
External authentication no longer works #441

Closed
107142 opened this issue Feb 17, 2021 · 14 comments

Comments

107142 commented Feb 17, 2021

Current Behavior

After upgrading to current Docker container (2.10.3 > 2.10.4) REMOTE_AUTH no longer works.
Looking at the NGINX Unit docs, it seems Unit does not support handling REMOTE_USER headers.

Expected Behavior

REMOTE_USER header gets passed to the back-end.

Debug Information

docker-compose version:

docker-py version: 4.4.1
CPython version: 3.7.3
OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019

docker version:

Client: Docker Engine - Community
 Version:           20.10.3
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        48d30b5
 Built:             Fri Jan 29 14:33:25 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.3
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       46229ca
  Built:            Fri Jan 29 14:31:38 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.3
  GitCommit:        269548fa27e0089a8b8278fc4fc781d7f65a939b
 runc:
  Version:          1.0.0-rc92
  GitCommit:        ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

The output of git rev-parse HEAD: XXXXX
Not using git.

The command you used to start the project:
docker-compose -f docker-compose.new.yml up --detach --build

The output of docker inspect netboxcommunity/netbox:latest --format "{{json .Config.Labels}}":

{
  "BUILD_REASON": "netbox-docker",
  "NETBOX_GIT_BRANCH": "HEAD",
  "NETBOX_GIT_REF": "856d2e317605011e16a17bd87062721737ce3474",
  "NETBOX_GIT_URL": "https://github.com/netbox-community/netbox.git",
  "ORIGINAL_TAG": "docker.io/netboxcommunity/netbox:v2.10.4",
  "org.label-schema.build-date": "2021-02-10T12:16+00:00",
  "org.label-schema.description": "A container based distribution of NetBox, the free and open IPAM and DCIM solution.",
  "org.label-schema.name": "NetBox Docker",
  "org.label-schema.schema-version": "1.0",
  "org.label-schema.url": "https://github.com/netbox-community/netbox-docker",
  "org.label-schema.usage": "https://github.com/netbox-community/netbox-docker/wiki",
  "org.label-schema.vcs-ref": "c80fb19507679938528817ab8a9b03514bd1e8be",
  "org.label-schema.vcs-url": "https://github.com/netbox-community/netbox-docker.git",
  "org.label-schema.vendor": "The netbox-docker contributors.",
  "org.label-schema.version": "1.0.2",
  "org.opencontainers.image.authors": "The netbox-docker contributors.",
  "org.opencontainers.image.created": "2021-02-10T12:16+00:00",
  "org.opencontainers.image.description": "A container based distribution of NetBox, the free and open IPAM and DCIM solution.",
  "org.opencontainers.image.documentation": "https://github.com/netbox-community/netbox-docker/wiki",
  "org.opencontainers.image.licenses": "Apache-2.0",
  "org.opencontainers.image.revision": "c80fb19507679938528817ab8a9b03514bd1e8be",
  "org.opencontainers.image.source": "https://github.com/netbox-community/netbox-docker.git",
  "org.opencontainers.image.title": "NetBox Docker",
  "org.opencontainers.image.url": "https://github.com/netbox-community/netbox-docker",
  "org.opencontainers.image.vendor": "The netbox-docker contributors.",
  "org.opencontainers.image.version": "1.0.2"
}

The output of docker-compose logs netbox:

Feb 17 15:44:35 netbox netbox/netbox[18648]: 2021/02/17 14:44:35 [notice] 1#1 process 20 exited with code 0
Feb 17 15:44:35 netbox netbox/netbox[18648]: 🧬 loaded config '/etc/netbox/config/configuration.py'
Feb 17 15:44:35 netbox netbox/netbox[18648]: 🧬 loaded config '/etc/netbox/config/configuration.py'
Feb 17 15:44:35 netbox netbox/netbox[18648]: 🧬 loaded config '/etc/netbox/config/extra.py'
Feb 17 15:44:35 netbox netbox/netbox[18648]: 2021/02/17 14:44:35 [notice] 1#1 process 21 exited with code 0
Feb 17 15:44:35 netbox netbox/netbox-worker[18648]: 🧬 loaded config '/etc/netbox/config/configuration.py'
Feb 17 15:44:35 netbox netbox/netbox-worker[18648]: 🧬 loaded config '/etc/netbox/config/configuration.py'
Feb 17 15:44:35 netbox netbox/netbox-worker[18648]: 🧬 loaded config '/etc/netbox/config/extra.py'
Feb 17 15:44:35 netbox netbox/netbox[18648]: 2021/02/17 14:44:35 [notice] 1#1 process 432 exited with code 0
Feb 17 15:45:26 netbox netbox/netbox[18648]: 🧬 loaded config '/etc/netbox/config/configuration.py'
Feb 17 15:45:26 netbox netbox/netbox[18648]: 🧬 loaded config '/etc/netbox/config/configuration.py'
Feb 17 15:45:26 netbox netbox/netbox[18648]: 🧬 loaded config '/etc/netbox/config/extra.py'
Feb 17 15:45:26 netbox netbox/netbox[18648]: Operations to perform:
Feb 17 15:45:26 netbox netbox/netbox[18648]:   Apply all migrations: admin, auth, circuits, contenttypes, dcim, extras, ipam, secrets, sessions, taggit, tenancy, users, virtualization
Feb 17 15:45:26 netbox netbox/netbox[18648]: Running migrations:
Feb 17 15:45:26 netbox netbox/netbox[18648]:   No migrations to apply.
Feb 17 15:45:26 netbox netbox/netbox[18648]: ↩️ Skip creating the superuser
Feb 17 15:45:28 netbox netbox/netbox[18648]: 🧬 loaded config '/etc/netbox/config/configuration.py'
Feb 17 15:45:28 netbox netbox/netbox[18648]: 🧬 loaded config '/etc/netbox/config/configuration.py'
Feb 17 15:45:28 netbox netbox/netbox[18648]: 🧬 loaded config '/etc/netbox/config/extra.py'
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/000_users.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/010_groups.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/020_custom_fields.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/020_tags.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/030_regions.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/040_sites.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/050_manufacturers.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/060_device_types.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/070_rack_roles.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/075_rack_groups.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/080_racks.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/090_device_roles.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/100_platforms.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/110_tenant_groups.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/120_tenants.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/130_cluster_types.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/135_cluster_groups.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/135_clusters.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/140_clusters.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/140_devices.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/145_devices.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/150_rirs.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/160_aggregates.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/165_cluster_groups.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/175_route_targets.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/180_vrfs.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/190_prefix_vlan_roles.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/200_vlan_groups.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/210_vlans.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/220_prefixes.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/230_virtual_machines.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/240_virtualization_interfaces.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/250_dcim_interfaces.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/260_ip_addresses.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/270_primary_ips.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/280_custom_links.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/280_providers.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/290_circuit_types.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/290_webhooks.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/300_circuits.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/310_secret_roles.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/320_services.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/330_power_panels.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ▶️  Running the startup script /opt/netbox/startup_scripts/340_power_feeds.py
Feb 17 15:45:28 netbox netbox/netbox[18648]: ✅ Initialisation is done.
Feb 17 15:45:28 netbox netbox/netbox[18648]: ⏳ Waiting for control socket to be created... (1/10)
Feb 17 15:45:28 netbox netbox/netbox[18648]: 2021/02/17 14:45:28 [warn] 1#1 Unit is running unprivileged, then it cannot use arbitrary user and group.
Feb 17 15:45:28 netbox netbox/netbox[18648]: 2021/02/17 14:45:28 [info] 1#1 unit started
Feb 17 15:45:28 netbox netbox/netbox[18648]: 2021/02/17 14:45:28 [info] 15#15 discovery started
Feb 17 15:45:28 netbox netbox/netbox[18648]: 2021/02/17 14:45:28 [notice] 15#15 module: python 3.8.7 "/usr/lib/unit/modules/python3.unit.so"
Feb 17 15:45:28 netbox netbox/netbox[18648]: 2021/02/17 14:45:28 [info] 1#1 controller started
Feb 17 15:45:28 netbox netbox/netbox[18648]: 2021/02/17 14:45:28 [info] 17#17 router started
Feb 17 15:45:28 netbox netbox/netbox[18648]: 2021/02/17 14:45:28 [notice] 1#1 process 15 exited with code 0
Feb 17 15:45:28 netbox netbox/netbox[18648]: 2021/02/17 14:45:28 [info] 17#17 OpenSSL 1.1.1i  8 Dec 2020, 1010109f
Feb 17 15:45:29 netbox netbox/netbox[18648]: ⚙️ Applying configuration from /etc/unit/nginx-unit.json
Feb 17 15:45:29 netbox netbox/netbox[18648]: 2021/02/17 14:45:29 [info] 21#21 "netbox" application started
Feb 17 15:45:31 netbox netbox/netbox[18648]: ✅ Unit configuration loaded successfully
Feb 17 15:45:31 netbox netbox/netbox[18648]: 2021/02/17 14:45:31 [notice] 1#1 process 13 exited with code 0
cimnine (Collaborator) commented Feb 17, 2021

To seek help, please use the Github Discussions, or create a proper bug report by completing our bug-report template.

cimnine added the "awaiting answer" and "invalid-template" labels on Feb 17, 2021
107142 (Author) commented Feb 17, 2021

Updated the OP. I should note that NetBox itself works fine; what does not is the external authentication. The previous version works fine, and since the major change was the replacement of gunicorn with NGINX Unit, I suspect it has something to do with that.

no-response bot removed the "awaiting answer" label on Feb 17, 2021
cimnine removed the "invalid-template" label on Feb 17, 2021
tobiasge (Member) commented:

I couldn't reproduce this problem. Do you have some more information?
Could you share the REMOTE_* settings you have in your configuration?

tobiasge added the "awaiting answer" label on Feb 19, 2021
107142 (Author) commented Feb 23, 2021

NetBox is configured strictly through environment variables. Most of the config is default:

      REMOTE_AUTH_ENABLED: "true"
      REMOTE_AUTH_AUTO_CREATE_USER: "true"

I'm using Apache reverse proxy with mod_auth_oidc authenticating users via REMOTE_USER header.

no-response bot removed the "awaiting answer" label on Feb 23, 2021

alexfossa commented:

I have noticed the same. I have done a capture within the netbox container and can see the REMOTE_AUTH headers being passed; they are just not honored.

Let me know if you need any outputs / testing done.

cimnine (Collaborator) commented Mar 8, 2021

Can you try to set discard_unsafe_fields to false in nginx_unit.json, and then re-create the container?

The corresponding docs say:

Controls the parsing mode of header field names. If set to true, Unit only processes headers with names consisting of alphanumeric characters and hyphens (-); otherwise, all valid RFC 7230 header fields are processed.

The default value is true.

This would match your described behaviour.

The alternative would be to set REMOTE_AUTH_HEADER to e.g. X-Remote-Auth or Remote-Auth (and changing your authentication logic accordingly), i.e. avoiding the underscore (_).

alexfossa commented:

I've tried setting this in the nginx_unit.json and rebuilding.

I have also changed my header to be REMOTE-AUTH-HEADER to no avail.

In the netbox ENV file I have set - REMOTE_AUTH_HEADER to be both REMOTE-AUTH-HEADER and X-REMOTE-AUTH-HEADER to test.

In the netbox docs it says:

REMOTE_AUTH_HEADER
Default: 'HTTP_REMOTE_USER'

When remote user authentication is in use, this is the name of the HTTP header which informs NetBox of the currently authenticated user. For example, to use the request header X-Remote-User it needs to be set to HTTP_X_REMOTE_USER. (Requires REMOTE_AUTH_ENABLED.)

cimnine (Collaborator) commented Mar 9, 2021

For example, to use the request header X-Remote-User it needs to be set to HTTP_X_REMOTE_USER

Ah, I did not know that. So that would mean, your authenticating proxy has to send a Remote-User header if you set REMOTE_AUTH_HEADER to HTTP_REMOTE_USER. I believe you have checked that it doesn't actually send REMOTE_USER instead, right?

Since you said you've captured in the container: Can you share such a request with us?

107142 (Author) commented Mar 10, 2021

Can you try to set discard_unsafe_fields to false in nginx_unit.json, and then re-create the container?

Can confirm this works. Identical config as before.
Inside the container I just disabled discard_unsafe_fields via Unit's control socket (no need for container restart/re-create):
curl -X PUT -d '{ "http": { "discard_unsafe_fields": false } }' --unix-socket /opt/unit/unit.sock 'http://localhost/config/settings/'

cimnine (Collaborator) commented Mar 12, 2021

@tobiasge Shall we add discard_unsafe_fields: false to the default configuration? Wdyt?

tobiasge (Member) commented:

@tobiasge Shall we add discard_unsafe_fields: false to the default configuration? Wdyt?

I think this was introduced to prevent the overriding of headers. When we set this to true the headers X-Remote-User and X_Remote_User will end up in the same field in Netbox. I would not do that.
We could describe this in the Wiki with a Link to the Nginx Unit documentation.
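The two mechanics discussed in this thread, the header-name-to-environ mapping that the quoted NetBox docs describe (X-Remote-User is read as HTTP_X_REMOTE_USER) and the X-Remote-User / X_Remote_User collision that tobiasge raises, modelled in a small Python script. This is an added example, not code from netbox-docker, NGINX Unit or NetBox: it emulates Unit's discard_unsafe_fields filter and the CGI-style header mapping with its own functions (wsgi_meta_name, build_environ, remote_user and colliding_meta_keys are names chosen for this example), and the request headers it feeds in are constructed, not captured traffic. The last-occurrence-wins rule for duplicate environ keys is an assumption of the model, not a statement about how Unit orders them.

```python
import re

# Added example (not netbox-docker, NGINX Unit or NetBox code): a model of how
# a proxy-set identity header travels from the wire into the WSGI environ that
# NetBox's REMOTE_AUTH backend reads, and what Unit's discard_unsafe_fields
# filter changes about that.

# Unit's "safe" field-name set as documented: alphanumerics and hyphen only.
SAFE_FIELD_NAME = re.compile(r"^[A-Za-z0-9-]+$")
# RFC 7230 token characters (tchar): what is syntactically valid at all.
TCHAR_FIELD_NAME = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def wsgi_meta_name(header_name):
    """CGI/WSGI environ key for a header: upper-case, '-' to '_', 'HTTP_' prefix.

    This is the mapping the NetBox docs describe (X-Remote-User is read as
    HTTP_X_REMOTE_USER).  It is lossy: 'X-Remote-User' and 'X_Remote_User'
    both map to the same key.
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_environ(headers, discard_unsafe_fields=True):
    """Build the HTTP_* part of a WSGI environ from (name, value) pairs.

    With discard_unsafe_fields=True (Unit's documented default) any field
    whose name is not alphanumeric-plus-hyphen is dropped, so a proxy header
    literally named REMOTE_USER never reaches the application.  Duplicate
    environ keys: last occurrence wins (an assumption of this model).
    """
    environ = {}
    for name, value in headers:
        if not TCHAR_FIELD_NAME.match(name):
            raise ValueError("invalid header field name: %r" % name)
        if discard_unsafe_fields and not SAFE_FIELD_NAME.match(name):
            continue  # this is where an underscore header such as REMOTE_USER disappears
        environ[wsgi_meta_name(name)] = value
    return environ


def remote_user(environ, remote_auth_header="HTTP_REMOTE_USER"):
    """What NetBox's REMOTE_AUTH_HEADER lookup amounts to: the environ key
    named by REMOTE_AUTH_HEADER (default HTTP_REMOTE_USER), or None when the
    key is absent or empty."""
    return environ.get(remote_auth_header) or None


def colliding_meta_keys(headers):
    """Environ keys fed by more than one distinct header name.

    Any entry here means the application cannot tell the proxy-set header
    from a client-supplied look-alike once discard_unsafe_fields is off, so
    the proxy must strip every spelling of the identity header from client
    input, not only the hyphenated one.
    """
    names_per_key = {}
    for name, _ in headers:
        names_per_key.setdefault(wsgi_meta_name(name), set()).add(name)
    return {k: sorted(v) for k, v in names_per_key.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    # 1) The proxy sets REMOTE_USER, the header name from the original report.
    proxied = [("Host", "netbox.example.internal"), ("REMOTE_USER", "alice")]
    print("default Unit settings       ->", remote_user(build_environ(proxied)))
    print("discard_unsafe_fields=false ->",
          remote_user(build_environ(proxied, discard_unsafe_fields=False)))

    # 2) The proxy sets X-Remote-User; a client smuggles X_Remote_User alongside.
    smuggled = [("X-Remote-User", "alice"), ("X_Remote_User", "admin")]
    print("collisions:", colliding_meta_keys(smuggled))
    for discard in (True, False):
        env = build_environ(smuggled, discard_unsafe_fields=discard)
        print("discard_unsafe_fields=%s -> %s"
              % (str(discard).lower(), remote_user(env, "HTTP_X_REMOTE_USER")))

    # 3) An IAP-style header: REMOTE_AUTH_HEADER must name the environ key,
    #    not the wire header (constructed value).
    iap = [("x-goog-authenticated-user-email", "accounts.google.com:bob@example.com")]
    env = build_environ(iap)
    print(remote_user(env, "x-goog-authenticated-user-email"))
    print(remote_user(env, "HTTP_X_GOOG_AUTHENTICATED_USER_EMAIL"))
```

Running it shows the three situations in the thread side by side: with the default filter the REMOTE_USER header is silently absent from the environ; with the filter off it arrives, but so would a client-supplied X_Remote_User, landing in the same HTTP_X_REMOTE_USER key as the proxy's X-Remote-User; and a lower-case wire header name only works once REMOTE_AUTH_HEADER is given in its HTTP_ form.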

107142 (Author) commented Apr 9, 2021

Would you consider using a toggle for this based on ENVAR value?
Something like this in launch-netbox.sh:

if [ "$NGINX_DISCARD_UNSAFE_FIELDS" == "false" ]; then
  curl -X PUT -d '{ "http": { "discard_unsafe_fields": false } }' --unix-socket /opt/unit/unit.sock 'http://localhost/config/settings/'
fi

or in docker-entrypoint.sh:

if [ "$NGINX_DISCARD_UNSAFE_FIELDS" == "false" ]; then
  sed -i 's/\/dev\/stdout\"/&,\n\n  \"settings\": {\n    \"http\": {\n      \"discard_unsafe_fields\": false\n    }\n  }/' /etc/unit/nginx-unit.json
fi

There are not that many ways for a user to properly change this. Overriding the Nginx config file will block any upstream changes, the same goes for overriding the CMD directive. And since Docker will not run arbitrary commands after CMD (despite requests), the only way that is currently reasonable is to (ab)use the HEALTHCHECK directive.

mumblez commented Sep 16, 2021

Hi Guys,

I'm having trouble getting this to work with Google Cloud IAP, which sets the user email in the header x-goog-authenticated-user-email.

For netbox envs I've set:

REMOTE_AUTH_ENABLED=true
REMOTE_AUTH_AUTO_CREATE_USER=true
REMOTE_AUTH_HEADER=x-goog-authenticated-user-email

And ran after netbox start:

docker-compose exec netbox curl -X PUT -d '{ "http": { "discard_unsafe_fields": false } }' --unix-socket /opt/unit/unit.sock 'http://localhost/config/settings/'

also tried with:

REMOTE_AUTH_HEADER=HTTP_X_GOOG_AUTHENTICATED_USER_EMAIL

but no luck

Any idea what else I'm missing?

mumblez commented Sep 16, 2021

nvm, working with:

REMOTE_AUTH_ENABLED=True
REMOTE_AUTH_AUTO_CREATE_USER=True
REMOTE_AUTH_HEADER=HTTP_X_GOOG_AUTHENTICATED_USER_EMAIL

(Had to capitalise the true)
