joxz/_01.md

## _01.md

      
    Raw
  

              _01.md
            
          
    Netbox SSO with Okta, Vouch and Nginx

  
## backup.sh
#! /bin/sh

# DB Backup and gzip
/usr/bin/pg_dump postgres://<user>:<password>@127.0.0.1:5432/netbox | gzip > netbox_$(date +%Y-%m-%d).psql.gz

# backup uploaded media
tar -czf netbox_media_$(date +%Y-%m-%d).tar.gz /opt/netbox/netbox/media/

# delete old backups other than first of month
find . ! -name '*01.psql.gz' ! -name 'backup.sh' -mmin +$((7*60*24)) -exec rm -f {} \;

## configuration.py
# Remote authentication support
REMOTE_AUTH_ENABLED = True
REMOTE_AUTH_BACKEND = 'utilities.auth_backends.RemoteUserBackend'
REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
REMOTE_AUTH_AUTO_CREATE_USER = True
REMOTE_AUTH_DEFAULT_GROUPS = ['sso-default-readonly']
REMOTE_AUTH_DEFAULT_PERMISSIONS = []

## netbox-backup.service
[Unit]
Description=Netbox DB Backup
Wants=netbox-backup.timer

[Service]
ExecStart=/opt/netbox-backup/backup.sh
WorkingDirectory=/opt/netbox-backup

[Install]
WantedBy=multi-user.target

## netbox-backup.timer
[Unit]
Description=Run netbox DB Backup daily
Requires=netbox-backup.service

[Timer]
Unit=netbox-backup.service
AccuracySec=2h
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target

## nginx-cache.conf
# /etc/nginx/conf.d/vouch-cache.conf
proxy_cache_path /var/cache/nginx-vouch levels=1:2 keys_zone=auth_cache:10m max_size=128m inactive=30m use_temp_path=off;

## nginx.conf
server {
  listen 443 ssl http2;
  server_name netbox.EXAMPLE.COM;
    ssl_certificate /etc/letsencrypt/live/netbox.EXAMPLE.COM/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/netbox.EXAMPLE.COM/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

  location /static/ {
    alias /opt/netbox/netbox/static/;
  }

  location / {
    # Any request to this location will first be sent to this URL
    auth_request /vouch-validate;
    auth_request_set $auth_user $upstream_http_x_vouch_user;

    # if auth_request returns 200 then forward to backend
    proxy_pass http://127.0.0.1:8001;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;

    # set header for remote authentication
    proxy_set_header REMOTE_USER $auth_user;
  }

  location = /vouch-validate {
    internal;

    # This address is where Vouch will be listening on
    proxy_pass http://127.0.0.1:9090/validate;
    proxy_pass_request_body off; # no need to send the POST body

    proxy_set_header Content-Length "";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # add X-Vouch-IdP-Token for logout URL
    auth_request_set $auth_resp_x_vouch_idp_idtoken $upstream_http_x_vouch_idp_idtoken;

    # these return values are passed to the @error401 call
    auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
    auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
    auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;

    # let nginx cache the vouch cookie for 30s
    proxy_cache_valid 200 30s;
    proxy_cache auth_cache;
    proxy_cache_methods GET;
    proxy_cache_key $cookie_vouchcookie;
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
  }

  location /logout {
    # Redirect for logout
    return 302 https://vouch.EXAMPLE.COM/logout;
  }

  location /api {
    # Bypass auth_request for API calls
    proxy_pass http://127.0.0.1:8001;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  error_page 401 = @error401;

  # If the user is not logged in, redirect them to Vouch's login URL
  location @error401 {
    return 302 https://vouch.EXAMPLE.COM/login?url=https://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
  }
}

server {
  listen 443 ssl;
  server_name vouch.EXAMPLE.COM;
    ssl_certificate /etc/letsencrypt/live/netbox.EXAMPLE.COM/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/netbox.EXAMPLE.COM/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

  # Proxy to your Vouch instance
  location / {
    proxy_set_header  Host  vouch.EXAMPLE.COM;
    proxy_set_header  X-Forwarded-Proto https;
    proxy_pass        http://127.0.0.1:9090;
  }
}

server {
    listen 80 default_server;
    server_name _;

    location / {
        return 301 https://netbox.EXAMPLE.COM;
    }

    location /stub_status {
        stub_status;

        access_log off;
        allow 127.0.0.1;
        deny all;
    }
}

## options-ssl-nginx.conf
# /etc/letsencrypt/options-ssl-nginx.conf
# https://ssl-config.mozilla.org/#server=nginx&config=intermediate

