Grafana / HTTPS / Nginx Proxy

So, I’m starting to feel pretty crazy. I’m unable to access grafana through the https proxy. I’ve looked at the documentation for this a multitude of times. Here is my nginx config:

server {
  server_name my.domain.name;
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  ssl on;
  ssl_certificate /etc/ssl/certs/cloud_flare_cert.pem;
  ssl_certificate_key /etc/ssl/private/cloud_flare_key.pem;
  index index.html index.htm;

location / {
  proxy_pass http://localhost:3000/;
  proxy_set_header Host                 $http_host;
  proxy_set_header X-Real-IP            $remote_addr;
  proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto    "https";
  }
}

With that setup, I have the following in my grafana.ini file.

instance_name = my.domain.name
[server]
protocol = https

# The http port  to use
http_port = 3000

# The public facing domain name used to access grafana from a browser
domain = my.domain.name

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
enforce_domain = true

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://my.domain.name/

# https certs & key file
cert_file = /etc/grafana/cloud_flare_cert.pem
cert_key = /etc/grafana/cloud_flare_key.pem

For the life of me, I cannot figure out why I can’t access grafana by heading to https://my.domain.name.

I do see the following text in my nginx error.log file when I attempt to load the URL:

2019/05/07 05:28:32 [error] 6443#6443: *1 upstream sent no valid HTTP/1.0 header while reading response header from upstream

I’m hoping I’m just tired and missed something silly somewhere. As the cert file names show, I am behind Cloudflare, but I’m not sure what that does in terms of accessibility.

Any assistance here would be greatly appreciated.

1 Like

You can solve it like this, edit grafana config:

instance_name = my.domain.name
[server]
#here
protocol = http

# The http port  to use
http_port = 3000

# The public facing domain name used to access grafana from a browser
domain = my.domain.name

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
enforce_domain = true

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://my.domain.name/

# https certs & key file
#Here
#cert_file = /etc/grafana/cloud_flare_cert.pem
#cert_key = /etc/grafana/cloud_flare_key.pem

You do not need (I do not believe) https between grafana and the Nginx.
Or maybe you can edit Nginx.conf, but I’m not sure.

location / {
  #here
  proxy_pass https://localhost:3000/;
  proxy_set_header Host                 $http_host;
  proxy_set_header X-Real-IP            $remote_addr;
  proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto    "https";
  }
3 Likes

I’ll give that a go and let you know what happens. Thanks!

Oh my word. That got me in. Thank you! So, because I’m handling the HTTPS stuff with Nginx, I need not worry about it with grafana? Good to know!

Thanks for the tip. This worked
Grafana, nginx, and letsencrypt - installed on macOS with homebrew.

Hi @danielgonzalez,

I have tried exactly the same but I am still getting the below error.

2021/04/16 11:55:28 [error] 12842#12842: *1 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 80.**.**.**, server: my.proxy.com, request: "GET / HTTP/2.0", upstream: "https://127.0.0.1:3000/", host: "my.proxy.com"

Pasting my config file details below.

/etc/nginx/sites-available/default

server {
  server_name my.proxy.com;
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  ssl on;
  ssl_certificate /etc/nginx/ssl-certs/godaddy_cert.crt;
  ssl_certificate_key /etc/nginx/ssl-certs/godaddy_key.key;
  root /var/www/example.com;
  index index.html;
  location / {
    proxy_pass https://localhost:3000/;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto "https";
  }
}

/etc/grafana/grafana.ini

instance_name = my.proxy.com
[server]
# Protocol (http, https, h2, socket)
protocol = http

# The ip address to bind to, empty will bind to all interfaces
;http_addr =

# The http port to use
http_port = 3000

# The public facing domain name used to access grafana from a browser
domain = my.proxy.com

# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
enforce_domain = true

# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
#root_url = %(protocol)s://%(domain)s:%(http_port)s/
root_url = https://my.proxy.com/

# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
;serve_from_sub_path = false

# Log web requests
;router_logging = false

# the path relative working path
#static_root_path = public

# enable gzip
enable_gzip = false

# https certs & key file
#cert_file = /etc/nginx/ssl-certs/godaddy_cert.crt
#cert_key = /etc/nginx/ssl-certs/godaddy_key.key

Could you try this config file?

Thanks, @danielgonzalez for the quick update, but still am getting the same error.

Did you restart the nginx server?

Thanks @danielgonzalez, it is working. I had missed removing the s from the proxy_pass http://localhost:3000/;
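
Both errors in this thread come from the same cause: the scheme in nginx's proxy_pass did not match the protocol setting in grafana.ini. The script below is an added example (not code from any poster or from the Grafana or nginx projects) that reads both configs and reports that mismatch; its function names and sample inputs are constructed for illustration, and it assumes Grafana's defaults of protocol = http and http_port = 3000 when those keys are absent. It also flags the case noted in the posted grafana.ini comment, where an empty http_addr leaves the plain-HTTP listener bound to all interfaces rather than only the loopback address nginx proxies to.

```python
import configparser
import re

# Constructed sample inputs modelled on the last poster's configs (not real files).
NGINX_CONF = "location / {\n  proxy_pass https://localhost:3000/;\n}\n"
GRAFANA_INI = """
instance_name = my.proxy.com
[server]
protocol = http
;http_addr =
http_port = 3000
"""

def upstream_targets(nginx_conf):
    """Return (scheme, host, port) for every uncommented proxy_pass directive."""
    pat = re.compile(r"^\s*proxy_pass\s+(https?)://([^:/;\s]+)(?::(\d+))?", re.M)
    return [(s, h, int(p) if p else (443 if s == "https" else 80))
            for s, h, p in pat.findall(nginx_conf)]

def grafana_server(ini_text):
    """Read [server] from grafana.ini; keys above the first section are tolerated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("[__top__]\n" + ini_text)  # dummy section for leading keys
    srv = cp["server"] if cp.has_section("server") else {}
    return {"protocol": srv.get("protocol", "http"),
            "http_addr": srv.get("http_addr", ""),
            "http_port": int(srv.get("http_port", "3000"))}

def check(nginx_conf, ini_text):
    """Hypothetical helper: list proxy/upstream findings as strings."""
    g = grafana_server(ini_text)
    findings = []
    for scheme, _host, port in upstream_targets(nginx_conf):
        if port != g["http_port"]:
            continue  # this proxy_pass does not point at Grafana's port
        if scheme == "http" and g["protocol"] == "https":
            # First post: nginx logs "upstream sent no valid HTTP/1.0 header"
            findings.append("mismatch: nginx sends plain HTTP to a TLS listener")
        elif scheme == "https" and g["protocol"] == "http":
            # 2021 post: nginx logs "SSL_do_handshake() failed ... wrong version number"
            findings.append("mismatch: nginx starts TLS to a plain-HTTP listener")
    if g["protocol"] == "http" and g["http_addr"] == "":
        findings.append("exposure: plain-HTTP Grafana binds to all interfaces; "
                        "set http_addr = 127.0.0.1 when nginx is on the same host")
    return findings

if __name__ == "__main__":
    for finding in check(NGINX_CONF, GRAFANA_INI):
        print(finding)
```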