Configure the server to disable support for static key cipher suites

naoh · September 14, 2022, 6:49am

What Grafana version and what operating system are you using?
Grafana Version 8.2.5
What are you trying to achieve?
Trying to configure the server to disable support for static key cipher suites
How are you trying to achieve it?
I have tried setting

tls_min_version = tls13

tls_min_version = tls1.3

What happened?

However scans still show up that insecure cipher suites: TLS 1.2 ciphers are being used.

What did you expect to happen?
I expected to be able to disable support for static key ciphers.
Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
No
Did you follow any online instructions? If so, what is the URL?
Configure Grafana | Grafana documentation

mattabrams · October 4, 2022, 12:00am

welcome to the forum, @naoh

I dont see tls_min_version listed in our config documentation. I do see something like that in the Loki code, however:

github.com

grafana/loki/blob/044d06015d0d6fe9d44891f1d8c678298a109b67/vendor/github.com/weaveworks/common/server/server.go#L74


      
          	HTTPListenNetwork string `yaml:"http_listen_network"`
          	HTTPListenAddress string `yaml:"http_listen_address"`
          	HTTPListenPort    int    `yaml:"http_listen_port"`
          	HTTPConnLimit     int    `yaml:"http_listen_conn_limit"`
          	GRPCListenNetwork string `yaml:"grpc_listen_network"`
          	GRPCListenAddress string `yaml:"grpc_listen_address"`
          	GRPCListenPort    int    `yaml:"grpc_listen_port"`
          	GRPCConnLimit     int    `yaml:"grpc_listen_conn_limit"`
          
          	CipherSuites  string    `yaml:"tls_cipher_suites"`
          	MinVersion    string    `yaml:"tls_min_version"`
          	HTTPTLSConfig TLSConfig `yaml:"http_tls_config"`
          	GRPCTLSConfig TLSConfig `yaml:"grpc_tls_config"`
          
          	RegisterInstrumentation  bool `yaml:"register_instrumentation"`
          	ExcludeRequestInLog      bool `yaml:"-"`
          	DisableRequestSuccessLog bool `yaml:"-"`
          
          	ServerGracefulShutdownTimeout time.Duration `yaml:"graceful_shutdown_timeout"`
          	HTTPServerReadTimeout         time.Duration `yaml:"http_server_read_timeout"`
          	HTTPServerWriteTimeout        time.Duration `yaml:"http_server_write_timeout"`

naoh · December 2, 2022, 3:53am

Hi, I do not want to configure it on Loki, i read documentation that it is hard-coded in Grafana itself. Can I configure it for Grafana in defaults.ini?

jangaraj · December 2, 2022, 8:15am

Grafana doesn’t expose TLS configuration - you can’t configure any TLS settings in Grafana. Use reverse proxy e. g. Nginx in front of Grafana and configure desired TLS configuration (min/max tls version, ciohers) there.