Getting 403 Origin Not Allowed when logging in behind Azure Application Gateway

  • What Grafana version and what operating system are you using?

I was using Grafana 8.0.6 and it was running fine but with 9.4.17 or latest I am getting 403 errors

  • What are you trying to achieve?

I want to have Grafana running behind an application gateway on a path of an existing domain.

  • How are you trying to achieve it?

I am using Terraform to provision a Linux Web App (Grafana) and an Application Gateway to terminate SSL, though for testing purposes I am only using HTTP at the moment.

  • What happened?

When I run an older version of Grafana everything works as expected with this configuration:

  app_settings = {
    DOCKER_ENABLE_CI              = "true"
    GF_SECURITY_X_XSS_PROTECTION  = "false"
    GF_SERVER_DOMAIN              = "domain.net"
    GF_LIVE_ALLOWED_ORIGINS       = "*"
    GF_SERVER_ROOT_URL            = "%(protocol)s://%(domain)s:%(http_port)s/grafana/"
    GF_SERVER_SERVE_FROM_SUB_PATH = "true"
    GF_SECURITY_ADMIN_USER        = "admin"
    GF_SECURITY_ADMIN_PASSWORD    = var.gf_password
  }

I have set the container hostname as the backend setting in the Azure Gateway.

      name                                = "prod-grafana-backend-http-settings"
      pick_host_name_from_backend_address = false
      host_name                           = azurerm_linux_web_app.grafana-web-app.default_hostname
      cookie_based_affinity               = "Enabled"
      path                                = "/grafana/"
      port                                = 80
      protocol                            = "Http"
      request_timeout                     = 30
      probe_name                          = "${var.appgw_probe[terraform.workspace]}-gf"
  • What did you expect to happen?

I would expect Grafana to work without 403 errors.

  • Can you copy/paste the configuration(s) that you are having problems with?

Pasted above

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.

  • Did you follow any online instructions? If so, what is the URL?

I’ve looked around on the forum but everything seems to discuss nginx or Apache configuration.

Even I’m stuck with the same issue…Did you got the fix?

Do we have any solution for this ?

There is basic rule that tool in front of Grafana (Azure Application Gateway in this particular case, but generally anything: nginx, AWS ALB, AWS API GW, F5,…) must forward Host header to Grafana - how to do that depends on used tool (so check doc for used tool).
Of course domain in tha Host header must be matching domain configured(allowed) in the Grafana config.