How to use auth proxy with nginx?

I want to use the nginx server as the grafana auth proxy server. Who can tell me the truth!

Did you get it working?

Here are some links:

For what it’s worth, thought I’d share here (and a couple of other places… cause it took me a while to crack…) how I linked my grafana to nginx authproxy using basic authentication:

NGINX.CONF: (you have to create the password file beforehand)

worker_processes 1;
daemon off;
error_log <%= ENV["APP_ROOT"] %>/logs/error.log;
events { worker_connections 1024; }

http {
  log_format cloudfoundry '$http_x_forwarded_for - $http_referer - [$time_local] "$request" $status $body_bytes_sent';
  access_log <%= ENV["APP_ROOT"] %>/nginx/logs/access.log cloudfoundry;
  default_type application/octet-stream;
  include mime.types;
  sendfile on;
  gzip on;
  tcp_nopush on;
  keepalive_timeout 30;

  server {
    listen <%= ENV["PORT"] %>;
    server_name localhost;

    # The internal IP of the VM that hosts the grafana
    set $upstream <%= ENV["GRAFANA_HOST"] %>:<%= ENV["GRAFANA_PORT"] %>;
    auth_basic "Users Area";
    auth_basic_user_file .htpasswd; 

    location ~ /\.ht { deny  all; }

    location ~ ^/grafana/(.*) {
      proxy_pass http://$upstream/$1;
      proxy_set_header X-WEBAUTH-USER $remote_user;
      proxy_set_header Authorization "";
    }

    location / {
      root <%= ENV["APP_ROOT"] %>/release;
      index index.html index.htm Default.htm;
      try_files $uri $uri/ =404;
    }
  }
}

And the minimal grafana.ini setup:

[server]
http_port = 3001
domain = localhost
root_url = http://grafana.staged-by-discourse.com/grafana/
[users]
allow_sign_up = false
[auth.proxy]
enabled = true

I’ve actually had to alter the nginx.conf after I’ve pushed my service to the cloud…
Due to the fact that the server forwards are done over IP addresses (after nginx resolved the domain name) and when working in cloud environments it is often the case that the routing is very much dependent on the domain name, since many machines share the same IP…
SO - I had to pass in the desired domain inside the forward host header!
I’m not sure exactly which header exactly made the difference but for what it’s worth I’m pasting the updated nginx.conf here:

worker_processes 1;
daemon off;

error_log <%= ENV["APP_ROOT"] %>/nginx/logs/error.log;
events { worker_connections 1024; }

http {
  log_format cloudfoundry '$http_x_forwarded_for - $http_referer - [$time_local] "$request" $status $body_bytes_sent';
  access_log <%= ENV["APP_ROOT"] %>/nginx/logs/access.log cloudfoundry;
  default_type application/octet-stream;
  include mime.types;
  sendfile on;
  gzip on;
  tcp_nopush on;
  keepalive_timeout 30;

  upstream grafana_backend {
    server <%= ENV["GRAFANA_HOST"] %>:<%= ENV["GRAFANA_PORT"] %>;
  }

  server {
    listen <%= ENV["PORT"] %>;
    server_name localhost;

    set $upstream <%= ENV["GRAFANA_HOST"] %>:<%= ENV["GRAFANA_PORT"] %>;

    auth_basic "Restricted";
    auth_basic_user_file <%= ENV["APP_ROOT"] %>/.htpasswd;

    location ~ /\.ht { deny  all; }

    location ~ ^/grafana/(.*) {
      proxy_pass http://grafana_backend/$1;

      proxy_set_header  Host $upstream;
      proxy_set_header  X-Real-IP $remote_addr;
      proxy_set_header  X-Forwarded-Proto http;
      proxy_set_header  X-Forwarded-For $upstream;
      proxy_set_header  X-Forwarded-Host $upstream;

      proxy_set_header X-WEBAUTH-USER $remote_user;
      proxy_set_header Authorization "";

    }

    location / {
      root <%= ENV["APP_ROOT"] %>/public/release;
      index index.html index.htm Default.htm;
      try_files $uri $uri/ =404;
    }
  }
}

There is a good guide from Digital Ocean community for anyone getting started with Grafana and Nginx:


Thanks, it works
Also remember to check the error.log of nginx to know why, if something goes wrong.
[Screenshots of grafana.ini and nginx.conf]


Thanks,
I am new to reverse proxies and Grafana. I need your suggestions.
In this post you mentioned a password file. I am using a Windows 10 machine; where should I create this password file and what should it contain?
After doing all this (Grafana and nginx configuration), what do I need to do? On which URL will I be able to get the grafana page?

For the password file on windows you can use this tool and store the file in the location where the auth_basic_user_file is pointing to:

https://www.htpasswdgenerator.com/download_htpasswd_generator.html

As for accessing the grafana through the reverse proxy: note that your server is listening on localhost and port (or any other definition you have in the configuration):

listen <%= ENV["PORT"] %>;
server_name localhost;

Also, note that you’ve set a prefix for grafana proxying:

location ~ ^/grafana/(.*)

or

location /grafana/

Then you can access the grafana server like this:

http://localhost:<PORT>/grafana

Sometimes I find that you have to specify the org:

http://localhost:<PORT>/grafana?orgId=1

Thanks @roy651
This is what I tried
nginx.conf

worker_processes 1;
daemon off;

#error_log C:\Users\Mahadev\Documents\Influx\nginx-1.14.0\logs\error.log;
events { worker_connections 1024; }

http {
  log_format cloudfoundry '$http_x_forwarded_for - $http_referer - [$time_local] "$request" $status $body_bytes_sent';
  #access_log C:\Users\Mahadev\Documents\Influx\nginx-1.14.0\logs\access.log cloudfoundry;
  default_type application/octet-stream;
  include mime.types;
  sendfile on;
  gzip on;
  tcp_nopush on;
  keepalive_timeout 60;

  upstream grafana_backend {
    server community.grafana.com;
  }

  server {
    listen 80;
    server_name localhost;

    set $upstream community.grafana.com;

    auth_basic "Restricted";
    auth_basic_user_file C:\Users\Mahadev\Documents\Influx\nginx-1.14.0\Htpasswd_Generator\auth_basic_user_file.htpasswd;

    location ~ /\.ht { deny  all; }

    #location ~ ^/grafana/(.*) {
    location /grafana/ {
      proxy_pass http://grafana_backend/$1;

      proxy_set_header  Host $upstream;
      proxy_set_header  X-Real-IP $remote_addr;
      proxy_set_header  X-Forwarded-Proto http;
      proxy_set_header  X-Forwarded-For $upstream;
      proxy_set_header  X-Forwarded-Host $upstream;

      proxy_set_header X-WEBAUTH-USER $remote_user;
      proxy_set_header Authorization "";

    }

    #location / {
    #  root <%= ENV["APP_ROOT"] %>/public/release;
    #  index index.html index.htm Default.htm;
    #  try_files $uri $uri/ =404;
    #}
  }
}

defaults.ini

   [auth.proxy]
   enabled = True
   header_name = X-WEBAUTH-USER
   header_property = username
   auto_sign_up = true
   ldap_sync_ttl = 60
   whitelist =

[server]
root_url = http://grafana.staged-by-discourse.com/grafana

[users]
# disable user signup / registration
allow_sign_up = false

After doing this I started nginx.exe

**auth_basic_user_file.htpasswd** file

#-->>   This file was generated in 'Htpasswd Generator' (7/9/2018)    <---#
#--->                    www.HtpasswdGenerator.com                    <---#
#--->                                                                 <---#
#--->   Total users:    1                                             <---#
#--->   Disabled users: 0                                             <---#
#--->>+++

mahadev.merahkee@gmail.com:$apr1$m//.....$m3GxZryaxA9GkBMKL4U.a/
  #-->>User extra data<---#
  #+++>FirstName=Mahadev<+++#
  #+++>RealPassword=kSA7S/X7q34=<+++#
  #+++>Email=mahadev.merahkee@gmail.com<+++#
  #+++>AddDate=43290<+++#
  #--->>+++

When I access Grafana with both the links

  1. http://grafana.staged-by-discourse.com/grafana
  2. http://grafana.staged-by-discourse.com/grafana?orgId=1

I got this page in Browser (link )

What else do I need to do, and why am I not able to see grafana?
Note: Grafana version 5.2.1
OS: Win 10 pro

@roy651
I will clarify what I am trying to do.
I have a web application [PHP] which has a login page (uses a MySQL DB to store data), and this application returns a lot of time-series data. I am storing it in InfluxDB. To dashboard that data I am using Grafana.
My requirement is: when a user logs in to the web application with username: user and password: pass, at the same time it should be possible to log in to Grafana automatically using the same username and password.

My first question: Is it feasible?
Am I going the right way?
I need your suggestions.

I believe your mistake is in the defaults.ini.
Should be:

[server]
http_port = 3000
domain = localhost
root_url = http://localhost:80/grafana/

The root_url should point to the url of the proxy server, allowing grafana to re-write the inner URLs to point back to grafana beyond the proxy.

Also - the access to grafana will only be available through the originating proxy server and not directly through the port 3000 i.e.:

http://localhost:80/grafana

or

http://localhost/grafana/?orgId=1

Thanks
Still I am not able to do
In defaults.ini
root_url = http://localhost:80/grafana

Link 1

Link2

Link 1 - is good - it means you’re hooking into the basic authentication and you should fill in the credentials you used in the htpasswd

Link 2 - is an error coming probably from grafana. Not sure exactly what. This needs further looking into the logs.

Just in case: try it with ?orgId=1

Thanks again
But still I am getting 500 error with orgId=1 also,

What’s your comment on my -

Error 500 must manifest also in either the nginx logs or the grafana logs - Start by looking there.
It appears that your reverse-proxy is configured fine, but something else is causing the error.

Per your earlier comment: this is feasible and this is the right track.

If I access Grafana with community.grafana.com I am able to use but when I configure

    server {
    listen 80;
    server_name localhost;

And try to access using localhost:80/grafana I am getting 500 error code. I am not able to figure out where the issue is.

Can you give some suggestions on configuring Grafana with openLDAP?

Can you please clarify where I am going wrong?

default…ini
[auth.basic]
enabled = true

#################################### Auth Proxy ##########################
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
ldap_sync_ttl = 60
whitelist =192.168.0.7

nginx.conf

  server {
    listen 80;
    server_name localhost;

    set $upstream community.grafana.com;

    # auth_basic "Restricted";
    # auth_basic_user_file C:\Users\Mahadev\Desktop\grafana.htpasswd;

    location ~ /\.ht { deny  all; }

    #location ~ ^/grafana/(.*) {
    location /grafana/ {
        auth_basic "grafana";
        auth_basic_user_file "C:\Users\Mahadev\Desktop\grafana.htpasswd";
        proxy_pass http://grafana.staged-by-discourse.com/;
        proxy_set_header X-WEBAUTH-USER $remote_user;
        proxy_set_header Authorization "";
    #   proxy_pass http://grafana.staged-by-discourse.com/;

    #   proxy_set_header  Host $upstream;
    #   proxy_set_header  X-Real-IP $remote_addr;
    #   proxy_set_header  X-Forwarded-Proto http;
    #   proxy_set_header  X-Forwarded-For $upstream;
    #   proxy_set_header  X-Forwarded-Host $upstream;

    #   proxy_set_header X-WEBAUTH-USER $remote_user;
    #   proxy_set_header Authorization "";

    }

    #location / {
    #  root <%= ENV["APP_ROOT"] %>/public/release;
    #  index index.html index.htm Default.htm;
    #  try_files $uri $uri/ =404;
    #}
  }

Then I am able to get link with http://grafana.staged-by-discourse.com/grafana/

Here is my grafana.httpasswd file

yajana:$apr1$APBsYsDZ$vgnxlhxZL7hyMw2l8GK/t.
deepak123@gmail.com:$apr1$m6pk2hdo$PX0TvEWCGLjMFbq6.sEQ10

But I am not able to log in to grafana. Can you please tell me where I am going wrong?

I’m not familiar with grafana connectivity to LDAP and can’t relate.
Also, difficult for me to comment on the situation without the error from the server side.

2 small things I noticed:

  • I don’t think you need the basic auth on the grafana side (unless it’s related to the LDAP)
  • I haven’t seen the grafana port configuration.

Again posting here a sample defaults.ini file, which works for me (note that my webserver listens on 8080) :

[server]
http_port = 3000
domain = localhost
root_url = http://localhost:8080/grafana/
#root_url = http://grafana.staged-by-discourse.com/
[users]
allow_sign_up = false
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
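Several [auth.proxy] blocks posted in this thread leave `whitelist` empty, which means Grafana trusts X-WEBAUTH-USER from any client that can reach its own port, not only from nginx. The following is an added example (not from any poster in the thread and not Grafana's own code) that audits a grafana.ini for this; the finding codes, the `proxy_ips` parameter and the sample file are constructed for illustration, and treating an absent `auto_sign_up` as off is an assumption of the example.

```python
import configparser

# Constructed sample combining settings posted in the thread.
SAMPLE_INI = """\
[server]
http_port = 3000
root_url = http://localhost:8080/grafana/
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
auto_sign_up = true
whitelist =
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_auth_proxy(ini_text, proxy_ips=("127.0.0.1",)):
    """Return (code, message) findings for a grafana.ini that uses [auth.proxy].

    proxy_ips (hypothetical parameter): addresses nginx connects from.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    if not cp.getboolean("auth.proxy", "enabled", fallback=False):
        return []
    findings = []
    header = cp.get("auth.proxy", "header_name", fallback="X-WEBAUTH-USER")
    raw = cp.get("auth.proxy", "whitelist", fallback="")
    allowed = {ip.strip() for ip in raw.split(",") if ip.strip()}
    bind = cp.get("server", "http_addr", fallback="").strip()
    if not allowed:
        findings.append(("EMPTY_WHITELIST",
                         f"any client reaching Grafana directly can set {header}"))
    extra = allowed - set(proxy_ips)
    if extra:
        findings.append(("UNEXPECTED_WHITELIST_ENTRY", ", ".join(sorted(extra))))
    # An empty http_addr makes Grafana listen on all interfaces.
    if bind not in LOOPBACK and not allowed:
        findings.append(("EXPOSED_LISTENER",
                         "http_addr is not loopback and no whitelist applies"))
    # Assumption of this example: an absent auto_sign_up counts as off.
    if cp.getboolean("auth.proxy", "auto_sign_up", fallback=False) and not allowed:
        findings.append(("AUTO_SIGN_UP_OPEN",
                         "unknown usernames in the header become new accounts"))
    return findings

if __name__ == "__main__":
    for code, msg in audit_auth_proxy(SAMPLE_INI):
        print(f"{code}: {msg}")
```

Setting `whitelist` to the proxy's address and `http_addr` to the interface nginx connects on clears all findings for the sample.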