How to use auth proxy with nginx?

There is a good guide from Digital Ocean community for anyone getting started with Grafana and Nginx:

1 Like

Thanks, it works
Also remember to check the error.log of nginx to know why, if something goes wrong.
grafana.ini
image
nginx.conf
image

3 Likes

Thanks,
I am new to reverse proxies and Grafana. I need your suggestions.
In this post you mentioned a password file. I am using a Windows 10 machine; where should I create this password file and what should it contain?
After doing all this (Grafana and Nginx configuration), what do I need to do? On which URL will I be able to get the Grafana page?

For the password file on Windows you can use this tool and store the file in the location where the auth_basic_user_file is pointing to:

https://www.htpasswdgenerator.com/download_htpasswd_generator.html

As for accessing Grafana through the reverse proxy: note that your server is listening on localhost and port (or any other definition you have in the configuration):

listen <%= ENV["PORT"] %>;
server_name localhost;

Also, note that you’ve set a prefix for grafana proxying:

location ~ ^/grafana/(.*)

or

location /grafana/

Then you can access the grafana server like this:

http://localhost:<PORT>/grafana

Sometimes I find that you have to specify the org:

http://localhost:<PORT>/grafana?orgId=1

Thanks @roy651
This is what I tried
nginx.conf

worker_processes 1;
daemon off;

#error_log C:\Users\Mahadev\Documents\Influx\nginx-1.14.0\logs\error.log;
events { worker_connections 1024; }

http {
  log_format cloudfoundry '$http_x_forwarded_for - $http_referer - [$time_local] "$request" $status $body_bytes_sent';
  #access_log C:\Users\Mahadev\Documents\Influx\nginx-1.14.0\logs\access.log cloudfoundry;
  default_type application/octet-stream;
  include mime.types;
  sendfile on;
  gzip on;
  tcp_nopush on;
  keepalive_timeout 60;

  upstream grafana_backend {
    server localhost:3000;
  }

  server {
    listen 80;
    server_name localhost;

    set $upstream localhost:3000;

    auth_basic "Restricted";
    auth_basic_user_file C:\Users\Mahadev\Documents\Influx\nginx-1.14.0\Htpasswd_Generator\auth_basic_user_file.htpasswd;

    location ~ /\.ht { deny  all; }

    #location ~ ^/grafana/(.*) {
    location /grafana/ {
      proxy_pass http://grafana_backend/$1;

      proxy_set_header  Host $upstream;
      proxy_set_header  X-Real-IP $remote_addr;
      proxy_set_header  X-Forwarded-Proto http;
      proxy_set_header  X-Forwarded-For $upstream;
      proxy_set_header  X-Forwarded-Host $upstream;

      proxy_set_header X-WEBAUTH-USER $remote_user;
      proxy_set_header Authorization "";

    }

    #location / {
    #  root <%= ENV["APP_ROOT"] %>/public/release;
    #  index index.html index.htm Default.htm;
    #  try_files $uri $uri/ =404;
    #}
  }
}

defaults.ini

   [auth.proxy]
   enabled = True
   header_name = X-WEBAUTH-USER
   header_property = username
   auto_sign_up = true
   ldap_sync_ttl = 60
   whitelist =

[server]
root_url = http://localhost:3000/grafana

[users]
# disable user signup / registration
allow_sign_up = false

After doing this I started nginx.exe

**auth_basic_user_file.htpasswd** file

#-->>   This file was generated in 'Htpasswd Generator' (7/9/2018)    <---#
#--->                    www.HtpasswdGenerator.com                    <---#
#--->                                                                 <---#
#--->   Total users:    1                                             <---#
#--->   Disabled users: 0                                             <---#
#--->>+++

mahadev.merahkee@gmail.com:$apr1$m//.....$m3GxZryaxA9GkBMKL4U.a/
  #-->>User extra data<---#
  #+++>FirstName=Mahadev<+++#
  #+++>RealPassword=kSA7S/X7q34=<+++#
  #+++>Email=mahadev.merahkee@gmail.com<+++#
  #+++>AddDate=43290<+++#
  #--->>+++

When I access Grafana with both the links

  1. http://localhost:3000/grafana
  2. http://localhost:3000/grafana?orgId=1

I got this page in the browser (link)

What else do I need to do, and why am I not able to see Grafana?
Note: Grafana version 5.2.1
OS: Win 10 pro

@roy651
I will clarify what I am trying to do.
I have a web application [PHP] which has a login page (uses a MySQL DB to store data), and this application returns a lot of time-series data. I am storing it in InfluxDB. To dashboard that data I am using Grafana.
My requirement is: when a user logs in to the web application with username: user and password: pass, it should at the same time be possible to log in to Grafana automatically using the same username and password.

My first question: Is it feasible?
Am I going the right way?
I need your suggestions.

I believe your mistake is in the defaults.ini.
Should be:

[server]
http_port = 3000
domain = localhost
root_url = http://localhost:80/grafana/

The root_url should point to the url of the proxy server, allowing grafana to re-write the inner URLs to point back to grafana beyond the proxy.

Also - the access to grafana will only be available through the originating proxy server and not directly through the port 3000 i.e.:

http://localhost:80/grafana

or

http://localhost/grafana/?orgId=1

Thanks
Still I am not able to do
In defaults.ini
root_url = http://localhost:80/grafana

Link 1

Link 2

Link 1 - is good - it means you’re hooking into the basic authentication and you should fill in the credentials you used in the htpasswd

Link 2 - is an error coming probably from Grafana. Not sure exactly what. This needs further looking into the logs.

Just in case: try it with ?orgId=1

Thanks again
But still I am getting 500 error with orgId=1 also,

What’s your comment on my -

Error 500 must manifest also in either the nginx logs or the grafana logs - Start by looking there.
It appears that your reverse proxy is configured fine, but something else is causing the error.

Per your earlier comment: this is feasible and this is the right track.

If I access Grafana with localhost:3000 I am able to use but when I configure

    server {
    listen 80;
    server_name localhost;

And try to access using localhost:80/grafana I am getting 500 error code. I am not able to figure out where the issue is.

Can you give some suggestions on configuring Grafana with OpenLDAP?

Can you please clarify where I am going wrong?

default…ini
[auth.basic]
enabled = true

#################################### Auth Proxy ##########################
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
ldap_sync_ttl = 60
whitelist =192.168.0.7

nginx.conf

  server {
    listen 80;
    server_name localhost;

    set $upstream localhost:3000;

    # auth_basic "Restricted";
    # auth_basic_user_file C:\Users\Mahadev\Desktop\grafana.htpasswd;

    location ~ /\.ht { deny  all; }

    #location ~ ^/grafana/(.*) {
    location /grafana/ {
        auth_basic "grafana";
        auth_basic_user_file "C:\Users\Mahadev\Desktop\grafana.htpasswd";
        proxy_pass http://localhost:3000/;
        proxy_set_header X-WEBAUTH-USER $remote_user;
        proxy_set_header Authorization "";
    #   proxy_pass http://localhost:3000/;

    #   proxy_set_header  Host $upstream;
    #   proxy_set_header  X-Real-IP $remote_addr;
    #   proxy_set_header  X-Forwarded-Proto http;
    #   proxy_set_header  X-Forwarded-For $upstream;
    #   proxy_set_header  X-Forwarded-Host $upstream;

    #   proxy_set_header X-WEBAUTH-USER $remote_user;
    #   proxy_set_header Authorization "";

    }

    #location / {
    #  root <%= ENV["APP_ROOT"] %>/public/release;
    #  index index.html index.htm Default.htm;
    #  try_files $uri $uri/ =404;
    #}
  }

Then I am able to get link with http://localhost:3000/grafana/

Here is my grafana.htpasswd file

yajana:$apr1$APBsYsDZ$vgnxlhxZL7hyMw2l8GK/t.
deepak123@gmail.com:$apr1$m6pk2hdo$PX0TvEWCGLjMFbq6.sEQ10

But I am not able to log in to Grafana. Can you please tell me where I am going wrong?

I’m not familiar with grafana connectivity to LDAP and can’t relate.
Also, difficult for me to comment on the situation without the error from the server side.

2 small things I noticed:

  • I don’t think you need the basic auth on the grafana side (unless it’s related to the LDAP)
  • I haven’t seen the grafana port configuration.

Again posting here a sample defaults.ini file, which works for me (note that my webserver listens on 8080) :

[server]
http_port = 3000
domain = localhost
root_url = http://localhost:8080/grafana/
#root_url = http://localhost:3000/
[users]
allow_sign_up = false
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
1 Like
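
The settings discussed in this thread, checked mechanically (an added example, not part of the original posts and not Grafana's own tooling): the sketch flags a root_url that does not point at the proxy and an enabled [auth.proxy] with an empty whitelist. The function names, the sample ini text and the 127.0.0.1 whitelist value are assumptions made for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Constructed samples based on the settings quoted in the thread.
QUESTION_INI = """
[server]
root_url = http://localhost:3000/grafana
[auth.proxy]
enabled = True
header_name = X-WEBAUTH-USER
whitelist =
"""
# The whitelist value is an assumption: nginx running on the same host.
FIXED_INI = """
[server]
http_port = 3000
root_url = http://localhost:80/grafana/
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
whitelist = 127.0.0.1
"""

def _origin(url):
    """(host, port) of a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)

def check_auth_proxy(ini_text, proxy_url):
    """Return findings for a Grafana ini that sits behind an auth proxy."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    findings = []
    root_url = cfg.get("server", "root_url", fallback="")
    if _origin(root_url) != _origin(proxy_url):
        findings.append("root_url does not point at the proxy")
    elif urlsplit(root_url).path.rstrip("/") != urlsplit(proxy_url).path.rstrip("/"):
        findings.append("root_url path differs from the proxied prefix")
    if cfg.getboolean("auth.proxy", "enabled", fallback=False):
        # With no whitelist, any client that can reach Grafana's own port
        # can send the user header itself and be signed in as that user.
        if not cfg.get("auth.proxy", "whitelist", fallback="").strip():
            findings.append("auth.proxy whitelist is empty")
    return findings

if __name__ == "__main__":
    for name, ini in (("question", QUESTION_INI), ("fixed", FIXED_INI)):
        print(name, check_auth_proxy(ini, "http://localhost/grafana/"))
```

Binding Grafana to the loopback interface or firewalling port 3000 complements the whitelist, since the header is only trustworthy when it can arrive solely from the proxy.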

Thanks this works fine for me

Hi,
can anyone help me with Grafana
[auth.generic_oauth] using AWS OAuth2 SSO login?

Hi. Do you mind sharing with me the steps you have taken to create the reverse proxy with Grafana? I'm not sure where I should create the nginx file. I'm using Windows and there are not many examples available.