remote auth header values wrong encoding #9170

Closed
opened 2025-12-29 20:46:30 +01:00 by adam · 5 comments
Owner

Originally created by @hendrikbl on GitHub (Jan 30, 2024).

Deployment Type

Self-hosted

NetBox Version

v3.7.0

Python Version

3.11

Steps to Reproduce

  1. Set up `netbox.authentication.RemoteUserBackend` as remote auth backend
  2. Configure `REMOTE_AUTH_USER_FIRST_NAME`
  3. Configure your webserver to populate the header with the remote user's first name
  4. Log in to NetBox with a user with umlauts in the first name (e.g. Jörn)

Expected Behavior

The firstname should sync correctly as Jörn

Observed Behavior

The firstname is synced as Jörn.

This happens due to HTTP headers being `iso8859-1` encoded. NetBox treats them as `utf8`.

https://github.com/netbox-community/netbox/blob/1b9e6bed55d4ee53f60bcd6540bce953ddbf4167/netbox/netbox/middleware.py#L150

I guess something like this would fix the problem but I haven't tested it:

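```python
# Turn the WSGI string back into its raw bytes (ISO-8859-1), then decode those bytes as UTF-8
first_name = request.META[settings.REMOTE_AUTH_USER_FIRST_NAME]
user.first_name = bytes(first_name, 'iso-8859-1').decode('utf-8')
```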

This applies to all header values.

adam closed this issue 2025-12-29 20:46:30 +01:00
Author
Owner

@jeremystretch commented on GitHub (Jan 30, 2024):

> 3. configure your webserver to populate the header with the remote users firstname

Please share which web server you're using and its configuration.

> 4. Login to netbox with a user with umlauts in the first name (e.g. Jörn)

Please share the exact details of the user to create before this step.

Author
Owner

@hendrikbl commented on GitHub (Jan 30, 2024):

> Please share which web server you're using and its configuration.

I'm using netbox-docker with an Apache reverse proxy with the following configuration:

```apache
SSLProxyEngine On
ProxyPreserveHost On
ProxyRequests off

ProxyPass /netbox/static http://127.0.0.1:8000/static
ProxyPassReverse /netbox/static http://127.0.0.1:8000/static

ProxyPass /netbox http://127.0.0.1:8000/netbox
ProxyPassReverse /netbox http://127.0.0.1:8000/netbox

<Location /netbox >
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms MY.DOMAIN
    Krb5KeyTab /etc/krb5.keytab
    KrbLocalUserMapping On

    AuthLDAPBindDN "user@my.domain"
    AuthLDAPBindPassword password
    AuthLDAPURL "ldap://my.domain/ou=Person,ou=Users,dc=my,dc=domain?SamAccountName,memberOf,mail,givenName,sn?sub?(objectClass=*)"

    Require ldap-group cn=netbox_users,cn=Users,dc=my,dc=domain

    AddDefaultCharset utf-8

    RequestHeader unset "X-Remote-User"
    RequestHeader set "X-Remote-User" expr=%{REMOTE_USER}

    RequestHeader set X-Remote-User-Groups %{AUTHORIZE_memberof}e
    RequestHeader edit* X-Remote-User-Groups CN=([^,]+),[^;]+ $1
    RequestHeader edit* X-Remote-User-Groups "; " |

    RequestHeader set X-Remote-User-Email %{AUTHORIZE_mail}e
    RequestHeader set X-Remote-User-First-Name %{AUTHORIZE_givenName}e
    RequestHeader set X-Remote-User-Last-Name %{AUTHORIZE_sn}e
</Location>

<Location /netbox/api >
    AuthType None
    Require all granted
</Location>
```

> Please share the exact details of the user to create before this step.

We're using Microsoft Active Directory as our LDAP provider but this should work with any directory server:

  1. Create a new AD user with the following details:

     ```
     Username: buerger
     Firstname: Jörn
     Lastname: Bürger
     Mail: joern.buerger@my.domain
     ```

  2. Create an AD group named `netbox_users`
  3. Add the `buerger` user we created in step 1 to the `netbox_users` group created in step 2

After that, opening NetBox from a Kerberos-enabled browser logs the user in just fine because usernames never contain any umlauts in our environment. But user details such as firstname and lastname do and are synced with wrong encoding.

Author
Owner

@jeremystretch commented on GitHub (Jan 30, 2024):

> I'm using netbox-docker

You may want to open a bug with the [netbox-docker project](https://github.com/netbox-community/netbox-docker), as its configuration is out of scope for this project.

NetBox receives the HTTP headers via WSGI already encoded as strings; I don't believe there's any action for us to take here. You may want to examine your Apache and WSGI worker configs to verify that the correct encoding is used.

Author
Owner

@hendrikbl commented on GitHub (Jan 31, 2024):

I looked a little more into this and found that the authentication provider returns names with special characters as utf8. Apache then keeps this encoding when setting the header. Since the standard defines HTTP headers as iso-8859-1, WSGI and everyone else interprets the header as iso-8859-1. So we get something weird if that's encoded back to utf8.

```
UTF8 Header --> decoded as ISO-8859-1 by WSGI --> encoded as UTF8 when displayed
```

There is a great article about it in German: https://floern.com/;;/umlautproblem/

Still it seems there is no way to force the header to be ISO-8859-1 in Apache. So I'm still stuck with this issue.

TL;DR: The problem is Apache encoding the header against the standard as utf8. NetBox and netbox-docker are doing everything correctly.
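The decode chain described in this comment, together with the round trip proposed in the opening post, as an added example that is not part of the original thread or of NetBox's code. The function names, the `HEADER_FIELDS` mapping and the sample environ are assumptions constructed for illustration; the header names are the ones set in the Apache configuration above.

```python
def as_seen_by_wsgi(header_bytes: bytes) -> str:
    """Simulate the WSGI server: raw header bytes are exposed as an ISO-8859-1 str."""
    return header_bytes.decode("iso-8859-1")


def wsgi_header_to_text(value: str) -> str:
    """Recover the intended text from a WSGI header string.

    If the proxy wrote UTF-8 bytes, re-encoding as ISO-8859-1 restores those
    bytes and a strict UTF-8 decode yields the real name. Anything that does
    not round-trip is returned unchanged instead of being guessed at.
    """
    try:
        raw = value.encode("iso-8859-1")
    except UnicodeEncodeError:
        # Code points above U+00FF: not a raw WSGI string, already real text.
        return value
    try:
        return raw.decode("utf-8")  # strict: invalid sequences raise
    except UnicodeDecodeError:
        # Not valid UTF-8, so the proxy really did send ISO-8859-1.
        return value


# Hypothetical mapping from WSGI environ keys to user profile fields.
HEADER_FIELDS = {
    "HTTP_X_REMOTE_USER_FIRST_NAME": "first_name",
    "HTTP_X_REMOTE_USER_LAST_NAME": "last_name",
    "HTTP_X_REMOTE_USER_EMAIL": "email",
}


def profile_from_environ(environ: dict) -> dict:
    """Build profile attributes from proxy-supplied headers, repairing encoding."""
    return {
        field: wsgi_header_to_text(environ[key])
        for key, field in HEADER_FIELDS.items()
        if key in environ
    }


# Constructed sample: what the application sees when Apache forwards UTF-8 bytes.
SAMPLE_ENVIRON = {
    "HTTP_X_REMOTE_USER_FIRST_NAME": as_seen_by_wsgi("Jörn".encode("utf-8")),
    "HTTP_X_REMOTE_USER_LAST_NAME": as_seen_by_wsgi("Bürger".encode("utf-8")),
    "HTTP_X_REMOTE_USER_EMAIL": "joern.buerger@my.domain",
}

if __name__ == "__main__":
    print(SAMPLE_ENVIRON["HTTP_X_REMOTE_USER_FIRST_NAME"])  # mis-decoded form
    print(profile_from_environ(SAMPLE_ENVIRON))
```

A value that is valid as both ISO-8859-1 text and UTF-8 bytes cannot be told apart by this check, so it is only safe where the proxy is known to emit UTF-8.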

Author
Owner

@jeremystretch commented on GitHub (Jan 31, 2024):

@hendrikbl thanks for following up with your findings. Wish I had a better answer for you. I'd probably tackle it from the authentication service side next; maybe there's a way to tweak the encoding of the authentication response.

Going to close this out as this doesn't appear to be addressable in NetBox.
