HTTPS subpath with letsencrypt on existing server


Joao Ferreira

Dec 9, 2021, 4:19:35 PM
to NetBox
Today I have an HTTPS server with Let's Encrypt, with several subpaths. How would the configuration of netbox.conf look for example.com/netbox on apache2?

Brian Candler

Dec 10, 2021, 3:17:06 AM
to NetBox
You just need to set

BASE_PATH = 'netbox/'

in configuration.py, and then proxy this path:

Alias /netbox/static /opt/netbox/netbox/static

<Directory /opt/netbox/netbox/static>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
</Directory>

<Location /netbox/static>
    ProxyPass !
</Location>

ProxyPass /netbox http://127.0.0.1:8001/netbox
ProxyPassReverse /netbox http://127.0.0.1:8001/netbox

Joao Ferreira

Dec 10, 2021, 6:50:42 AM
to NetBox
<VirtualHost *:443>
    ProxyPreserveHost On

    # CHANGE THIS TO YOUR SERVER'S NAME
    ServerName myserver.exemple.com


    Alias /netbox/static /opt/netbox/netbox/static

    <Directory /opt/netbox/netbox/static>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>

    <Location /netbox/static>
        ProxyPass !
    </Location>

    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

    ProxyPass /netbox http://127.0.0.1:8001/netbox
    ProxyPassReverse /netbox http://127.0.0.1:8001/netbox
</VirtualHost>





# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
# BASE_PATH = 'netbox/'
BASE_PATH = 'netbox/'





Not Found

The requested URL was not found on this server.

Apache/2.4.38 (Debian) Server at  myserver.exemple.com   Port 443

Brian Candler

Dec 10, 2021, 7:31:53 AM
to NetBox
Did you change configuration.py to set BASE_PATH? Did you restart the netbox service after doing so?  Did you reload apache after changing its config?
If all that looks OK, then run tcpdump on the server to look at the proxied traffic:

tcpdump -i lo -nn -s0 -A tcp port 8001

Generate a request to https://myserver.exemple.com/netbox/ - does tcpdump show any traffic?
If no - the problem is with Apache config
If yes - the problem is with Netbox config

Clearly the Apache config you've shown is incomplete (it doesn't include any of the SSLEngine variables), so at this point you'll need to debug your configuration locally.

I have instances of Netbox v2.11.7 using BASE_PATH in this way behind Apache, and it works fine for me.

Brian Candler

Dec 10, 2021, 8:35:39 AM
to NetBox
> I'm uploading a video that shows you exactly what's going on.

> I ran the tcpdump as you indicated and got an answer.

> I went through the Netbox documentation (installation) to see if I missed something, but not

A 20MB video is not a great thing to provide.  A simple text copy-paste from the console would have been better; or at least put it on a hosting service and paste the URL.  As a result, nobody else on this group can see it.

For reference, the video shows:

1. a working Netbox installation, serving pages like https://192.168.1.131/ipam/prefixes/1/

A window with tcpdump shows the http requests being forwarded to the Netbox process successfully.

2. after some navigation, a completely different error ("'str' object has no attribute 'available_columns'") at /ipam/prefixes/1/prefixes/ which has nothing to do with the problem you raised.

It seems to be the same problem raised in a different thread but from a different person or E-mail address.  That problem is because you're running Netbox 3.0.0 - you should upgrade to 3.0.12

3. it shows contents of /etc/apache2/sites-available/netbox.conf with the /netbox prefix.  But it is bound to servername "mon.example.com", whereas you're accessing it from the web browser using hostname "192.168.1.131" - so most likely this virtualhost is being ignored.  I think you have another SSL site configured which is being used instead.

What it *doesn't* show is the error you reported before:

"Not Found

The requested URL was not found on this server.

Apache/2.4.38 (Debian) Server at  myserver.exemple.com   Port 443"

I suspect there are multiple problems here, and really you'll need to pick through them yourself - or get a local system administrator to help you.  All I can guess at this point is:

1. You almost certainly have not set BASE_PATH="netbox/" in configuration.py (or you forgot to restart Netbox).  If you had done this, then you would be forced to access Netbox on https://192.168.1.131/netbox/ - non-prefixed paths like /ipam/ would stop working entirely.

2. I believe you have some other configuration in Apache which is proxying to port 8001 - or you forgot to restart Apache after changing the config - or else you're looking at a completely different Apache server.  You'll need to find that config, and then modify it to use the /netbox path (so that applications which have a different prefix are working).

Maybe there are other things going on as well, but those two pointers should get you started.  As I say, if you need further help, a local system administrator will be in a much better position to help you, as they'll be able to see all the configs for Apache and help you work out what's wrong.  Good luck!

Joao Ferreira

Dec 10, 2021, 8:55:38 PM
to NetBox
the answer is no!
configuration.py , ok
restarted daemon, ok

apache updated;

<VirtualHost *:443>
    ProxyPreserveHost On

    # CHANGE THIS TO YOUR SERVER'S NAME
    ServerName myserver.exemple.com

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/myserver.exemple.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/myserver.exemple.com/privkey.pem

        
    Alias /netbox/static /opt/netbox/netbox/static

    <Directory /opt/netbox/netbox/static>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>

    <Location /netbox/static>
        ProxyPass !
    </Location>

    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
    ProxyPass /netbox http://127.0.0.1:8001
    ProxyPassReverse /netbox http://127.0.0.1:8001
</VirtualHost>


lsof output;
gunicorn   4893      netbox    5u  IPv4 210140492    0t0  TCP localhost:8001 (LISTEN)
gunicorn   4895      netbox    5u  IPv4 210140492    0t0  TCP localhost:8001 (LISTEN)
gunicorn   4896      netbox    5u  IPv4 210140492    0t0  TCP localhost:8001 (LISTEN)
gunicorn   4897      netbox    5u  IPv4 210140492    0t0  TCP localhost:8001 (LISTEN)
gunicorn   4898      netbox    5u  IPv4 210140492    0t0  TCP localhost:8001 (LISTEN)
gunicorn   4899      netbox    5u  IPv4 210140492    0t0  TCP localhost:8001 (LISTEN)


Brian Candler

Dec 11, 2021, 3:54:16 AM
to NetBox
To prove whether the problem is with BASE_PATH, show what the following commands print when run on your system:

curl -sS http://localhost:8001/ | grep /title
curl -sS http://localhost:8001/ipam/vlans/ | grep /title
curl -sS http://localhost:8001/netbox/ipam/vlans/ | grep /title

On my system, here's what I see with BASE_PATH='':

root@netbox3:~# curl -sS http://localhost:8001/ | grep /title
    <title>Home | NetBox</title>
root@netbox3:~# curl -sS http://localhost:8001/ipam/vlans/ | grep /title
    <title>VLANs | NetBox</title>
root@netbox3:~# curl -sS http://localhost:8001/netbox/ipam/vlans/ | grep /title
    <title>Page Not Found | NetBox</title>

Here's what I see with BASE_PATH='netbox/':

root@netbox3:~# curl -sS http://localhost:8001/ | grep /title
    <title>Page Not Found | NetBox</title>
root@netbox3:~# curl -sS http://localhost:8001/ipam/vlans/ | grep /title
    <title>Page Not Found | NetBox</title>
root@netbox3:~# curl -sS http://localhost:8001/netbox/ipam/vlans/ | grep /title
    <title>VLANs | NetBox</title>

What do you get?

Note also that configuration.py has these three lines:

# Base URL path if accessing NetBox within a directory. For example, if installed at https://example.com/netbox/, set:
# BASE_PATH = 'netbox/'
BASE_PATH = ''

If you uncomment the second line, you need to comment out the third line (otherwise the third line will reset it back again)

Joao Ferreira

Dec 13, 2021, 7:25:02 AM
to NetBox
[Attachments: 2021-12-13_091526.jpg, 2021-12-13_091254.jpg, 2021-12-13_091401.jpg]

Tested With;

<VirtualHost *:443>
    ProxyPreserveHost On

    # CHANGE THIS TO YOUR SERVER'S NAME
    ServerName myserver.exemple.com

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/myserver.exemple.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/myserver.exemple.com/privkey.pem

        
    Alias /netbox/static /opt/netbox/netbox/static

    <Directory /opt/netbox/netbox/static>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>

    <Location /netbox/static>
        ProxyPass !
    </Location>

    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
    ProxyPass /netbox http://127.0.0.1:8001
    ProxyPassReverse /netbox http://127.0.0.1:8001
</VirtualHost>

And;

<VirtualHost *:443>
    ProxyPreserveHost On

    # CHANGE THIS TO YOUR SERVER'S NAME
    ServerName myserver.exemple.com

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/myserver.exemple.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/myserver.exemple.com/privkey.pem

        
    Alias /netbox/static /opt/netbox/netbox/static

    <Directory /opt/netbox/netbox/static>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>

    <Location /netbox/static>
        ProxyPass !
    </Location>

    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
    ProxyPass /netbox http://127.0.0.1:8001/netbox
    ProxyPassReverse /netbox http://127.0.0.1:8001/netbox
</VirtualHost>

Brian Candler

Dec 13, 2021, 12:45:38 PM
to NetBox
Those screenshots, showing that it only works if /netbox/ is in the path, look fine. BASE_PATH is working.

Now if you access via your Apache frontend, you should find that you have to put /netbox/ there as well.

>     ProxyPass /netbox http://127.0.0.1:8001
>     ProxyPassReverse /netbox http://127.0.0.1:8001

No, that strips the /netbox/ prefix off.  Don't do that.

>    ProxyPass /netbox http://127.0.0.1:8001/netbox
>    ProxyPassReverse /netbox http://127.0.0.1:8001/netbox

That's correct. It should mean that https://myserver.exemple.com/netbox/ works.

If it doesn't, then you have something else in your config that's proxying to port 8001 and taking precedence over this rule.

grep -R 8001 /etc/apache2
or
grep -R 8001 /etc/httpd
(depending on where its config files are stored)
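
Added example, not part of the thread or of NetBox: a Python sketch of the two checks discussed above, namely which BASE_PATH assignment in configuration.py actually takes effect (the last one) and whether each ProxyPass rule pointing at port 8001 keeps the same prefix on both sides. The function names, verdict labels and sample inputs are constructed for illustration; it assumes BASE_PATH is assigned a literal string.

```python
import ast
import re

# Constructed sample: line 2 was uncommented but the original default was left in place.
SAMPLE_CONFIG_PY = """\
# BASE_PATH = 'netbox/'
BASE_PATH = 'netbox/'
BASE_PATH = ''
"""

# Constructed sample: one prefix-stripping rule, one correct rule, one competing catch-all.
SAMPLE_APACHE_CONF = """\
<Location /netbox/static>
    ProxyPass !
</Location>
ProxyPass /netbox http://127.0.0.1:8001
ProxyPassReverse /netbox http://127.0.0.1:8001/netbox
ProxyPass / http://127.0.0.1:8001/
"""

def effective_base_path(config_source):
    """Return the BASE_PATH Python ends up with: the last top-level assignment wins."""
    value = ""
    for node in ast.parse(config_source).body:
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == "BASE_PATH" for t in node.targets
        ):
            value = ast.literal_eval(node.value)  # assumes a literal string
    return value

# Two-argument forms only, so the one-argument exclusion "ProxyPass !" never matches.
RULE_RE = re.compile(r"^[ \t]*(ProxyPass(?:Reverse)?)[ \t]+(\S+)[ \t]+(\S+)", re.I | re.M)

def audit_proxy_rules(apache_conf, base_path, port="8001"):
    """Classify every ProxyPass/ProxyPassReverse rule that targets the given backend port."""
    prefix = "/" + base_path.strip("/") if base_path.strip("/") else ""
    findings = []
    for directive, front, target in RULE_RE.findall(apache_conf):
        if f":{port}" not in target:
            continue
        back = re.sub(r"^https?://[^/]+", "", target).rstrip("/")
        if front.rstrip("/") != prefix:
            verdict = "other-frontend-path"   # a different rule also reaches the backend
        elif back != prefix:
            verdict = "prefix-rewritten"      # e.g. /netbox stripped before proxying
        else:
            verdict = "ok"
        findings.append((directive, front, target, verdict))
    return findings

if __name__ == "__main__":
    print("effective BASE_PATH:", repr(effective_base_path(SAMPLE_CONFIG_PY)))
    for finding in audit_proxy_rules(SAMPLE_APACHE_CONF, "netbox/"):
        print(*finding)
```
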
