using netbox behind a reverse proxy that handles auth


Dustin Cannon

Mar 6, 2019, 4:35:49 PM
to NetBox
Netbox is really awesome and I'm currently testing it at the company I work for in hopes we can replace our current janked up inventory system with it. We have a reverse proxy that handles user authentication and passes HTTP headers along to applications behind it. So, I'm wondering how I can hook into, override, or disable the built-in Django auth model. Ideally I'd like to have netbox look at the header it gets which contains the username and have netbox recognize that user is logged in. But I don't want them to have to type a password to be able to make changes via the web UI. I do however still want API token authentication to work, ideally. So, given the above, I guess my questions are:

Is this possible without major changes to netbox itself?

If I wanted to just disable authentication (for users and API tokens) altogether, how would I go about doing that?

If anyone can provide any insight or at least point me in the right direction I would be extremely grateful.

Thanks in advance!
- Dustin


p.s. I know LDAP auth is an option but I'd like to not go that route if possible.

Douglas Heriot

Mar 6, 2019, 7:08:39 PM
to NetBox
This is a feature I'm also very interested in. We need SAML integration, but need to decide whether to go for this proxy approach, or to integrate a Django SAML module.

These issues here have some discussion you'll be interested in:

Brian Candler

Mar 7, 2019, 2:59:30 AM
to NetBox
And if you need to get it running today, see the resources linked from those tickets.

For proxy authentication: https://groups.google.com/forum/#!msg/netbox-discuss/BTB8q8CzmrA/2BcnbectAQAJ (and correction in the following post)

For SAML: https://github.com/explody/netbox/blob/basic_saml_support/README_SAML.md

Dustin Cannon

Mar 12, 2019, 6:45:55 PM
to NetBox
Thanks for the links. These were helpful. I was able to get this working after reading https://docs.djangoproject.com/en/2.1/howto/auth-remote-user/ carefully.

I did have to subclass RemoteUserMiddleware and do header = 'HTTP_REMOTE_USER'. In my environment the proxy passes a header to nginx. In nginx I set the Remote-User header to that value. When it makes it into Django it is in the request.META at the key 'HTTP_REMOTE_USER'.

Also, in my use case I want every user that logs in to have superuser privs, so I also had to subclass RemoteUserBackend and override the configure_user(request, user) method to set user.is_superuser = True when it automatically creates a new user (https://docs.djangoproject.com/en/2.1/ref/contrib/auth/#django.contrib.auth.backends.RemoteUserBackend.configure_user).

I'm pretty impressed with how easy it was to do this in Django without making invasive changes. Props to Django for not being shitty. So far so good, but it still needs more testing and I'm not sure how this is going to play with API tokens or Netbox upgrades yet. I will keep you updated on this thread. If you need more detail I'm happy to provide it.
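
Added example, not part of the posts above or of NetBox's own code: the HTTP_REMOTE_USER key is only trustworthy when the request actually came through the authenticating proxy, so this Django-style middleware removes it for any other peer. The names TRUSTED_PROXIES, peer_is_trusted and TrustedProxyHeaderGuard are assumptions, as is nginx connecting from loopback; it would be listed in MIDDLEWARE ahead of the RemoteUserMiddleware subclass.

```python
import ipaddress

# Assumption: the only addresses the reverse proxy (nginx) connects from.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("::1/128"),
]

# Key named in the thread: the Remote-User header as seen in request.META.
REMOTE_USER_KEY = "HTTP_REMOTE_USER"


def peer_is_trusted(remote_addr):
    """Return True only if the connecting peer is a configured proxy."""
    try:
        peer = ipaddress.ip_address(remote_addr or "")
    except ValueError:
        return False  # empty or malformed REMOTE_ADDR is never trusted
    return any(peer in net for net in TRUSTED_PROXIES)


class TrustedProxyHeaderGuard:
    """Drop HTTP_REMOTE_USER unless a trusted proxy delivered the request.

    Written as a plain Django middleware callable, so it needs no Django
    import and works on any object exposing a META dict.
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        meta = request.META
        if not peer_is_trusted(meta.get("REMOTE_ADDR")):
            # Request bypassed the proxy: the header proves nothing.
            meta.pop(REMOTE_USER_KEY, None)
        elif not meta.get(REMOTE_USER_KEY, "").strip():
            # Proxy sent a blank value: treat it as "no user".
            meta.pop(REMOTE_USER_KEY, None)
        return self.get_response(request)
```

The guard complements, and does not replace, binding the application server to an address that only the proxy can reach.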

Dustin Cannon

Mar 12, 2019, 6:48:36 PM
to NetBox
Thanks Brian. I was able to get this working for my environment. See my reply to Douglas. Still need to test it more though.
