Skip to content

Required Configuration Settings

ALLOWED_HOSTS

Environment Variable: NAUTOBOT_ALLOWED_HOSTS specified as a space-separated quoted string (e.g. NAUTOBOT_ALLOWED_HOSTS="localhost 127.0.0.1 example.com").

This is a list of valid fully-qualified domain names (FQDNs) and/or IP addresses that can be used to reach the Nautobot service. Usually this is the same as the hostname for the Nautobot server, but can also be different; for example, when using a reverse proxy serving the Nautobot website under a different FQDN than the hostname of the Nautobot server. To help guard against HTTP Host header attacks, Nautobot will not permit access to the server via any other hostnames (or IPs).

Keep in mind that by default Nautobot sets USE_X_FORWARDED_HOST to True, which means that if you're using a reverse proxy, the FQDN used to reach that reverse proxy needs to be in this list.

Note

This parameter must always be defined as a list or tuple, even if only a single value is provided.

Example:

ALLOWED_HOSTS = ['nautobot.example.com', '192.0.2.123']

Tip

If there is more than one hostname in this list, you may also need to set CSRF_TRUSTED_ORIGINS as well.

If you are not yet sure what the domain name and/or IP address of the Nautobot installation will be, and are comfortable accepting the risks in doing so, you can set this to a wildcard (asterisk) to allow all host values:

ALLOWED_HOSTS = ['*']

Warning

It is not recommended to leave this value as ['*'] for production deployments. Please see the official Django documentation on ALLOWED_HOSTS for help.


DATABASES

Nautobot requires access to a supported database service to store data. This service can run locally on the Nautobot server or on a remote system. The following parameters must be defined within the DATABASES dictionary:

  • NAME - Database name
  • USER - Database username
  • PASSWORD - Database password
  • HOST - Name or IP address of the database server (use localhost if running locally)
  • PORT - The port to use when connecting to the database. An empty string means the default port for your selected backend. (PostgreSQL: 5432, MySQL: 3306)
  • CONN_MAX_AGE - Lifetime of a persistent database connection, in seconds (300 is the default)
  • ENGINE - The database backend to use. This can be either django.db.backends.postgresql or django.db.backends.mysql.

The following environment variables may also be set for each of the above values:

  • NAUTOBOT_DB_NAME
  • NAUTOBOT_DB_USER
  • NAUTOBOT_DB_PASSWORD
  • NAUTOBOT_DB_HOST
  • NAUTOBOT_DB_PORT
  • NAUTOBOT_DB_TIMEOUT
  • NAUTOBOT_DB_ENGINE

Added in version 1.1.0

The NAUTOBOT_DB_ENGINE setting was added along with support for MySQL.

Warning

Nautobot supports either MySQL or PostgreSQL as a database backend. You must make sure that the ENGINE setting matches your selected database backend or you will be unable to connect to the database.

Example:

DATABASES = {
    'default': {
        'NAME': 'nautobot',                         # Database name
        'USER': 'nautobot',                         # Database username
        'PASSWORD': 'awesome_password',             # Database password
        'HOST': 'localhost',                        # Database server
        'PORT': '',                                 # Database port (leave blank for default)
        'CONN_MAX_AGE': 300,                        # Max database connection age
        'ENGINE': 'django.db.backends.postgresql',  # Database driver ("mysql" or "postgresql")
    }
}

Note

Nautobot supports all database options supported by the underlying Django framework. For a complete list of available parameters, please see the official Django documentation on DATABASES.

MySQL Unicode Settings

Added in version 1.1.0

Tip

By default, MySQL is case-insensitive in its handling of text strings. This is different from PostgreSQL which is case-sensitive by default. We strongly recommend that you configure MySQL to be case-sensitive for use with Nautobot, either when you enable the MySQL server, or when you create the Nautobot database in MySQL. If you follow the provided installation instructions for CentOS or Ubuntu, the recommended steps there will include the appropriate database configuration.

When using MySQL as a database backend, and you want to enable support for Unicode characters like the beloved poop emoji, you'll need to update your settings.

