. Any help appreciated. — Reply to this email directly, view it on GitHub<#9352>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAS7UMYTUSC5YMBPVFXTTTTVJURIRANCNFSM5VYWBCAQ>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[candlerb]

Just stating the obvious, did you also set REMOTE_AUTH_ENABLED = True ?

As Mark says, you can use tcpdump to see what's being passed between the reverse proxy and Netbox:

tcpdump -i lo -nn -s0 -A tcp port 8001

If you don't see X-Remote-User: xxx in there, then you know the problem is with Apache. If you do, then you know it's with your Netbox configuration.

[chy-causer]

That's great, thanks! The REMOTE_AUTH_ENABLED = True did the trick.

I guess there are two follow-ons from that:

1. Is there a case where the following scenario makes sense? Could the first attribute imply True in the second in the default case?

    REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend';
    REMOTE_AUTH_ENABLED=False # Or omitted as I had in my config
   

2. If it isn't possible to implicitly set REMOTE_AUTH_ENABLED=True, is there a reason this setting isn't mentioned in the docs at https://docs.netbox.dev/en/stable/administration/authentication/overview/

Again thanks for your suggestion. As I say it works perfectly now.

[candlerb]

1. Is there a case where the following scenario makes sense? Could the first attribute imply True in the second in the default case?

    REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend';
    REMOTE_AUTH_ENABLED=False # Or omitted as I had in my config
   

No, because REMOTE_AUTH_BACKEND already defaults to 'netbox.authentication.RemoteUserBackend'

I guess you are proposing to change this to REMOTE_AUTH_BACKEND = None to disable remote auth. That would also work, but it's just a different approach to achieve the same thing. I think it is fine and logical as it stands.

2. If it isn't possible to implicitly set REMOTE_AUTH_ENABLED=True, is there a reason this setting isn't mentioned in the docs at https://docs.netbox.dev/en/stable/administration/authentication/overview/

It probably should be mentioned there. However, note that it is already shown in configuration_example.py, where it's obvious it has to be changed from False to True.