Use CIDR range in ALLOWED_HOSTS

[llamafilm]

I've put a load balancer in front of Netbox, with TLS terminated on the load balancer. To make this work I use these settings:

ALLOWED_HOSTS = ['*']
CSRF_TRUSTED_ORIGINS = ['https://netbox.mydomain.net']

The load balancer does periodic healthchecks on Netbox's HTTP endpoint, so I would prefer using a CIDR range here like 100.64.0.0/10. This doesn't work, it returns 400 error. I don't think it's a big deal, since I restrict HTTP ingress to only the load balancer, but would it be better to allow CIDR ranges here, and perhaps also partial wildcards like *.mydomain.net ?

[candlerb]

ALLOWED_HOSTS contains the list of hostnames that the Netbox server itself is known as to the outside world. If you put an IP address here, then it's the IP address of the server itself, not the IP address of the load balancer or client.

For example, if your server is running on address 10.11.12.13, and you want people to be able to access it as http://10.11.12.13 then you'd put 10.11.12.13 in ALLOWED_HOSTS. However, if clients only access it using DNS name, which is normal given that they'll probably expect to see a certificate too, then you can just put the hostname(s) there.

If the loadbalancer is making healthchecks then you ought to be able to tell it which hostname to use (since any web server could be running multiple virtual hosts anyway, and you'll need to specify which one to check)

Therefore, I don't really see your use case for a CIDR range. Are you saying that the IP address of the Netbox server itself changes dynamically? Or you have a pool of Netbox front-end servers? Even then, the loadbalancer should be setting a Host: header so that it's testing http://netbox.mydomain.net, not http://10.11.12.13

[llamafilm]

Thanks, I see there wildcards are supported like .mydomain.net. But that doesn't actually help in this situation because the load balancer queries the instance on its IP address. I'm not aware of a way to make AWS load balancer check a DNS name instead of IP.

[markkuleinio]

If you redeploy the EC2, have your redeploy code deploy that new EC2 in the load balancer as well.

I'm using two CloudFormation templates: first one deploys the EC2, the second one deploys the ALB, referencing the EC2. I don't need to redeploy just the EC2. If I destroy and rebuild the EC2, I'll just destroy and redeploy the ALB as well, and update the company-branded internal CNAME to use the new ALB DNS name.

[markkuleinio]

And, I have disabled the default Nginx site config (on the NetBox server) and replaced with it just

$ cat /etc/nginx/sites-enabled/lbcheck
server {
    listen 80;
    server_name $server_addr;
    location / {
        return 200 'OK\n';
    }
}

Since I only have one NetBox EC2, I don't see much value for the health check anyway but ALB checks "/" for status 200 so there it gets that.

--> My ALLOWED_HOSTS is configured with just mynetboxserver.example.com (= the hostname the clients are using), no need for anything special for ALB to work.

[llamafilm]

I use Spinnaker to manage deployment pipelines. There’s no need to recreate the ALB because it automatically gets the IP address of the new instance in the target group.

The dummy healthcheck is a clever idea. That would probably be fine for my situation too. I’m just in the habit of planning ahead for scale, even when it might be unnecessary.

[markkuleinio]

And, if you later want to make "real" health checks to the NetBox level and if you still have the normal Nginx/Apache on the NetBox EC2, maybe you can figure out a config in Nginx/Apache that mangles the headers (for the health checks only) so that no special NetBox-level config is required.

[markkuleinio]

Someone please tell me again in which cases is setting CSRF_TRUSTED_ORIGINS required?

I mean, I have it in some of my older configs, but in the latest 3.7.0 test installations I haven't set it, and everything seems to work just fine.

I'm running non-TLS NetBox on EC2 behind the ALB (that does TLS offloading):

client -> ALB -> nginx -> gunicorn (NetBox)

[markkuleinio]

I think it's to do with any page which does a form POST, e.g. edit device, bulk edit device. If those things work without it, then I'm not sure :-)

Yeah no problems, and the links in racks work, so I don't know what was the problem earlier

[markkuleinio]

My ALB health checks look like these:

GET / HTTP/1.1
Host: 10.200.200.101
Connection: close
User-Agent: ELB-HealthChecker/2.0
Accept-Encoding: gzip, compressed

10.200.200.101 = EC2 IP

[candlerb]

Ugh. Assuming you can't override the Host header - and it looks like you can't - then on Nginx put the proxying to Netbox inside a virtualhost for netbox.example.com, and outside the virtualhost return a dummy OK page on /

[markkuleinio]

Yes, see my earlier comment above

[markkuleinio]

FWIW, I get these headers for browser traffic:

From ALB to Nginx:

Host: mynetboxserver.example.com
X-Forwarded-For: 10.10.10.184
X-Forwarded-Proto: https
X-Forwarded-Port: 443

From Nginx (with those configurations) to NetBox:

    proxy_set_header X-Real-IP $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

Host: 127.0.0.1:8001
X-Forwarded-Host: mynetboxserver.example.com
X-Real-IP: 10.10.10.184, 10.200.200.33
X-Forwarded-For: 10.10.10.184
X-Forwarded-Proto: https
X-Forwarded-Port: 443

where 10.10.10.184 = client IP, 10.200.200.33 = ALB IP

This works also for API token allowed IP lists, and device links in the racks are working.

[candlerb]

I think it's to do with any page which does a form POST, e.g. edit device, bulk edit device. If those things work without it, then I'm not sure :-)

Yeah no problems, and the links in racks work, so I don't know what was the problem earlier

Yes you're right: on my system CSRF_TRUSTED_ORIGINS is not present at all in configuration.py, so it defaults in settings.py to empty array:

./settings.py:CSRF_TRUSTED_ORIGINS = getattr(configuration, 'CSRF_TRUSTED_ORIGINS', [])

So I think you're right, this isn't needed at all normally - maybe only for very weird situations where you have a different website which includes a form which POSTs to Netbox. Django docs

[candlerb]

would it be better to allow CIDR ranges here, and perhaps also partial wildcards like *.mydomain.net ?

FYI, ALLOWED_HOSTS does allow wildcards like .mydomain.net. Django docs ref