If you try to use emojis without this setting, you will encounter a server error along the lines of Incorrect string value, because you are running afoul of the legacy implementation of Unicode (aka utf8) encoding in MySQL. The utf8 encoding in MySQL is limited to 3-bytes per character. Newer Unicode emoji require 4-bytes.

To properly support using such characters, you will need to create an entry in DATABASES -> default -> OPTIONS with the value {"charset": "utf8mb4"} in your nautobot_config.py and restart all Nautobot services. This will tell MySQL to always use utf8mb4 character set for database client connections.

For example:

DATABASES = {
    "default": {
        # Other settings...
        "OPTIONS": {"charset": "utf8mb4"},  # Add this line
    }
}

Added in version 1.1.0

If you have generated a new nautobot_config.py using nautobot-server init, this line is already there for you in your config. You'll just need to uncomment it!

Changed in version 1.1.5

If you have generated a new nautobot_config.py using nautobot-server init, this line is already present in your config and no action is required.


Redis Settings

Redis is an in-memory data store similar to memcached. It is required to support Nautobot's caching, task queueing, and webhook features. The connection settings are explained here, allowing Nautobot to connect to different Redis instances/databases per feature.

Warning

It is highly recommended to keep the Redis databases for caching and tasks separate. Using the same database number on the same Redis instance for both may result in queued background tasks being lost during cache flushing events. For this reason, the default settings utilize database 1 for caching and database 0 for tasks.

Tip

The default Redis settings in your nautobot_config.py should be suitable for most deployments and should only require customization for more advanced configurations.

Caching

Nautobot supports database query caching using django-cacheops.

Caching is configured by defining the CACHEOPS_REDIS setting which in its simplest form is just a URL.

For more details on Nautobot's caching, including TLS and HA configuration, see the guide on Caching.

Important

Nautobot does not utilize the built-in Django cache framework to perform caching, as django-cacheops takes its place.

CACHEOPS_REDIS

Default: "redis://localhost:6379/1"

Environment Variable: NAUTOBOT_CACHEOPS_REDIS

If you wish to use SSL, you may set the URL scheme to rediss://, for example:

CACHEOPS_REDIS = "rediss://localhost:6379/1"

This setting may also be a dictionary style to provide additional options such as custom TLS/SSL settings, for example:

import ssl

CACHEOPS_REDIS = {
    "host": os.getenv("NAUTOBOT_REDIS_HOST", "localhost"),
    "port": int(os.getenv("NAUTOBOT_REDIS_PORT", 6379)),
    "password": os.getenv("NAUTOBOT_REDIS_PASSWORD", ""),
    "ssl": True,
    "ssl_cert_reqs": ssl.CERT_REQUIRED,
    "ssl_ca_certs": "/opt/nautobot/redis/ca.crt",
    "ssl_certfile": "/opt/nautobot/redis/tls.crt",
    "ssl_keyfile": "/opt/nautobot/redis/tls.key",
}

Additional settings may be available and are not covered here. Please see the official guide on Cacheops setup.

CACHEOPS_SENTINEL

Default: undefined

If you are using Redis Sentinel for high-availability purposes, you must replace the CACHEOPS_REDIS setting with CACHEOPS_SENTINEL. For more details on configuring Nautobot to use Redis Sentinel see Using Redis Sentinel. For more details on how to configure Cacheops specifically to use Redis Sentinel see the official guide on Cacheops setup.

Warning

CACHEOPS_REDIS and CACHEOPS_SENTINEL are mutually exclusive and will result in an error if both are set.

Task Queuing

CACHES

The django-redis Django plugin is used to enable Redis as a concurrent write lock for preventing race conditions when allocating IP address objects, and also to define centralized Redis connection settings that will be used by RQ. The CACHES setting is required to to simplify the configuration for defining queues. It is not used for caching at this time.

Important

Nautobot does not utilize the built-in Django cache framework (which also relies on the CACHES setting) to perform caching because Cacheops is being used instead as detailed just above. Yes, we know this is confusing, which is why this is being called out explicitly!

