Building a publicly accessible anonymous org and dash / security steps

I’d like to use a Grafana dashboard as a public facing weather page. The data presentation is simply superior to every other option I have available. And it lets people tinker with viewing historical data. It also has the best responsive mobile view of all the options I have available. So if I can make this work securely and safely, it is what I want to do.

Grafana is running on a Windows 10 PC behind a firewall. I created public_org as an org that is used only for this purpose. In defaults.ini, I enabled anonymous, set the anonymous org for public_org, and set the anonymous org role for Viewer. I believe this makes it so someone that is not logged into Grafana can only see and interact with public_org and only the data sources the org has.

The only data source available to the public_org is a local MySQL database that contains the weather station data. The SQL database user assigned to the datasource has only select rights to that database and no other rights at all. There is no data in this database that is sensitive or private. The same data goes to various public weather websites like wunderground. Try as I might, I have yet to identify an OpSec risk derived from the humidity. So a public viewer being able to see the entire data set is not only ok, it is the entire purpose.

The only Grafana user account on this Grafana server at this time is my admin account, which is not admin and has a strong password. So if someone snooping around wants to try logging in, it isn’t happening.

Are there any other matters I should set or change in the ini? Any vulnerabilities I should be aware of? Can I limit how many incorrect login attempts are made somehow?

Hi,

I would recommend staying up to date with Grafana versions, as they include security fixes.

Good Luck

1 Like

not possible as of now

What is not possible? I’m guessing you didn’t actually read any of my post except for the title?

No need to get verbally abusive. I read it all and my statement is final.

lol ok. :neutral_face:

So anyway, if anyone with actual meaningful information that actually answers any of the questions I asked could provide some input, that would be fantastic. Thanks!

1 Like

Yes, absolutely!

Also, traffic to the site is going through an NGINX reverse proxy on a Ras Pi, which is also handling SSL, certificates, etc. It forwards my domain's HTTPS traffic to the Windows server Grafana port.

1 Like
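
The settings discussed in this thread, as an added example that is not part of any poster's reply and is not Grafana's own code: a Python check of a Grafana ini file for the anonymous Viewer setup from the first post, plus the sign-up, login-protection and cookie settings that matter once the login page is reachable through the HTTPS proxy. The key names are Grafana configuration keys; the sample ini, the `audit` function and the assumed defaults are constructed for illustration and should be confirmed against your version's defaults.ini.

```python
import configparser

# Constructed sample: the setup described in the thread, with several risky values.
WEAK_INI = """\
app_mode = production
[auth.anonymous]
enabled = true
org_name = public_org
org_role = Editor
[users]
allow_sign_up = true
[security]
disable_brute_force_login_protection = true
cookie_secure = false
"""

# (section, key, assumed default when the key is absent, value wanted here)
CHECKS = [
    ("auth.anonymous", "org_name", "Main Org.", "public_org"),
    ("auth.anonymous", "org_role", "Viewer", "Viewer"),
    ("auth.anonymous", "hide_version", "false", "true"),
    ("users", "allow_sign_up", "false", "false"),
    ("security", "disable_brute_force_login_protection", "false", "false"),
    ("security", "cookie_secure", "false", "true"),
]

def audit(ini_text):
    """Return one finding per setting that differs from the wanted value."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # Grafana ini files have keys before the first section header, which
    # configparser rejects, so park them under a synthetic section.
    cp.read_string("[_root]\n" + ini_text)
    anon = cp.get("auth.anonymous", "enabled", fallback="false").strip().lower()
    # The anonymous-org checks only apply when anonymous access is switched on.
    checks = CHECKS if anon == "true" else [c for c in CHECKS if c[0] != "auth.anonymous"]
    findings = []
    for section, key, default, wanted in checks:
        value = cp.get(section, key, fallback=default).strip()
        if wanted in ("true", "false"):
            value = value.lower()  # booleans compare case-insensitively
        if value != wanted:
            findings.append(f"{section}.{key} = {value} (want {wanted})")
    return findings

if __name__ == "__main__":
    for line in audit(WEAK_INI):
        print("FLAG", line)
```
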