Closed jiphex closed 1 year ago
Ah, unless my netbox server is misconfigured with a HTTP base URL
Looks like you got this resolved, but thanks for taking the time to report anyway @jiphex!
Yes, for anyone else that comes across this - the problem is that the Netbox server is listening on HTTP behind a reverse proxy for SSL, so it thinks it's receiving requests via HTTP instead of HTTPS.
This means that the object URLs returned from the Netbox API (say the url field or tenant.url) in the data have http: prefixes instead of https:, which pynetbox will happily follow.
It looks like I need to configure Netbox to respect the reverse proxy's X-Forwarded-Proto header, so that it will return these as HTTPS responses instead.
Yes, this is what I have in NetBox' nginx configuration when using AWS ALB in front of NetBox:
proxy_set_header X-Forwarded-Proto https;
I am using Netbox v6.6.2, I've not been able to test this with v7 yet, although I don't see any reference to it in the Changelog.
When I get the connected_endpoint for a device (e.g. a power outlet on a device), pynetbox has to make a call to the Netbox API to get the details.
Despite me having the pynetbox.Api object configured with a https endpoint, it looks like for some reason, when this details request is being made, the requests to Netbox are going over plaintext http.
The initial requests (getting details about the devices themselves) go directly over HTTPS:
However when I start to enumerate the outlets and their connected devices, the detail requests are going via HTTP (and getting redirected):
I was able to discover this by enabling the urllib3 verbose logging as described here. I only construct the pynetbox.Api object once, and it is used throughout this code, so I don't understand why this is changing back to HTTP.
I think this is a security issue, as the requests to the http endpoint include the Netbox token, so it is being leaked in plaintext.
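One way to check for the condition described in this thread, as an added example that is not part of the original issue or of pynetbox: the function walks a decoded API response and reports every url field that is not HTTPS although the client was configured with an HTTPS base URL. The function name, hostname and record contents are constructed for illustration.

```python
from urllib.parse import urlsplit


def find_downgraded_urls(base_url, payload):
    """Return [(json_path, url)] for every 'url' field that is not HTTPS
    even though the client was configured with an HTTPS base URL."""
    if urlsplit(base_url).scheme.lower() != "https":
        return []  # client is already on plaintext; nothing to downgrade from
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}" if path else key
                if key == "url" and isinstance(value, str):
                    # A followed http: URL would carry the API token in cleartext.
                    if urlsplit(value).scheme.lower() != "https":
                        findings.append((child, value))
                else:
                    walk(value, child)
        elif isinstance(node, list):
            for index, item in enumerate(node):
                walk(item, f"{path}[{index}]")

    walk(payload, "")
    return findings


# Constructed sample: a record shaped like an API response, with nested url fields.
SAMPLE_BASE = "https://netbox.example.com"
SAMPLE_RECORD = {
    "id": 12,
    "url": "http://netbox.example.com/api/dcim/power-outlets/12/",
    "tenant": {"id": 3, "url": "http://netbox.example.com/api/tenancy/tenants/3/"},
    "connected_endpoint": {
        "id": 40,
        "url": "https://netbox.example.com/api/dcim/power-ports/40/",
    },
    "tags": [],
}

if __name__ == "__main__":
    for json_path, url in find_downgraded_urls(SAMPLE_BASE, SAMPLE_RECORD):
        print(f"plaintext URL at {json_path}: {url}")
```

Run against one response fetched over HTTPS, a non-empty result means the server is generating http: links and the reverse proxy header is not being honoured.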