Grafana behind Nginx configuration

  • What Grafana version and what operating system are you using?
    Grafana V9.0.3 OSS

  • What are you trying to achieve?
    I am trying to restrict Grafana users to only access the Grafana login page through the reverse proxy (NGINX). I have a Grafana instance running on port 3000 behind the nginx reverse proxy on the same local machine.
    The reverse proxy works well; however, I can still access Grafana through http://grafana.staged-by-discourse.com. What I want is that no one can access this web page; I want all Grafana users to access Grafana through the nginx reverse proxy.

  • How are you trying to achieve it?
    I haven’t yet seen any blogs or tutorials on how to restrict the users.

  • What happened?
    I can still access Grafana through http://grafana.staged-by-discourse.com

  • What did you expect to happen?
    The Grafana instance can only be accessed through my nginx reverse proxy.

  • Can you copy/paste the configuration(s) that you are having problems with?
    This is my config on nginx:

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    No errors

  • Did you follow any online instructions? If so, what is the URL?
    I haven’t seen any blog related to this.

I don’t think what you want is entirely possible using a proxy_pass. If you are proxying to local port 3000 then that port by definition must be open locally.

Are you running a server? Or is this a closed network? Access to localhost shouldn’t be a problem if you are running Grafana on a VM or cluster and access to the VM / cluster is locked down.

Also, these are the types of config issues that are entirely eliminated when one uses Grafana Cloud. You should set up a free-forever account and see if it makes setup easier:

The new Grafana Cloud: the only composable observability stack for metrics, logs, and traces, now with free and paid plans to suit every use case | Grafana Labs.

My Nginx and Grafana instances are running on the same machine.

Will it be possible to close port 3000 for non-localhost clients (any client computers connected to the network) accessing Grafana?

And just open the port for nginx, which is port 443.
From there, they cannot access my Grafana using http://ipaddressofmyGrafana:3000

I just don’t know if it is possible.

@rikutozumoko did you find anything on this? I am running into the same issue with my setup.

What I did is put a firewall (hardware) before my Grafana server.
All clients should point to that firewall, and the firewall only allows port 443, all ports are closed.
That way they cannot access Grafana on port 3000.
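
Added example (not from any poster in this thread): a check for whether port 3000 on the Grafana host is reachable from other machines or only via loopback, which is the condition the thread is trying to reach. The function names are hypothetical, the sample `ss -ltn` lines are constructed, and the parsing assumes the usual `ss -ltn` column layout.

```shell
#!/usr/bin/env bash
# Added example: find listeners on a port that are bound to a non-loopback address.

# exposed_listeners PORT: reads `ss -ltn` style output on stdin and prints each
# local address bound to PORT that is not a loopback address.
exposed_listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      laddr = $4
      n = split(laddr, parts, ":")
      if (parts[n] != port) next
      addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
      sub(/%.*$/, "", addr)                  # drop interface suffix such as %lo
      sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # drop IPv6 brackets
      if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
      print laddr
    }'
}

# check_port PORT: returns 0 when PORT is loopback-only (or not listening),
# 1 when at least one listener accepts connections from other hosts.
check_port() {
  local hits
  hits=$(exposed_listeners "$1")
  if [ -n "$hits" ]; then
    printf 'port %s is reachable from other hosts via:\n%s\n' "$1" "$hits"
    return 1
  fi
  printf 'port %s is loopback-only or closed\n' "$1"
}

# Constructed sample: Grafana listening on all interfaces, nginx on 443.
sample_exposed() {
  cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*
LISTEN  0       4096    *:3000              *:*
EOF
}

# Constructed sample: Grafana bound to loopback only, nginx on 443.
sample_loopback() {
  cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*
LISTEN  0       4096    127.0.0.1:3000      0.0.0.0:*
LISTEN  0       4096    [::1]:3000          [::]:*
EOF
}

sample_exposed | check_port 3000 || true
sample_loopback | check_port 3000
```

On a live host, run `ss -ltn | check_port 3000`. If Grafana shows up on `0.0.0.0` or `*`, setting `http_addr = 127.0.0.1` in the `[server]` section of grafana.ini, or a host firewall rule, closes direct access while nginx can still proxy to it locally.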