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

ssl_trusted_certificate /etc/letsencrypt/live/netbox.EXAMPLE.COM/chain.pem;

resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 5s;

# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;

## vouch-config.yml
vouch:
  allowAllUsers: true   # handle app assignment in okta
  jwt:
    secret: { YOUR-JWT-SECRET, should be self generated }
    compress: true
  cookie:
    name: VouchCookie     # has to be the same name as in nginx for caching: proxy_cache_key $cookie_vouchcookie;
    secure: true
    domain: EXAMPLE.COM
    httpOnly: true
    sameSite: lax
  headers:
    idtoken: X-Vouch-IdP-IdToken
  post_logout_redirect_uris:
    - http://netbox.EXAMPLE.COM/login
oauth:
  provider: oidc
  client_id: { CLIENT-ID-FROM-OKTA }
  client_secret: { CLIENT-SECRET-FROM-OKTA }
  auth_url: https://YOUR-OKTA-INSTANCE.okta.com/oauth2/default/v1/authorize
  token_url: https://YOUR-OKTA-INSTANCE.okta.com/oauth2/default/v1/token
  user_info_url: https://YOUR-OKTA-INSTANCE.okta.com/oauth2/default/v1/userinfo
  end_session_endpoint: https://YOUR-OKTA-INSTANCE.okta.com/oauth2/default/v1/logout
  scopes:
    - openid
    - email
  # Set the callback URL to the domain that Vouch is running on
  callback_url: https://vouch.EXAMPLE.COM/auth

## vouch-proxy.service
[Unit]
Description=Vouch Proxy
After=vouch-proxy.service

[Service]
Type=simple
User=vouch-proxy
WorkingDirectory=/opt/vouch-proxy
ExecStart=/opt/vouch-proxy/vouch-proxy -config /opt/vouch-proxy/config/config.yml
Restart=on-failure
RestartSec=5
StartLimitInterval=60s
StartLimitBurst=3

[Install]
WantedBy=default.target
	#! /bin/sh

	# DB Backup and gzip
	/usr/bin/pg_dump postgres://<user>:<password>@127.0.0.1:5432/netbox \| gzip > netbox_$(date +%Y-%m-%d).psql.gz

	# backup uploaded media
	tar -czf netbox_media_$(date +%Y-%m-%d).tar.gz /opt/netbox/netbox/media/

	# delete old backups other than first of month
	find . ! -name '01.psql.gz' ! -name 'backup.sh' -mmin +$((760*24)) -exec rm -f {} \;
	# Remote authentication support
	REMOTE_AUTH_ENABLED = True
	REMOTE_AUTH_BACKEND = 'utilities.auth_backends.RemoteUserBackend'
	REMOTE_AUTH_HEADER = 'HTTP_REMOTE_USER'
	REMOTE_AUTH_AUTO_CREATE_USER = True
	REMOTE_AUTH_DEFAULT_GROUPS = ['sso-default-readonly']
	REMOTE_AUTH_DEFAULT_PERMISSIONS = []
	[Unit]
	Description=Netbox DB Backup
	Wants=netbox-backup.timer

	[Service]
	ExecStart=/opt/netbox-backup/backup.sh
	WorkingDirectory=/opt/netbox-backup

	[Install]
	WantedBy=multi-user.target
	[Unit]
	Description=Run netbox DB Backup daily
	Requires=netbox-backup.service

	[Timer]
	Unit=netbox-backup.service
	AccuracySec=2h
	OnCalendar=daily
	Persistent=true

	[Install]
	WantedBy=timers.target
	# /etc/nginx/conf.d/vouch-cache.conf
	proxy_cache_path /var/cache/nginx-vouch levels=1:2 keys_zone=auth_cache:10m max_size=128m inactive=30m use_temp_path=off;
	server {
	listen 443 ssl http2;
	server_name netbox.EXAMPLE.COM;
	ssl_certificate /etc/letsencrypt/live/netbox.EXAMPLE.COM/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/netbox.EXAMPLE.COM/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf;
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

	location /static/ {
	alias /opt/netbox/netbox/static/;
	}

	location / {
	# Any request to this location will first be sent to this URL
	auth_request /vouch-validate;
	auth_request_set $auth_user $upstream_http_x_vouch_user;

	# if auth_request returns 200 then forward to backend
	proxy_pass http://127.0.0.1:8001;
	proxy_set_header X-Forwarded-Host $http_host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-Proto $scheme;

	# set header for remote authentication
	proxy_set_header REMOTE_USER $auth_user;
	}

	location = /vouch-validate {
	internal;

