Securing a web facing netbox server

[MattTwinkleToes]

Hi, I have just installed netbox on a web facing linux box so that my team, distributed all over the world, can all access it easily.

I'm a bit concerned because anyone can access the homepage and mess around with the search function. Even while not logged in.

I thought about adding an .htpassword file to apache but cant find the web root (it's not in /var/www/)

I cant be the first person to have encountered his issue, what do other people do to secure their web facing netbox servers?

[DanSheps]

Personally, having your netbox instance exposed is not idea. I would recommend securing it behind a VPN at the very least.

You need to define the .htaccess file and then define the .htpasswd file yourself. I suggest looking at the Apache docs regarding this. The HTPASSWD file does not need to be in the web root either.

[jeremystretch]

I'm a bit concerned because anyone can access the homepage and mess around with the search function. Even while not logged in.

This is configurable with LOGIN_REQUIRED.

[MattTwinkleToes]

Thank you Jeremy, this is exactly what I was looking for.

For other, I have firewalled it off but it's not always practical in my environment with multiple people all over the world using different IP's as they move around. It's also running in the cloud so i cant just build a vpn server for it and I dont have an ldap server.

[candlerb]

I use mod_auth_openidc on the Apache proxy. This requires people to authenticate with their Google G-Suite credentials before they can even reach Netbox.

<VirtualHost _default_:443>
        ServerAdmin [email protected]
        ServerName netbox.example.com

        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        SSLCertificateFile      /etc/dehydrated/certs/netbox.example.com/cert.pem
        SSLCertificateKeyFile   /etc/dehydrated/certs/netbox.example.com/privkey.pem
        SSLCertificateChainFile /etc/dehydrated/certs/netbox.example.com/chain.pem

        # Fix problem with Firefox: # https://github.com/zmartzone/mod_auth_openidc/issues/404
        ErrorDocument 401 " "

        OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
        OIDCClientID XXXX
        OIDCClientSecret XXXX

        OIDCAuthRequestParams hd=gsuitedomain.com
        OIDCRedirectURI /oauth2callback
        OIDCCryptoPassphrase XXXXsomeverylongrandomstringXXXX
        OIDCScope "openid email"
        OIDCSessionInactivityTimeout 43200

        # Keep in mind some of the OIDC Providers (OP) don't guarantee the uniqueness of the email claim
        OIDCRemoteUserClaim email
        RequestHeader unset REMOTE_USER
        RequestHeader set REMOTE_USER expr=%{REMOTE_USER}
        OIDCPassUserInfoAs json
        OIDCPassClaimsAs headers

        <Location />
                AuthType openid-connect
                Require claim hd:gsuitedomain.com
        </Location>

        # OPTIONAL: allow /api/ to bypass OIDC auth if Token is provided
        <Location /api/>
            <RequireAny>
                AuthType openid-connect
                Require claim hd:gsuitedomain.com
                Require expr "%{HTTP:Authorization} =~ /^Token /"
            </RequireAny>
        </Location>

        # Rest is standard Netbox config
        Alias /static /opt/netbox/netbox/static/
        <Directory /opt/netbox/netbox/static/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Require all granted
        </Directory>

        <Location /static>
                ProxyPass !
        </Location>

        ProxyPreserveHost On
        RequestHeader set X-Forwarded-Proto "https"
        ProxyPass / http://10.112.76.119:8001/
        ProxyPassReverse / http://10.112.76.119:8001/

</VirtualHost>

Netbox is configured for remote auth, so users don't have to login a second time. There are no default groups set, so access to Netbox data has to be explicitly granted by the administrator.

LOGIN_REQUIRED = True
...
REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'netbox.authentication.RemoteUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = []
REMOTE_AUTH_DEFAULT_PERMISSIONS = {}