Getting Invalid auth header using nginx reverse proxy

I am using Nginx reverse proxy for grafana in which I have embedded a panel in my web application. The URL which calls the Grafana contains a token that is set in proxy_set_header in Nginx configuration like below.

server {

        server_name melta.grafana.in www.melta.grafana.in;

        location / {
           proxy_pass http://localhost:3000;
           proxy_http_version 1.1;
           proxy_set_header Upgrade $http_upgrade;
           proxy_set_header Connection 'upgrade';
           proxy_set_header Host $host;
           proxy_cache_bypass $http_upgrade;
           proxy_set_header Authorization "Bearer $arg_token";
        }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/melta.grafana.in/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/netvm2.grafana.yavar.in/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = melta.grafana.in) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80;
        listen [::]:80;

        proxy_set_header Authorization "Bearer $arg_token";
        server_name melta.grafana.in www.melta.grafana.in;
  return 404; # managed by Certbot
}

Once I open the grafana application I am getting the error as 

{“message”:“Invalid Basic Auth Header”}


I think there’s probably an issue with your nginx config. For instance, I don’t think that setting proxy_set_header is possible within the server block. Also not clear how $arg_token is set in this case.

To narrow down the source of the issue, you can try and see if you can access your Grafana instance directly with the Authorization header set as needed, and check the behavior there. If I had to guess, I’d say that this is unlikely to be an issue on Grafana’s end.

@svetb When we set the token directly in Nginx we don’t see any issues.i.e.

proxy_set_header Authorization "Bearer rerevdnfnofodniuwe332ifofnwefn32";

There is no missing auth header issue but when we pass the token dynamically we are getting this issue

Ok, that’s good. So then I suppose this is a relevant question to investigate:

@svetb My goal is to embed the iframe in my Angular application. Once embed i was getting the login screen instead of the actual screen. So to bypass the login screen I have created an HTTP API key as mentioned in the docs from Grafana with view role.

In this doc, it is mentioned that I need to pass the token in the authorization header but with iframe, i can’t pass the token in the header. So I have created a query parameter named token in the query like below

https://melta.grafana.in/d-solo/JuuWpXyMz/home?orgId=1&refresh=5s&from=1630301968567&to=1630305568567&panelId=12&token=eyJrIjoiTXJUN3p0Z3pkMEhBdFp2Z0RBSTJGZkdMc1hhWlJMTjAiLCJuIjoiYXV0aHRva2VuIiwiaWQiOjF9

And in the Nginx configuration, i am receiving the token which is sent from the above query and setting it in the Authorization Bearer token and proxy pass to Grafana.

So in this place only we are getting the missing auth header issue.I hope the above details would help you to investigate further.

If the above approach is not feasible could u pls suggest other ways to embed an iframe in the Angular application without authentication? (I have tried anonymous auth but i feel it is not secure)

Ok, got it. What you describe should work in principle (although it’s still pretty lackluster in terms of security - since any user will have direct access to your hardcoded token, via the UI…).

I think your next step is to enable debug logging in Nginx and see what’s going on there. Make sure that the token is actually included in the header as you need it to be. Maybe also check the Grafana log, to make sure that the request that’s being received is what you expect it to be. You could even make the proxy point to a separate “toy” server that you set up (instead of Grafana) and ensure that the token is included in the request.

Basically, I don’t think that the issue you’re facing is a Grafana issue - I think it’s an nginx/general setup issue.