CSRF error when trying to use pynetbox to post to API

John Schubert

Jan 11, 2021, 9:57:59 AM
to netbox-...@googlegroups.com
Guessing I am missing something simple. I am getting a
"pynetbox.core.query.RequestError: The request failed with code 403
Forbidden: {'detail': 'CSRF Failed: Referer checking failed - no
Referer.'}" when trying to post to the API. NetBox 2.10.3 is running on
CentOS 8 behind Apache with gunicorn. Config has been reduced to the
defaults as much as I can to try and figure out my issue.

I have a working production install and this is supposed to be our dev
instance. I have diffed configs and re-read the installation instructions,
and I still can't find what I am missing. Any pointers would be most
appreciated.

Thanks.

-John

Brian Candler

Jan 11, 2021, 10:48:06 AM
to NetBox
Can you show a tcpdump of the exchange between the client and proxy (if it's not https), and between proxy and netbox (e.g. localhost:8001)?

The API should not require a "Referer:" header AFAIK.

Is your dev instance definitely running inside the virtualenv, and not using global versions of python packages?

John Schubert

Jan 11, 2021, 1:08:21 PM
to netbox-...@googlegroups.com

Pcaps show the requests are exactly the same between prod and dev. I am doing this from the same test host to the different NetBox servers to keep it simple. To me this implies I am missing a setting somewhere on the new server. [Allowed Hosts] is set to the new DNS name and IPs. I have tried with a "*" but no difference.

Also using the standard systemd startup script. To me it looks like it is using the virtual env:

cat /etc/systemd/system/netbox.service
[Unit]
Description=NetBox WSGI Service
Documentation=https://netbox.readthedocs.io/en/stable/
After=network-online.target
Wants=network-online.target

[Service]
Type=simple

User=netbox
Group=netbox
PIDFile=/var/tmp/netbox.pid
WorkingDirectory=/opt/netbox

ExecStart=/opt/netbox/venv/bin/gunicorn --pid /var/tmp/netbox.pid --pythonpath /opt/netbox/netbox --config /opt/netbox/gunicorn.py netbox.wsgi

Restart=on-failure
RestartSec=30
PrivateTmp=true

[Install]
WantedBy=multi-user.target


Brian Candler

Jan 11, 2021, 4:42:05 PM
to NetBox
I can only point you to this note on ALLOWED_HOSTS:

./docs/configuration/required-settings.md:The value of this option is also used to set `CSRF_TRUSTED_ORIGINS`, which restricts POST requests to the same set of hosts (more about this [here](https://docs.djangoproject.com/en/stable/ref/settings/#std:setting-CSRF_TRUSTED_ORIGINS)). Keep in mind that NetBox, by default, sets `USE_X_FORWARDED_HOST` to true, which means that if you're using a reverse proxy, it's the FQDN used to reach that reverse proxy which needs to be in this list (more about this [here](https://docs.djangoproject.com/en/stable/ref/settings/#allowed-hosts)).

Compare carefully the tcpdumps to see what X-Forwarded-Host: value is provided in both dev and prod, and do a direct diff of configuration.py and of the Apache configs.
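
As an added example (not part of the thread and not Django's or NetBox's own code), the following is a simplified Python model of the Referer check that Django's CSRF middleware applies to HTTPS requests when CSRF protection is enforced, showing how the trusted origins and the X-Forwarded-Host value described in the note above feed into it. The host names, the settings values and the function names are constructed for illustration, and port handling is omitted.

```python
from urllib.parse import urlparse

# Constructed settings; NetBox derives CSRF_TRUSTED_ORIGINS from ALLOWED_HOSTS.
ALLOWED_HOSTS = ["netbox-dev.example.com"]
CSRF_TRUSTED_ORIGINS = list(ALLOWED_HOSTS)
USE_X_FORWARDED_HOST = True


def is_same_domain(host, pattern):
    """Exact match, or subdomain match when the pattern starts with a dot."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def effective_host(headers):
    """Host the application sees: X-Forwarded-Host wins when the setting is on."""
    if USE_X_FORWARDED_HOST and "X-Forwarded-Host" in headers:
        return headers["X-Forwarded-Host"]
    return headers.get("Host", "")


def referer_check(headers, secure, trusted=CSRF_TRUSTED_ORIGINS):
    """Return None if the request passes, else the rejection reason."""
    if not secure:
        return None  # the strict Referer check only applies to HTTPS requests
    referer = headers.get("Referer")
    if referer is None:
        return "Referer checking failed - no Referer."
    parsed = urlparse(referer)
    if not parsed.scheme or not parsed.netloc:
        return "Referer checking failed - Referer is malformed."
    if parsed.scheme != "https":
        return "Referer checking failed - Referer is insecure while host is secure."
    good_hosts = list(trusted) + [effective_host(headers)]
    if not any(is_same_domain(parsed.netloc, h) for h in good_hosts):
        return "Referer checking failed - %s does not match any trusted origins." % referer
    return None
```

With no Referer header on a secure request, the model returns the same reason string quoted in the original error before the trusted-origin list is ever consulted.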

John Schubert

Jan 11, 2021, 5:01:30 PM
to netbox-...@googlegroups.com

Thanks Brian. I have just done that again. No difference other than SSL cert and host name that I can find. I tried setting ALLOW_HOSTS to '*' (with restarting services) and that didn't make a difference.

We did do a db dump from prod into dev. Anyone know if there is some form of setting in the DB that would override the config files? Everything else works fine on the dev system.

Thanks

-John
