netbox-v3.2-beta1 - CSRF issues when netbox is behind an SSL termination proxy. #6103

Closed
opened 2025-12-29 19:36:50 +01:00 by adam · 3 comments

Originally created by @ThomasADavis on GitHub (Feb 16, 2022).

NetBox version

v3.2-beta1

Python version

3.9

Steps to Reproduce

When using an https -> SSL proxy (termination) w/ http forward -> netbox http chain, the CSRF_TRUSTED_ORIGINS must be set.

The proxy x-forward has 'https' in the header, but netbox is seeing http, so the two don't match.

Expected Behavior

CSRF works properly.

Observed Behavior

CSRF gives a 403 error until the CSRF_TRUSTED_ORIGINS is set in configuration.py

adam added the beta label 2025-12-29 19:36:50 +01:00
adam closed this issue 2025-12-29 19:36:50 +01:00

@jeremystretch commented on GitHub (Feb 16, 2022):

My understanding is that setting CSRF_TRUSTED_ORIGINS shouldn't be required unless you're making cross-origin requests. The beta demo instance, for example, doesn't have it defined, and CSRF protection works as expected.


@ThomasADavis commented on GitHub (Feb 16, 2022):

So what the issue is: we don't expose netbox as an SSL service internally; we only expose it as http.

We do ssl termination at a proxy (for logging and cert management), and forward via http to netbox.

This is what is messing up the CSRF: the proxy sets the x-forwarded header as https, netbox is seeing the x-forwarded header, but it came in via http, and so CSRF settings cause it to error out.

Setting the CSRF_TRUSTED_ORIGINS to 'https://$hostname' fixes the problem in this scenario.


@peteeckel commented on GitHub (Feb 20, 2022):

Unfortunately, I ran into the same issue while I was testing the NetBox DNS integration.

```
Origin checking failed - https://192.168.106.105 does not match any trusted origins.
```

In my test setup, I do not use an HTTPS termination proxy, just a very basic https config in Apache:

```
Listen 192.168.106.105:443

<VirtualHost *:443>

    ErrorLog /var/log/httpd/netbox_error_log
    CustomLog /var/log/httpd/netbox_access_log common

    ServerName netbox.dev.example.com

    SSLEngine on
    SSLCertificateFile /etc/pki/netbox/certs/netbox.crt.pem
    SSLCertificateKeyFile /etc/pki/netbox/private/netbox.key.pem
    SSLCertificateChainFile /etc/pki/tls/certs/hbr-dev-subca01.crt.pem

    RequestHeader set "X-Forwarded-Proto" expr="https"

    ProxyPreserveHost On
    ProxyPass / http://localhost:8001/
    ProxyPassReverse / http://localhost:8001/

    Alias /static /opt/netbox/netbox/static

    <Directory /opt/netbox/netbox/static>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
    </Directory>

    <Location /static>
        ProxyPass !
    </Location>

</VirtualHost>
```

Setting CSRF_TRUSTED_ORIGINS fixes it:

```
(netbox) [root@dns netbox]# grep CSRF /opt/netbox/netbox/netbox/configuration.py
CSRF_TRUSTED_ORIGINS = ['https://192.168.106.105', 'https://netbox.dns.example.com']
```
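The mismatch the three comments above describe, modelled in Python as an added example (not NetBox's or Django's own code): a simplified version of the CSRF origin check that Django, which NetBox is built on, performs, showing why the Origin fails when Django believes the request arrived over http, and the two ways to make it pass: CSRF_TRUSTED_ORIGINS as used in the thread, or Django's SECURE_PROXY_SSL_HEADER setting, which the thread does not mention. Host, origin and header values are constructed from the thread's own examples; the wildcard-subdomain handling and Referer fallback of the real check are left out.

```python
# Simplified model of Django's CSRF origin check (constructed example, not Django's
# or NetBox's code) for a NetBox that gets plain HTTP from a TLS-terminating proxy.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Settings:
    # Both are real Django settings; the values used in this example are constructed.
    csrf_trusted_origins: List[str] = field(default_factory=list)
    # e.g. ("HTTP_X_FORWARDED_PROTO", "https"); None means the header is never trusted
    secure_proxy_ssl_header: Optional[Tuple[str, str]] = None


@dataclass
class Request:
    meta: Dict[str, str]            # WSGI-style header keys, constructed
    transport_scheme: str = "http"  # scheme of the hop that actually reached Django

    def is_secure(self, settings: Settings) -> bool:
        # As in Django, the proxy header counts only when explicitly trusted
        if settings.secure_proxy_ssl_header:
            name, secure_value = settings.secure_proxy_ssl_header
            value = self.meta.get(name)
            if value is not None:
                return value.split(",", 1)[0].strip() == secure_value
        return self.transport_scheme == "https"

    def get_host(self) -> str:
        return self.meta["HTTP_HOST"]


def origin_verified(request: Request, settings: Settings) -> Optional[bool]:
    # None: no Origin header, Django falls back to Referer checking (not modelled)
    origin = request.meta.get("HTTP_ORIGIN")
    if origin is None:
        return None
    scheme = "https" if request.is_secure(settings) else "http"
    if origin == f"{scheme}://{request.get_host()}":
        return True
    # Simplified: Django also accepts wildcard subdomain entries in this list
    return origin in settings.csrf_trusted_origins


# Constructed request: browser used https to the proxy, which forwarded over
# http and set X-Forwarded-Proto; host and origin are the thread's own values.
PROXIED = Request(meta={"HTTP_HOST": "192.168.106.105",
                        "HTTP_ORIGIN": "https://192.168.106.105",
                        "HTTP_X_FORWARDED_PROTO": "https"})
```

With default settings `origin_verified(PROXIED, ...)` is False, which is the 403 reported above; either listing `https://192.168.106.105` in `csrf_trusted_origins` or trusting the proxy header via `secure_proxy_ssl_header` makes it True. Trust the header only when the proxy overwrites it on every request, because once it is configured Django believes whatever value arrives in it.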

Reference: starred/netbox#6103