Default:

# Uncomment the following line to configure TLS/SSL
# import ssl

CACHES = {
    "default": {
        "BACKEND": "django_redis.cache.RedisCache",
        "LOCATION": "redis://localhost:6379/0",
        "TIMEOUT": 300,
        "OPTIONS": {
            "CLIENT_CLASS": "django_redis.client.DefaultClient",
            # Uncomment the following lines to configure TLS/SSL
            # "CONNECTION_POOL_KWARGS": {
            #     "ssl_cert_reqs": ssl.CERT_REQUIRED,
            #     "ssl_ca_certs": "/opt/nautobot/redis/ca.crt",
            #     "ssl_certfile": "/opt/nautobot/redis/tls.crt",
            #     "ssl_keyfile": "/opt/nautobot/redis/tls.key",
            # },
        },
    }
}

Task Queuing with RQ

Changed in version 1.1.0

Using task queueing with RQ is deprecated in exchange for using Celery. Support for RQ will be removed entirely starting in Nautobot 2.0.

Task queues are configured by defining them within the RQ_QUEUES setting.

Nautobot's core functionality relies on several distinct queues and these represent the minimum required set of queues that must be defined. By default, these use identical connection settings as defined in CACHES (yes, that's confusing and we'll explain below).

In most cases the default settings will be suitable for production use, but it is up to you to modify the task queues for your environment and know that other use cases such as utilizing specific plugins may require additional queues to be defined.

RQ_QUEUES

The default value for this setting defines the queues and instructs RQ to use the default Redis connection defined in CACHES. This is intended to simplify default configuration for the common case.

Please see the official django-rq documentation on support for django-redis connection settings for more information.

Changed in version 1.1.0

The check_releases, custom_fields, and webhooks queues are no longer in use by Nautobot but maintained here for backwards compatibility; they will be removed in Nautobot 2.0.

Default:

RQ_QUEUES = {
    "default": {
        "USE_REDIS_CACHE": "default",
    },
    "check_releases": {
        "USE_REDIS_CACHE": "default",
    },
    "custom_fields": {
        "USE_REDIS_CACHE": "default",
    },
    "webhooks": {
        "USE_REDIS_CACHE": "default",
    },
}

More verbose dictionary-style configuration is still supported, but is not required unless you absolutely need more advanced task queuing configuration. An example configuration follows:

RQ_QUEUES = {
    "default": {
        "HOST": "localhost",
        "PORT": 6379,
        "DB": 0,
        "PASSWORD": "",
        "SSL": False,
        "DEFAULT_TIMEOUT": 300
    },
    "webhooks": {
        "HOST": "localhost",
        "PORT": 6379,
        "DB": 0,
        "PASSWORD": "",
        "SSL": False,
        "DEFAULT_TIMEOUT": 300
    },
    "check_releases": {
        "HOST": "localhost",
        "PORT": 6379,
        "DB": 0,
        "PASSWORD": "",
        "SSL": False,
        "DEFAULT_TIMEOUT": 300
    },
    "custom_fields": {
        "HOST": "localhost",
        "PORT": 6379,
        "DB": 0,
        "PASSWORD": "",
        "SSL": False,
        "DEFAULT_TIMEOUT": 300
    }
}
  • HOST - Name or IP address of the Redis server (use localhost if running locally)
  • PORT - TCP port of the Redis service; leave blank for default port (6379)
  • PASSWORD - Redis password (if set)
  • DB - Numeric database ID
  • SSL - Use SSL connection to Redis
  • DEFAULT_TIMEOUT - The maximum execution time of a background task (such as running a Job), in seconds.

The following environment variables may also be set for some of the above values:

  • NAUTOBOT_REDIS_SCHEME
  • NAUTOBOT_REDIS_HOST
  • NAUTOBOT_REDIS_PORT
  • NAUTOBOT_REDIS_PASSWORD
  • NAUTOBOT_REDIS_USERNAME
  • NAUTOBOT_REDIS_SSL
  • NAUTOBOT_REDIS_TIMEOUT

Note

If you overload any of the default values in CACHES or RQ_QUEUES you may be unable to utilize the environment variables, depending on what you change.

