
@joxz
Last active December 19, 2022 18:56
Netbox SSO with Okta, Vouch and Nginx

Netbox SSO with Okta, Vouch and Nginx

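#! /bin/sh
# backup.sh - nightly NetBox backup, run by netbox-backup.service from
# /opt/netbox-backup.
#
# 1. pg_dump the NetBox database and gzip it   -> netbox_YYYY-MM-DD.psql.gz
# 2. tar the uploaded media directory          -> netbox_media_YYYY-MM-DD.tar.gz
# 3. delete backups older than 7 days, keeping the first-of-month DB dump
#
# Credentials: the database password is deliberately NOT part of the
# connection URL. Anything on a command line is visible to every local user
# through ps/proc, so let libpq read it from ~/.pgpass (mode 0600) of the
# user running this script, or from a PGPASSWORD variable supplied by the
# unit's Environment=/EnvironmentFile= instead.
set -eu

# Always operate in the script's own directory so the cleanup below can
# never run against whatever the caller's working directory happens to be.
cd "$(dirname "$0")"

DB_URL='postgres://<user>@127.0.0.1:5432/netbox'
MEDIA_DIR=/opt/netbox/netbox/media/
STAMP=$(date +%Y-%m-%d)
# retention: 7 days, expressed in minutes for find -mmin
KEEP_MINUTES=$((7*60*24))

# DB backup and gzip. The dump goes to a plain file first: POSIX sh has no
# pipefail, so "pg_dump | gzip" would report gzip's exit status and hide a
# failed dump behind a valid-looking .gz file.
DUMP="netbox_${STAMP}.psql"
if ! /usr/bin/pg_dump "$DB_URL" > "$DUMP"; then
    rm -f "$DUMP"
    echo "backup.sh: pg_dump failed" >&2
    exit 1
fi
# produces ${DUMP}.gz and removes the plain dump
gzip -f "$DUMP"

# backup uploaded media
tar -czf "netbox_media_${STAMP}.tar.gz" "$MEDIA_DIR"

# delete old backups other than first of month. Only regular files directly
# in this directory are considered, and the script itself is always kept.
find . -maxdepth 1 -type f ! -name '*01.psql.gz' ! -name 'backup.sh' \
    -mmin +"$KEEP_MINUTES" -exec rm -f {} \;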
# Remote authentication support (NetBox configuration.py).
# NetBox trusts the user name the reverse proxy delivers in the REMOTE_USER
# request header (Django exposes it as HTTP_REMOTE_USER). The proxy must set
# that header only after its auth_request succeeded, and must strip any
# client-supplied copy on every proxied path that bypasses auth_request
# (the /api location in the nginx config), otherwise the header is a login.
REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'utilities.auth_backends.RemoteUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
# A Django user is created on first successful SSO login ...
REMOTE_AUTH_AUTO_CREATE_USER = True
# ... and lands in this group (read-only) with no extra permissions.
REMOTE_AUTH_DEFAULT_GROUPS = ['sso-default-readonly']
REMOTE_AUTH_DEFAULT_PERMISSIONS = []
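# netbox-backup.service - one-shot backup job, triggered by netbox-backup.timer
[Unit]
Description=Netbox DB Backup
Wants=netbox-backup.timer
# pg_dump talks to the local PostgreSQL; do not start before it is up
# (adjust to the PostgreSQL unit name used on this host)
After=postgresql.service

[Service]
# oneshot: backup.sh runs to completion and the unit is active only meanwhile
Type=oneshot
WorkingDirectory=/opt/netbox-backup
ExecStart=/opt/netbox-backup/backup.sh
# Run this as an unprivileged account (User=) that owns /opt/netbox-backup and
# can read the media directory; give it the DB password via that account's
# ~/.pgpass or an EnvironmentFile= rather than on the pg_dump command line.
PrivateTmp=true

[Install]
WantedBy=multi-user.target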
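# netbox-backup.timer - runs netbox-backup.service once a day
[Unit]
Description=Run netbox DB Backup daily

[Timer]
# Unit= defaults to the service with the same name; kept explicit for clarity
Unit=netbox-backup.service
# daily = 00:00; the run may be shifted by up to AccuracySec to coalesce wakeups
OnCalendar=daily
AccuracySec=2h
# Persistent=true catches up a run missed while the machine was off. That is
# why there is no Requires=netbox-backup.service here: Requires= would also
# start a backup every time the timer itself is started, e.g. at each boot.
Persistent=true

[Install]
WantedBy=timers.target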
# /etc/nginx/conf.d/vouch-cache.conf
# Cache zone used by the /vouch-validate subrequest below: Vouch's "200 OK"
# for a given cookie is kept for a short time so not every request hits Vouch.
proxy_cache_path /var/cache/nginx-vouch levels=1:2 keys_zone=auth_cache:10m max_size=128m inactive=30m use_temp_path=off;
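# netbox.EXAMPLE.COM: NetBox behind Vouch Proxy. Every request to / is first
# sent to the internal /vouch-validate subrequest; on 200 the user name Vouch
# returns is handed to NetBox as REMOTE_USER, on 401 the client is redirected
# to the Vouch login page.
server {
    listen 443 ssl http2;
    server_name netbox.EXAMPLE.COM;

    ssl_certificate /etc/letsencrypt/live/netbox.EXAMPLE.COM/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/netbox.EXAMPLE.COM/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Static assets are served straight from disk, no authentication.
    location /static/ {
        alias /opt/netbox/netbox/static/;
    }

    location / {
        # Any request to this location is first sent to the Vouch subrequest;
        # the user name Vouch reports in X-Vouch-User is captured for NetBox.
        auth_request /vouch-validate;
        auth_request_set $auth_user $upstream_http_x_vouch_user;

        # if auth_request returned 200, forward to the NetBox backend
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Header NetBox's RemoteUserBackend trusts (REMOTE_AUTH_HEADER =
        # HTTP_REMOTE_USER). It is always set from the validated subrequest,
        # which overrides anything the client sent under that name.
        proxy_set_header REMOTE_USER $auth_user;
    }

    location = /vouch-validate {
        internal;
        # This address is where Vouch will be listening on
        proxy_pass http://127.0.0.1:9090/validate;
        proxy_pass_request_body off; # no need to send the POST body
        proxy_set_header Content-Length "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # add X-Vouch-IdP-Token for logout URL
        auth_request_set $auth_resp_x_vouch_idp_idtoken $upstream_http_x_vouch_idp_idtoken;
        # these return values are passed to the @error401 call
        auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
        auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
        auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;

        # let nginx cache a successful validation of the vouch cookie for 30s;
        # only 200 responses are cached, a 401 is re-checked every time
        proxy_cache auth_cache;
        proxy_cache_valid 200 30s;
        proxy_cache_methods GET;
        proxy_cache_key $cookie_vouchcookie;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }

    location /logout {
        # Redirect for logout
        return 302 https://vouch.EXAMPLE.COM/logout;
    }

    location /api {
        # Bypass auth_request for API calls
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        # This path skips auth_request, so a REMOTE_USER header must never
        # reach NetBox from the client: nginx forwards client headers by
        # default, and NetBox would accept a client-chosen user name (and
        # auto-create it via REMOTE_AUTH_AUTO_CREATE_USER). An empty value
        # makes nginx drop the header entirely.
        proxy_set_header REMOTE_USER "";
    }

    error_page 401 = @error401;
    # If the user is not logged in, redirect them to Vouch's login URL
    location @error401 {
        return 302 https://vouch.EXAMPLE.COM/login?url=https://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
    }
}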
# vouch.EXAMPLE.COM: TLS termination in front of the local Vouch Proxy process.
server {
    listen 443 ssl;
    server_name vouch.EXAMPLE.COM;

    # Same certificate files as the NetBox host: that certificate therefore has
    # to cover vouch.EXAMPLE.COM as well (SAN or wildcard) - confirm on issue.
    ssl_certificate /etc/letsencrypt/live/netbox.EXAMPLE.COM/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/netbox.EXAMPLE.COM/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Proxy everything to the Vouch instance on localhost
    location / {
        proxy_pass http://127.0.0.1:9090;
        proxy_set_header Host vouch.EXAMPLE.COM;
        proxy_set_header X-Forwarded-Proto https;
    }
}
# Catch-all plain-HTTP server: every request is sent on to the https NetBox
# host, except the nginx status endpoint which is reachable from localhost only.
server {
    listen 80 default_server;
    server_name _;

    location / {
        return 301 https://netbox.EXAMPLE.COM;
    }

    # stub_status for local monitoring; never exposed beyond the loopback
    location /stub_status {
        stub_status;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
}
# /etc/letsencrypt/options-ssl-nginx.conf
# Mozilla "intermediate" profile: https://ssl-config.mozilla.org/#server=nginx&config=intermediate
# NOTE(review): this file is shipped by certbot and may be replaced on its
# upgrades - confirm before relying on local edits here.

# Session resumption through the shared server-side cache (24h), no
# stateless session tickets
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

# Protocols and cipher list; the client's cipher preference is honoured
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";

# OCSP stapling: the chain file is needed to verify the stapled response and
# a resolver to reach the OCSP responder
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/netbox.EXAMPLE.COM/chain.pem;
resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 5s;

# HSTS (ngx_http_headers_module is required); 63072000 seconds = two years
add_header Strict-Transport-Security "max-age=63072000" always;
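# /opt/vouch-proxy/config/config.yml - Vouch Proxy configuration for the Okta
# (OIDC) login used by netbox.EXAMPLE.COM.
# This file holds the JWT secret and the Okta client secret: keep it readable
# by the vouch-proxy user only.
# The ALL-CAPS values are placeholders to replace. The original wrote them as
# "{ ... }", which YAML parses as a flow mapping rather than a string.
vouch:
  # Every user Okta authenticates is let in; restrict access through the
  # app assignment in Okta.
  allowAllUsers: true
  jwt:
    # replace with a long, self-generated random string
    secret: YOUR-JWT-SECRET
    compress: true
  cookie:
    # has to be the same name as in nginx for caching: proxy_cache_key $cookie_vouchcookie;
    name: VouchCookie
    secure: true
    # parent domain, so the cookie is presented to both vouch. and netbox.EXAMPLE.COM
    domain: EXAMPLE.COM
    httpOnly: true
    sameSite: lax
  headers:
    idtoken: X-Vouch-IdP-IdToken
  post_logout_redirect_uris:
    # https: the plain-http port-80 server only redirects to the https root
    # of netbox.EXAMPLE.COM and would drop the /login path
    - https://netbox.EXAMPLE.COM/login
oauth:
  provider: oidc
  client_id: CLIENT-ID-FROM-OKTA
  client_secret: CLIENT-SECRET-FROM-OKTA
  auth_url: https://YOUR-OKTA-INSTANCE.okta.com/oauth2/default/v1/authorize
  token_url: https://YOUR-OKTA-INSTANCE.okta.com/oauth2/default/v1/token
  user_info_url: https://YOUR-OKTA-INSTANCE.okta.com/oauth2/default/v1/userinfo
  end_session_endpoint: https://YOUR-OKTA-INSTANCE.okta.com/oauth2/default/v1/logout
  scopes:
    - openid
    - email
  # Set the callback URL to the domain that Vouch is running on
  callback_url: https://vouch.EXAMPLE.COM/auth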
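# vouch-proxy.service - runs the Vouch Proxy binary as its own user
[Unit]
Description=Vouch Proxy
# The original ordered this unit After= itself, which is a no-op; Vouch needs
# the network (it talks to Okta), so order it after the network instead.
After=network-online.target
Wants=network-online.target
# Restart rate limit: at most 3 starts within 60s. Since systemd 230 these
# settings live in [Unit]; StartLimitInterval= in [Service] is the pre-230
# spelling.
StartLimitIntervalSec=60s
StartLimitBurst=3

[Service]
Type=simple
User=vouch-proxy
WorkingDirectory=/opt/vouch-proxy
ExecStart=/opt/vouch-proxy/vouch-proxy -config /opt/vouch-proxy/config/config.yml
Restart=on-failure
RestartSec=5
# Basic sandboxing: no privilege escalation, private /tmp, no access to /home,
# read-only /usr, /boot and /etc (the config under /opt stays readable).
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full

[Install]
WantedBy=multi-user.target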