SSL, Hitch, & the API

[ryanmerolle]

Currently the Hitch config allows for TLS with regards to NetBox Docker deployments, BUT it does not send headers to NetBox telling it that their is a secure proxy in front of it. IE API links returned by NetBox API will continue to show http in the url.

From the Hitch documentation:

Remember that hitch is protocol agnostic. It does not know about HTTP, it only passes bytes back and forth. In other words it will not set X-Forwarded-Proto or X-Forwarded-For on requests seen by the backend server. The PROXY protocol support exists for signalling the real client IP to the backend.

We need a to setup a HTTP Proxy to signal to NetBox in the header that the forwarded protocol is https SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

I threw this discussion up so we can find the simplest configuration for the community.

Potential URLs:

• Onboarding the network in Netbox Part 2
• https://www.digitalocean.com/community/tutorials/how-to-scale-and-secure-a-django-application-with-docker-nginx-and-let-s-encrypt#step-3-%E2%80%94-configuring-the-nginx-docker-container
• https://github.com/nginx-proxy/nginx-proxy

[tobiasge]

I think we should also look at Caddy. It has automatic certificate management.

[ryanmerolle]

I think that's fair. I'll look into this some today.

[ryanmerolle]

I got caddy working with docker-compose. It fixes the issue. I will cleanup my install for production and use that to document in the wiki. I must admit it is super easy to setup compared to nginx.

[ryanmerolle]

Here is what I propose we add to the wiki to replace the current hitch setup:

# Caddyfile
netbox.example.com, netbox.prod.example.com { # This line should match your allowed hosts
    reverse_proxy netbox:8080 # The reverse_proxy endpoint should point to the name of the netbox docker container
    encode gzip zstd
    tls /root/certs/cert.crt /root/certs/key.key # Can also combine cert and key into a pem

    log {
      level error
    }
}

# docker-compose.override.yml
services:
  # ... Include your normal override config but add the tls service & update the existing netbox service to include "expose: ["8080"]
  netbox:
    expose:
      - 8080
  tls:
    image: caddy:2-alpine
    depends_on:
      - netbox
    volumes:
      - ./certs:/root/certs:z # Change the ./certs to wherever you place your certificate & key files
      - ./Caddyfile:/etc/caddy/Caddyfile # Change the ./Caddyfile to wherever you place your Caddyfile
    ports:
      - 80:80 # Allows for http redirection
      - 443:443

I welcome feedback to help minimize confusion for people in the wiki.

Caddy also can grab Let's Encrypt certificates automatically when providing an email instead. That just might confuse things.

[cimnine]

Looks nice and simple. I would add :ro to both the caddy mounts just to be on the safe side. But it's not necessary of course.

[cimnine]

Afaik Caddy can also get certificates from Let's Encrypt on it's own. Maybe someone will add such a sample configuration eventually as well after you lay the foundation for the adaption of Caddy :)

[ryanmerolle]

Yea that's what I was saying. I'll likely add that Caddyfile config also. So you think I'm good to update the wiki?

[ryanmerolle]

Feel free to tweak the wording.

WIKI - TLS History - Replace Hitch with Caddy

I hope did not confuse people with the Let's Encrypt & ZeroSSL auto certificate setup. I hope people do not start opening tickets with this project for connectivity (firewall/proxy) issues from their corporate environment to the required CAs. It may be good to just remove that part in favor of just mkcert.

[cimnine]

Thank you. That's really great work, much appreciated. I took the liberty to tweak the structure a tiny bit. I tried to remove all that is not actually necessary to get up and running, e.g.

  netbox:
    expose:
      - 8080

is not actually required, since the NetBox and the Caddy container run on the same internal network.

Then, since I suspect that most readers are probably interested in setting up TLS for NetBox Docker on a productive system, rather than on localhost, I've re-arranged the order of the chapters.

My changes can be seen here, I hope that they're fine with you.

[ryanmerolle]

This is perfect and the sort of edits for readability and clarity I figured would be needed.

Thanks for reviewing and updating!