After update to 8.3.5: 'Origin not allowed' behind proxy

Last week Grafana worked without any problems, but after the update to 8.3.5 I cannot log in anymore. In the login screen, after entering my username and password a message appeared: ‘Origin not allowed’. In the grafana.log file I see a line:
lvl=eror msg="Failed to look up user based on cookie" logger=context error="user token not found"

This happens behind a proxy. If I connect directly (via port 3000) everytings works fine.
Any ideas?

1 Like

Hello :wave: and welcome to the forum, @jaapd

This is a known issue with 8.3.6. See this github issue for a workaround.

tl:dr: try adding proxy_set_header Host $http_host; to your config above proxy_pass:


Thanks, it works again!

1 Like

Hi I upgraded from 8.1 to 8.4.1 but I am still facing this ‘Origin Not Allowed’ error even after adding proxy_set_header Host $http_host; in Nginx config file the server block is listening on 443

listen 443 ssl;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
root /usr/share/nginx/html;
index index.html index.htm;

location / {
proxy_set_header Host $http_host; //added after upgrade from 8.1 to 8.4.1 for origin not allowed error

proxy_pass https://localhost:3000/;


Its still showing Origin Not Allowed Error

Still the same error even after adding the line in my vhost. Any other suggestions?

Hello hello :wave:

I’m running Grafana 8.4.2 on a KinD cluster inside Github Codespaces, I’m not sure I have access to any proxy in that environment.

I get ‘Origin not allowed’ when testing a Prometheus datasource running on the same namespace. (Although metric auto-completion works :thinking: )

Is there a workaround for such case?


In addition to this, on apache2 u add the following line

ProxyPreserveHost On

1 Like

You sould restart nginx, sudo sudo systemctl restart nginx.service

I found a way workaround for myself and you can try this:
in your Nginx configuration file using the real domain name replace the $http_host and restart Nginx

# proxy_set_header Host $http_host;
proxy_set_header Host;

It worked for me, hope it can help you also.


This worked, Thanks !!

Did you get a work around for this? Have a similar issue in an AKS cluster at the moment

1 Like

Thanks, valid solution for 9.0.3 as well. :smiley:

Hi Guys,

The grafana (grafana-7.5.11-2.el8.rpm) package we have updated it to the below-mentioned version with dependency.


We are using “Graphite” as DB to connect with Grafana. It worked until we use old version (grafana-7.5.11-2.el8.rpm) and post to the update, the databse connection not worked.

During graphite connection, I get the error “origin not allowed”. also Attached here.

Could you please help us on fixing this issue…

Hi Experts,

We have upgraded grafana package from grafana-7.5.11-2.el8.rpm to grafana-7.5.15-3.el8.x86_64.rpm along with taking care of its dependency package to grafana-pcp-3.2.0-2.el8.x86_64.rpm, and we are seeing the same error “Origin not allowed” post upgrade.,

Actually, we are using “Graphite” as DB to connect with Grafana. It worked until we use old version (grafana-7.5.11-2.el8.rpm ) and post to the update to new version(7.5.15-3.el8.x86_64.rpm), the databse connection not worked. During graphite connection, I get the error “origin not allowed” as attached here.

This is the correct way of fixing the issue. AMAZING!
I had been searching for an answer but based on using istio instead of nginx , so here’s the same config but with an Istio Virtual Service:

the proxy_set_header FQDN ( or $http_host ) in istio is configured in the http headers section

kind: VirtualService
  generation: 4
  name: mynameofVS
  namespace: mynamespace
    - mygateway
    - '*'
    - headers:
        - uri:
            prefix: /grafana
        - destination:
            host: grafana.svc
              number: 80