So, I’m starting to feel pretty crazy. I’m unable to access grafana through the https proxy. I’ve looked at the documentation for this a multitude of times. Here is my nginx config:
With that setup, I have the following in my grafana.ini file.
instance_name = my.domain.name
[server]
protocol = https
# The http port to use
http_port = 3000
# The public facing domain name used to access grafana from a browser
domain = my.domain.name
# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
enforce_domain = true
# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://my.domain.name/
# https certs & key file
cert_file = /etc/grafana/cloud_flare_cert.pem
cert_key = /etc/grafana/cloud_flare_key.pem
For the life of me, I cannot figure out why I can’t access grafana by heading to https://my.domain.name.
I do see the following text in my nginx error.log file when I attempt to load the URL:
2019/05/07 05:28:32 [error] 6443#6443: *1 upstream sent no valid HTTP/1.0 header while reading response header from upstream
I’m hoping I’m just tired and missed something silly somewhere. As the cert file names show, I am behind Cloudflare, but I’m not sure what that does in terms of accessibility.
instance_name = my.domain.name
[server]
#here
protocol = http
# The http port to use
http_port = 3000
# The public facing domain name used to access grafana from a browser
domain = my.domain.name
# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
enforce_domain = true
# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://my.domain.name/
# https certs & key file
#Here
#cert_file = /etc/grafana/cloud_flare_cert.pem
#cert_key = /etc/grafana/cloud_flare_key.pem
You do not need (I do not believe) https between Grafana and Nginx.
Or maybe you can edit nginx.conf, but I’m not sure.
> instance_name = my.proxy.com
> [server]
> # Protocol (http, https, h2, socket)
> protocol = http
> # The ip address to bind to, empty will bind to all interfaces
> ;http_addr =
> # The http port to use
> http_port = 3000
> # The public facing domain name used to access grafana from a browser
> domain = my.proxy.com
> # Redirect to correct domain if host header does not match domain
> # Prevents DNS rebinding attacks
> enforce_domain = true
> # The full public facing url you use in browser, used for redirects and emails
> # If you use reverse proxy and sub path specify full url (with sub path)
> #root_url = %(protocol)s://%(domain)s:%(http_port)s/
> root_url = https://my.proxy.com/
> # Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
> ;serve_from_sub_path = false
> # Log web requests
> ;router_logging = false
> # the path relative working path
> #static_root_path = public
> # enable gzip
> enable_gzip = false
> # https certs & key file
> #cert_file = /etc/nginx/ssl-certs/godaddy_cert.crt
> #cert_key = /etc/nginx/ssl-certs/godaddy_key.key
Hi, we are trying this configuration in nginx.conf:
server {
    listen 443 ssl http2 default_server;
    ssl_certificate "/etc/nginx/cert/cert.pem";
    ssl_certificate_key "/etc/nginx/cert/certkey.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    root /usr/share/nginx/html;
    location / {
    }
    location /grafana/
    {
        proxy_pass https://localhost:3000/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto "https";
        #add_header Access-Control-Allow-Origin $http_origin; #this mirrors back whatever domain the request came from as authorized, as
        #add_header "Access-Control-Allow-Credentials" "true"; #as long as it matches one of your if statements
        #add_header "Access-Control-Allow-Methods" "GET, OPTIONS";
        #add_header "Access-Control-Allow-Headers" "Authorization, origin, accept";
        #rewrite ^/grafana/(.*) /$1 break;
    }
}
and this in grafana.ini, but it does not work
[server]
# Protocol (http, https, h2, socket)
protocol = http
# The ip address to bind to, empty will bind to all interfaces
;http_addr =
# The http port to use
http_port = 3000
# The public facing domain name used to access grafana from a browser
;domain = localhost
# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
enforce_domain = true
# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://10.138.1.117:3000/grafana/
# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
serve_from_sub_path = true
# Log web requests
;router_logging = false
# the path relative working path
;static_root_path = public
# enable gzip
;enable_gzip = false
# https certs & key file
cert_file = /etc/ssl/certs/cert.pem
cert_key = /etc/ssl/certs/certkey.pem
But the proxy does not work. Can you see anything?
If the proxy already terminates SSL, I think you don’t need to run Grafana in https mode.
So, you can comment out the cert in grafana.ini and set root_url to just the domain of the vhost in the nginx.conf.
Also, in the nginx.conf, since you are using https, you need to set server_name according to your SSL certificate name.
First of all, make sure Grafana is running on port 3000 using curl http://localhost:3000,
then you can check the nginx config using nginx -t to make sure all the configuration is good.
After all the tests have worked fine, just restart nginx.
To make sure the whole setup is working, you can use curl https://<your_server_name>/grafana
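
The configs posted in this thread disagree on whether nginx and Grafana speak http or https to each other on port 3000. As an added example (not written by any poster here and not Grafana or nginx code), this sketch compares the active proxy_pass directive with the [server] block of grafana.ini and reports the mismatches the replies point at. The function name check_proxy_pair and the sample inputs are constructed for illustration.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed inputs modelled on the nginx.conf / grafana.ini posted above.
SAMPLE_NGINX = """
location /grafana/ {
    #proxy_pass http://127.0.0.1:3000/;
    proxy_pass https://localhost:3000/;
}
"""
SAMPLE_GRAFANA = """
instance_name = my.domain.name
[server]
protocol = http
http_port = 3000
root_url = https://10.138.1.117:3000/grafana/
cert_file = /etc/ssl/certs/cert.pem
"""
# Scheme nginx must use upstream for each Grafana [server] protocol value.
SCHEME_FOR = {"http": "http", "https": "https", "h2": "https"}


def check_proxy_pair(nginx_conf, grafana_ini):
    """Return findings for an nginx -> Grafana reverse-proxy config pair."""
    cp = configparser.ConfigParser(interpolation=None)
    # grafana.ini may have keys before the first section; park them in DEFAULT.
    cp.read_string("[DEFAULT]\n" + grafana_ini)
    server = cp["server"] if "server" in cp else cp["DEFAULT"]
    protocol = server.get("protocol", "http")
    port = server.get("http_port", "3000")
    # Only active directives count; commented-out lines start with '#'.
    m = re.search(r"^\s*proxy_pass\s+(\S+?)\s*;", nginx_conf, re.MULTILINE)
    if not m:
        return ["no active proxy_pass directive found"]
    upstream = urlparse(m.group(1))
    findings = []
    if SCHEME_FOR.get(protocol) != upstream.scheme:
        findings.append(f"proxy_pass uses {upstream.scheme} but Grafana protocol = {protocol}")
    if upstream.port is not None and str(upstream.port) != port:
        findings.append(f"proxy_pass port {upstream.port} != http_port {port}")
    if protocol == "http" and (server.get("cert_file") or server.get("cert_key")):
        findings.append("cert_file/cert_key set but unused with protocol = http")
    root = urlparse(server.get("root_url", ""))
    if root.port is not None and str(root.port) == port:
        findings.append("root_url points at Grafana's backend port, not the proxy URL")
    return findings
```

Pass the text of the two files to check_proxy_pair(); an empty list means the proxy and Grafana agree on scheme and port and root_url does not expose the backend port.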