API tokens created in NetBox still require authentication through NGINX reverse proxy

[LWJ-SARA]

When I use Postman for testing, the API token I (the administrator) create is always unavailable and keeps returning a 401 error.

[mmguero]

Ah, interesting! This is a good point and is an oversight that we should address. I can explain why it's happening: in Malcolm, all of the external access is reverse proxied through an NGINX server that acts as a reverse proxy and also handles all of the authentication across all of the components. This is so the authentication can happen in one place, rather than having to be controlled individually across the components.

However, this means that even for something like an API call for netbox that is using a token, it's still going through the same authentication path, as in this case NGINX doesn't know the difference between your token-authenticated API call and access to NetBox's user interface. So it's still going to ask for the authentication username/password as it would another user, even though it's passing the NetBox API token along.

I'm sure there's something we can do to make this work the way it should, but as of today that's unfortunately what's going on. I'm going to log an issue in the issue tracker to figure out how to address this in an upcoming release.

See idaholab#532

[LWJ-SARA]

Thank you for your prompt reply, which has helped me a lot. I have a few more questions:

1. In malcolm, can I proxy netbox without using Nginx? If so, how do I do it?
2. Is it feasible if I use basic auth+CSRFtoken for verification? As far as I know, CSRFtoken is variable, what can I do to get it in real time and integrate it with my own projects?

[mmguero]

1. You could do that, yes, a few different ways, although I would only do either of these on a trusted network.
   • Turn off authentication completely by setting NGINX_BASIC_AUTH to no_authentication in config/auth-common.env. This wouldn't turn off the proxying, but it would skip the requirement for authentication.
   • In the docker-compose.yml file, you could go to the netbox service and expose it's port 8080 to 127.0.0.1 or 0.0.0.0 or some other IP on your host to access that port directly.
2. You're welcome to try to do what you want in that nginx.conf. I don't have experience with auth+CSRFtoken so I can't really speak to that. The docker entrypoint modifies the behavior of NGINX's authentication based on environment variables by creating a symlink called nginx_auth_rt.conf with the authentication behavior desired in there, based on one of the other config files it inlines.