Grafana "Sign In" navigation item misses the subpath (behind proxy) but other nav items do not!

  • What Grafana version and what operating system are you using?
    Grafana 9.3.1

  • What are you trying to achieve?
    After update to Grafana 9.3.1 from 9.2.6.

  • How are you trying to achieve it?

  • What happened?
    login URL in nav menu item “Sign In” is wrong – missing the subpath. The site is behind a proxy. Although all other menu URLs are correct for example: https://domain.com/charts/dashboards" for Dashboards, the “Sign In” link is “https:/domain.com/?orgId=1&forceLogin=true” without the “charts/” subpath.
    First nav menu item (the one with the grafana logo) promotes to correct login url: “https://domain.com/charts/login”.

  • What did you expect to happen?

  • Did you receive any errors in the Grafana UI or in related logs? If so, please tell us exactly what they were.
    No errors in logs

2 Likes

:Hi @terawgm,

Welcome to the :grafana: community support forums !!

Can you please share your:

1- Grafana configuration file

2- Proxy configuration file

3- Proxy based on Apache or Nginx?

Thanks

  1. I have change only some values from the default conf file, which are:
################################## Server ###############################
[server]
#Protocol (http, https, h2, socket)
protocol = https

#The public facing domain name used to access grafana from a browser
domain = site1.domain.com

#The full public facing url you use in browser, used for redirects and emails
#If you use reverse proxy and sub path specify full url (with sub path)
root_url = https://site1.domain.com/charts/

#Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
serve_from_sub_path = true

#Log web requests
router_logging = true

#https certs & key file
cert_file = /etc/grafana/cert.pem
cert_key = /etc/grafana/key.pem

################################# Security ##################################
[security]
#default admin user, created on startup
admin_user = admin

#set to true if you host Grafana behind HTTPS. default is false.
cookie_secure = true

#set to true if you want to allow browsers to render Grafana in a frame, iframe, embed or  object.  #default is false.
allow_embedding = true

#################################### Anonymous Auth ######################
[auth.anonymous]
#enable anonymous access
enabled = true

#specify organization name that should be used for unauthenticated users
org_name = Main Org.

#specify role for unauthenticated users
org_role = Viewer

############################# Grafana Live ###################################

[live]
#allowed_origins is a comma-separated list of origins that can establish connection with Grafana Live.
#If not set then origin will be matched over root_url. Supports wildcard symbol "*".
allowed_origins = *
  1. Apache VH conf file
<VirtualHost *:443>

     ServerAdmin site1-webmasters@domain.com
     ServerName site1.domain.com

     SSLEngine On
     SSLCertificateFile /etc/ssl/certs/site1.crt
     SSLCertificateKeyFile /etc/ssl/private/site1.key

     AddDefaultCharset UTF-8
     RewriteEngine On

     # Make necessary changes below if php is not needed
     # php_admin_value engine off
     # Would this work without /tmp???
     php_admin_value open_basedir /var/www/site1:/tmp

     DocumentRoot /var/www/site1
     <Directory />
             Options FollowSymLinks
             AllowOverride All
     </Directory>
     <Directory /var/www/site1>
             Options FollowSymLinks MultiViews
             AllowOverride All
             Order allow,deny
             allow from all
     </Directory>

     #RequestHeader set Host "site1.domain.com" #didn't work#

     ProxyRequests Off
     ProxyPreserveHost Off
     # ProxyPreserveHost On #didn't work#
     SSLProxyEngine On

     <Location "/charts/">
             #Header set Access-Control-Allow-Origin "*" #didn't work#
             ProxyPass "https://site2.domain.com:3000/"
             ProxyPassReverse "https://site2.domain.com:3000/"
     </Location>

     ErrorLog /var/log/apache2/site1/site1-error.log

     # Possible values include: debug, info, notice, warn, error, crit,
     # alert, emerg.
     LogLevel warn

     # The below line is not needed since the 'vhosts_common' format is defined 
     # in /etc/apache2/conf-available/domain-logformat and enable at 'conf-enabled'
     #LogFormat "%v:%p %h %l %u %t:%{ms}Tms PID:%P \"%r\" %>s %O %T \"%{Referer}i\" \"%{User-Agent}i\" \"%U\" \"%q\" IO:%I/%O" vhosts_common

     CustomLog /var/log/apache2/site1/site1-access.log vhosts_common
     CustomLog "|/usr/bin/logger -p local6.info" vhosts_common

</VirtualHost>
  1. Apache on Debian

Same

Nginx conf

    location /grafana/ {
      rewrite  ^/grafana/(.*)  /$1 break;
      alias /usr/share/grafana/;
      access_log /var/log/nginx/grafana_access.log main;
      error_log /var/log/nginx/grafana_error.log;
      proxy_pass http://127.0.0.1:3000;
      proxy_set_header Host $http_host;
    }

    location /grafana/api/live/ {
      rewrite  ^/grafana/(.*)  /$1 break;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $connection_upgrade;
      proxy_set_header Host $http_host;
      proxy_pass http://127.0.0.1:3000;
    }

Please check this post as I think it might help you to narrow it down when configuring a reverse proxy for Grafana.

Let us know if this helps.

Hello dear team,

I’m facing the same issue : after having migrated from 9.2.6 to 9.3.1, I lost my signing configuration that was working behind a Traefik proxy.

Here is a part of my Dockerfile configuration:

  - GF_AUTH_ANONYMOUS_ORG_ROLE=Viewer
  - GF_AUTH_ANONYMOUS_ENABLED=true
  - GF_AUTH_BASIC_ENABLED=false
  - GF_ENABLE_GZIP=true
  - GF_USERS_ALLOW_SIGN_UP=false
  - GF_SERVER_PROTOCOL=https
  - GF_SERVER_DOMAIN=test.example.com
  - GF_SERVER_ENFORCE_DOMAIN=true
  - GF_SERVER_ROOT_URL=https://test.example.com/grafana
  - GF_SERVER_SERVE_FROM_SUB_PATH=true

Before the migration, the Sign In link redirected me to https://test.example.com/grafana?orgId=1&forceLogin=true

This was working fine as my Traefik config matches to PathPrefix ‘/grafana’

After the migration, the Sign In link redirects me to https://test.example.com/?orgId=1&forceLogin=true

The subpath /grafana doesn’t appear anymore in the Sign In link and of course, my proxy sends me back a 404.

Please note that it’s not related to my Traefik configuration as it worked when I downgraded to 9.2.6 version of Grafana.

Any idea how to fix that point ?

Thanks for your help.

Vivien

Hi @vivienjacob and others too,

Well, I cannot find the reason that causes this and do not have different lab environments e.g. Trafeik Proxy.

So recommend that you can kindly open a bug report about this in our official GitHub repository using this link.

Provide all the information (you can simply copy/paste your data + screenshot from here to there).

Lastly, paste the link to your GitHub issue here so that all other community users can also track it.