I have a Grafana instance on which I would like to restrict admin interfaces to a set of specific IPs.
My Grafana instance runs behind an NGINX instance.
I have thought of 2 options in order to achieve this:
- Whitelist Grafana subpaths such as grafana/admin or grafana/datasources on my NGINX proxy.
- Whitelist IPs of admin users.
The first option seemed to be the most feasible to me, so I added NGINX IP whitelisting on the specific subpaths. This works well when the user tries to issue a request directly to the subpath, but I encounter an issue when the user starts by reaching the root URL.
Indeed, Grafana is a Single Page Application, so after reaching the root URL, when a user clicks on the admin interface button, the new components are served directly by the client without issuing a request to the server, which means no new request goes through the NGINX server, preventing the whitelisting from taking place.
After seeing this, it looks like I will not be able to implement the first option successfully since I would need to add some logic on the client side (so inside Grafana’s code) to block IPs for some subpaths.
The second option also seems hardly achievable since I did not find any way to restrict access on specific IPs based on the role in the Grafana documentation.
Would anyone have any idea how to achieve this?
Thanks in advance for your help!
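
The setup described in the question, as an added example that is not part of the original post: an NGINX configuration that whitelists the page routes, with the same allow list also applied to Grafana's admin HTTP API under `api/admin`, which the single-page client still has to request through the proxy. The addresses, server name, upstream and the `/grafana/` sub-path (Grafana set to serve from a sub-path) are assumptions chosen for illustration.

```nginx
# Added example. All names and addresses below are constructed placeholders.
upstream grafana {
    server 127.0.0.1:3000;              # assumed Grafana listen address
}

server {
    listen 80;
    server_name monitoring.example.test;

    # Page routes from the question. This only filters direct requests
    # (typed URL, reload, bookmark). Client-side navigation from the root
    # URL renders these views without a new page request, so this block
    # alone does not stop the admin screens from being displayed.
    location ~ ^/grafana/(admin|datasources)(/|$) {
        allow 203.0.113.10;             # admin workstation (constructed)
        allow 203.0.113.11;
        deny  all;
        proxy_set_header Host $host;
        proxy_pass http://grafana;
    }

    # Admin HTTP API. The admin views load and change server settings
    # through requests under api/admin, and those requests do cross the
    # proxy, so the IP filter is enforced here regardless of how the user
    # reached the view in the browser.
    location ~ ^/grafana/api/admin(/|$) {
        allow 203.0.113.10;
        allow 203.0.113.11;
        deny  all;
        proxy_set_header Host $host;
        proxy_pass http://grafana;
    }

    # Everything else (dashboards, static assets, other API calls).
    location /grafana/ {
        proxy_set_header Host $host;
        proxy_pass http://grafana;
    }
}
```

With this layout a non-whitelisted client may still see the empty admin view rendered by the browser, but the `api/admin` requests behind it are answered with 403 by NGINX.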