	# This address is where Vouch will be listening on
	proxy_pass http://127.0.0.1:9090/validate;
	proxy_pass_request_body off; # no need to send the POST body

	proxy_set_header Content-Length "";
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;

	# add X-Vouch-IdP-Token for logout URL
	auth_request_set $auth_resp_x_vouch_idp_idtoken $upstream_http_x_vouch_idp_idtoken;

	# these return values are passed to the @error401 call
	auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
	auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
	auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;

	# let nginx cache the vouch cookie for 30s
	proxy_cache_valid 200 30s;
	proxy_cache auth_cache;
	proxy_cache_methods GET;
	proxy_cache_key $cookie_vouchcookie;
	proxy_buffer_size 128k;
	proxy_buffers 4 256k;
	proxy_busy_buffers_size 256k;
	}

	location /logout {
	# Redirect for logout
	return 302 https://vouch.EXAMPLE.COM/logout;
	}

	location /api {
	# Bypass auth_request for API calls
	proxy_pass http://127.0.0.1:8001;
	proxy_set_header X-Forwarded-Host $http_host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-Proto $scheme;
	}

	error_page 401 = @error401;

	# If the user is not logged in, redirect them to Vouch's login URL
	location @error401 {
	return 302 https://vouch.EXAMPLE.COM/login?url=https://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
	}
	}

	server {
	listen 443 ssl;
	server_name vouch.EXAMPLE.COM;
	ssl_certificate /etc/letsencrypt/live/netbox.EXAMPLE.COM/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/netbox.EXAMPLE.COM/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf;
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

	# Proxy to your Vouch instance
	location / {
	proxy_set_header Host vouch.EXAMPLE.COM;
	proxy_set_header X-Forwarded-Proto https;
	proxy_pass http://127.0.0.1:9090;
	}
	}

	server {
	listen 80 default_server;
	server_name _;

	location / {
	return 301 https://netbox.EXAMPLE.COM;
	}

	location /stub_status {
	stub_status;

	access_log off;
	allow 127.0.0.1;
	deny all;
	}
	}
	# /etc/letsencrypt/options-ssl-nginx.conf
	# https://ssl-config.mozilla.org/#server=nginx&config=intermediate

	ssl_session_cache shared:le_nginx_SSL:10m;
	ssl_session_timeout 1440m;
	ssl_session_tickets off;

	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_prefer_server_ciphers off;

	ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";

	# OCSP stapling
	ssl_stapling on;
	ssl_stapling_verify on;

	ssl_trusted_certificate /etc/letsencrypt/live/netbox.EXAMPLE.COM/chain.pem;

	resolver 8.8.8.8 1.1.1.1 valid=300s;
	resolver_timeout 5s;

	# HSTS (ngx_http_headers_module is required) (63072000 seconds)
	add_header Strict-Transport-Security "max-age=63072000" always;
	vouch:
	allowAllUsers: true # handle app assignment in okta
	jwt:
	secret: { YOUR-JWT-SECRET, should be self generated }
	compress: true
	cookie:
	name: VouchCookie # has to be the same name as in nginx for caching: proxy_cache_key $cookie_vouchcookie;
	secure: true
	domain: EXAMPLE.COM
	httpOnly: true
	sameSite: lax
	headers:
	idtoken: X-Vouch-IdP-IdToken
	post_logout_redirect_uris:
	- http://netbox.EXAMPLE.COM/login
	oauth:
	provider: oidc
	client_id: { CLIENT-ID-FROM-OKTA }
	client_secret: { CLIENT-SECRET-FROM-OKTA }
	auth_url: https://YOUR-OKTA-INSTANCE.okta.com/oauth2/default/v1/authorize
	token_url: https://YOUR-OKTA-INSTANCE.okta.com/oauth2/default/v1/token
	user_info_url: https://YOUR-OKTA-INSTANCE.okta.com/oauth2/default/v1/userinfo
	end_session_endpoint: https://YOUR-OKTA-INSTANCE.okta.com/oauth2/default/v1/logout
	scopes:
	- openid
	- email
	# Set the callback URL to the domain that Vouch is running on
	callback_url: https://vouch.EXAMPLE.COM/auth
	[Unit]
	Description=Vouch Proxy
	After=vouch-proxy.service

	[Service]
	Type=simple
	User=vouch-proxy
	WorkingDirectory=/opt/vouch-proxy
	ExecStart=/opt/vouch-proxy/vouch-proxy -config /opt/vouch-proxy/config/config.yml
	Restart=on-failure
	RestartSec=5
	StartLimitInterval=60s
	StartLimitBurst=3

	[Install]
	WantedBy=default.target