For more details on configuring RQ, please see the documentation for Django RQ installation.

Task Queuing with Celery

Added in version 1.1.0

Out of the box you do not need to make any changes to utilize task queueing with Celery. All of the default settings are sufficient for most installations.

In the event you do need to make customizations to how Celery interacts with the message broker such as for more advanced clustered deployments, the following settings are required.

CELERY_BROKER_URL

This setting tells Celery and its workers how and where to communicate with the message broker. The default value for this points to redis://localhost:6379/0. Please see the optional settings documentation for CELERY_BROKER_URL for more information on customizing this setting.

CELERY_RESULT_BACKEND

This setting tells Celery and its workers how and where to store message results. This defaults to the same value as CELERY_BROKER_URL. In some more advanced setups it may be required for these to be separate locations, however in our configuration guides these are always the same. Please see the optional settings documentation for CELERY_RESULT_BACKEND for more information on customizing this setting.

Configuring Celery with TLS

Optionally, you can configure Celery to use custom SSL certificates to connect to redis by setting the following variables:

import ssl

CELERY_REDIS_BACKEND_USE_SSL = {
    "ssl_cert_reqs": ssl.CERT_REQUIRED,
    "ssl_ca_certs": "/opt/nautobot/redis/ca.crt",
    "ssl_certfile": "/opt/nautobot/redis/tls.crt",
    "ssl_keyfile": "/opt/nautobot/redis/tls.key",
}
CELERY_BROKER_USE_SSL = CELERY_REDIS_BACKEND_USE_SSL

Please see the celery documentation for additional details.

Configuring Celery for High Availability

High availability clustering of Redis for use with Celery can be performed using Redis Sentinel. Please see documentation section on configuring Celery for Redis Sentinel for more information.


SECRET_KEY

Environment Variable: NAUTOBOT_SECRET_KEY

This is a secret, random string used to assist in the creation new cryptographic hashes for passwords and HTTP cookies. The key defined here should not be shared outside of the configuration file. SECRET_KEY can be changed at any time, however be aware that doing so will invalidate all existing sessions.

Bug

Due to an unresolved bug in the django-cryptography library, if you have any Git repositories configured in your database, changing the SECRET_KEY will cause errors like:

<class 'django.core.signing.BadSignature'>

Signature "b'mG5+660ye92rJBEtyZxuorLD6A6tcRmeS7mrGCP9ayg=\n'" does not match

If you encounter this error, it can be resolved in one of two ways:

  1. Change the SECRET_KEY back to its previous value, and delete all Git repository records via the UI or API.
  2. Connect to the database and use SQL commands to delete all Git repository records without needing to revert the SECRET_KEY.

Please note that this key is not used directly for hashing user passwords or (with the exception of the aforementioned django-cryptography bug) for the encrypted storage of secret data in Nautobot.

SECRET_KEY should be at least 50 characters in length and contain a random mix of letters, digits, and symbols.

Note

A unique SECRET_KEY is generated for you automatically when you use nautobot-server init to create a new nautobot_config.py.

You may run nautobot-server generate_secret_key to generate a new key at any time.

nautobot-server generate_secret_key

Sample output:

+$_kw69oq&fbkfk6&q-+ksbgzw1&061ghw%420u3(wen54w(m

Alternatively use the following command to generate a secret even before nautobot-server is runnable:

LC_ALL=C tr -cd '[:lower:][:digit:]!@#$%^&*(\-_=+)' < /dev/urandom | fold -w50 | head -n1

Example output:

9.V$@Kxkc@@Kd@z<a/=.J-Y;rYc79<y@](9o9(L(*sS)Q+ud5P

Warning

In the case of a highly available installation with multiple web servers, SECRET_KEY must be identical among all servers in order to maintain a persistent user session state.

For more details see Nautobot Configuration.