NGINX Proxy from New Domain to Old Domain

I am currently running a Grafana server with an NGINX server in front of it to serve it up from my grafana.olddomain.uk:

location / {
    proxy_pass         http://127.0.0.1:3000;
}

I would like to proxy from my new domain (https://my.newdomain/grafana) to the old domain but have been hitting problems with the config:

location /grafana {
  max_ranges 0;
  rewrite ^/grafana/(.*)$  /$1  break;
  proxy_pass https://grafana.olddomain.uk/;
  proxy_ssl_server_name on;
  proxy_ssl_trusted_certificate /etc/nginx/conf.d/trusted_ca_cert.pem;
  proxy_set_header Host $host;
}

This is throwing an error clearly being served by Grafana:

If you're seeing this Grafana has failed to load its application files

1. This could be caused by your reverse proxy settings.
2. If you host grafana under subpath make sure your grafana.ini root_url setting includes subpath
3. If you have a local dev build make sure you build frontend using: yarn start, yarn start:hot, or yarn build
4. Sometimes restarting grafana-server can help

So that seems pretty clear, I am using a sub folder now and need to change grafana.ini but that will break grafana.olddomain.uk.

What do I need in my newdomain location to get this working?

Hi @snazzybootman ,

If I understand correctly, you want all traffic sent to new.uk to redirect to old.uk, which then will proxy-pass all traffic to localhost:3000.

I would instead have new.uk proxy-pass to localhost:3000 and then set a redirect policy for old.uk. In other words:

Make sure you have an A record in your DNS settings so that new.uk points to whatever IP grafana-server is running on. Now replace old.uk with new.uk in your existing server block on the line that starts server_name:

  • Save the file
  • Make sure the edited file is linked to a copy in /nginx/sites-enabled/
  • Run sudo nginx -t to check your config
  • If no errors, then run sudo systemctl restart nginx

Great, you’ve now pointed your new domain at grafana-server and directed all traffic to new.uk to redirect to localhost:3000, where Grafana is running.

Now the only problem is setting up a redirect policy for old.uk.

To set up a good redirect policy, I would suggest reading this excellent tutorial on how to set up temporary and permanent redirects on Nginx

Happy Friday and I hope this helps!

~matt

Hi Matt,

Well that would be rather tricky - the NGINX server for old.uk resides on the same machine as Grafana localhost:3000 and new.uk is in an entirely different network segment. This really should be as simple as setting up a proxy_pass directive but it’s not. Any idea why?

Not sure about it being a network anti-pattern; it's very common to use a reverse proxy to access other web applications that are not exposed to the end user.

Hi @snazzybootman ,

I guess I’m not picturing your networking architecture well enough. I was most curious about the https://my.newdomain/grafana ==> https://grafana.olddomain.uk/ ==> grafana-server redirection chain.

As you say in your original post, you want to proxy one domain to another domain, which is then proxying to localhost:3000. Do you need the middleman?

In other words, are you saying that the DNS for new.uk points to, say, virtual-machine-1 where you are running some-services, and the DNS for old.uk points to virtual-machine-2, where you are running grafana behind Nginx?

Hi Matt,

old.uk is actively in use every day and will continue to do so for some time. grafana.olddomain.uk points at an EC2 server running NGINX/GRAFANA.

The grafana-server running on localhost:3000 is not exposed to anything other than an NGINX server on the EC2 host (nor will it ever be).

my.new.domain.uk is a Fargate container running NGINX as a reverse proxy to multiple web applications in various places. I need to be able to use https://my.newdomain.uk/grafana to hit the old domain's Grafana front end, which happens to be an NGINX server (that shouldn’t even be a factor here but it seems it is).

I apologise for my use of the words old/new they seem to have caused some confusion. Maybe I should have said current (old) and additional (new).

ok! I think I have a much clearer picture. I have one suggestion based on a very similar setup that I’m running. If it doesn’t help ya out, then I can ping some of the backend engineers on the team. I use a server block like this to pass traffic into/out of proxies:

        server_name example.com;

        location /metrics {
            allow 104.236.x.xxx;
            deny all;
            proxy_pass           http://localhost:9100/metrics;
        }

        location /elastic {
            allow 104.236.x.xxx;
            deny all;
            proxy_pass           http://localhost:9200/;
        }

So I’m wondering, if you use IP Tables or UFW or whatever to expose port 3000, and then lock the port down using allow new-ip and deny all, would that get you closer? So you have a new server block like:

        server_name grafana.olddomain.uk;

        location / {
            allow new-ip-here;
            deny all;
            proxy_pass           http://localhost:3000;
        }

and then on the other machine you redirect location /grafana { to old-ip:3000 rather than the old-domain-name.

Thoughts?

Hi Matt,

That's pretty much what I have now and I am getting an odd redirect instead of the login page (according to the curl response I have). Yes, the EC2 host is running firewalld, selinux and security groups are in place. Unencrypted traffic over the AWS backbone is a very bad idea, thus the secured reverse proxies.

Would love to hear some ideas on how to get the new proxy config in the right shape if it's not too much trouble? It should be such a simple thing to do so I am sure if I missed something really obvious.

I have a strong feeling it’s to do with serving Grafana under a subpath. For some reason that seems to consistently cause headaches. There are a few threads on here discussing the issue - and sharing working (as well as non-working) configs; maybe check this one from a few days ago: Serve Grafana through reverse proxy (nginx)


Yes I have seen a few of these in the forum but even trying the one you posted @svetb I still see that the path /grafana/ is getting through to Grafana. I can only assume that the sub folder is not getting rewritten which is very odd:

t=2021-04-19T09:53:01+0100 lvl=info msg="Request Completed" logger=context userId=0 orgId=0 uname= method=GET path=/grafana/ status=404 remote_addr=127.0.0.1 time_ms=1 size=24226 referer=

If I then set the config to this (removing the $request_url in the proxy_pass) I get a 404 for the login page that is clearly not hitting Grafana (served up by the new domain NGINX server). I can see that my request is being rewritten to path=/ but the redirect to /login never happens. This is because the newdomain proxy is getting the redirect as https://my.newdomain/login:

location ^~ /grafana/ {
  proxy_ssl_server_name on;
  proxy_ssl_trusted_certificate /etc/nginx/conf.d/trusted_ca_cert.pem;
  proxy_pass https://grafana.olddomain.uk/;
}

I must be missing a proxy_set_header or maybe I just need to work around what is getting returned and add another location block for path=/login (which seems like the wrong thing to do).

I had a bit more of a think about this. I really feel like I had something like this working last week, but can’t seem to reproduce it now.

And on reflection, I’m actually not totally sure whether what you’re trying to do will work. Specifically, because you need Grafana to be available on two different domains, where it is served under a subpath on one, but not on the other. If it was a subpath on both, you would just enable the serve_from_sub_path flag on the Grafana server and be done with it, but I guess that’s not an option here.

As you correctly observed, if a user tries to go to /grafana/ on newdomain, if the proxying is working correctly, they will be served / on olddomain. So far so good, but Grafana will come back with a 302 Redirect response to /login, which itself is obviously not proxied. And I agree with you that trying to proxy every path that Grafana might send the user to is a fool’s errand.

What you need to do may be possible with some fancier rewrites on the nginx proxy, but I’m afraid I don’t have an answer off the top of my head.

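
The redirect behaviour described in the post above, as an added example that is not from the thread: nginx's proxy_redirect can rewrite the Location header so that a root-relative redirect stays under /grafana/. It assumes Grafana answers with a relative "Location: /login", and it covers redirects only; the asset URLs in Grafana's HTML still follow root_url, which is what the error page quoted in the first post points at.

```nginx
# Added example (not from the thread). Same location block as the one posted
# above, plus explicit Location-header rewriting.
location ^~ /grafana/ {
  proxy_pass https://grafana.olddomain.uk/;
  proxy_ssl_server_name on;
  proxy_ssl_trusted_certificate /etc/nginx/conf.d/trusted_ca_cert.pem;

  # With no proxy_redirect directive, nginx applies "proxy_redirect default",
  # which here means: https://grafana.olddomain.uk/  ->  /grafana/
  # That only matches Location values beginning with the proxy_pass URL, so a
  # relative "Location: /login" (assumed) passes through unchanged and the
  # browser requests https://my.newdomain/login, outside this location.

  # Map root-relative redirects back under the prefix:
  #   Location: /login  ->  Location: /grafana/login
  proxy_redirect / /grafana/;

  # Explicit rules replace the implicit default, so restate it to keep the
  # absolute-URL mapping as well.
  proxy_redirect default;
}
```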

So after a lot of attempts at getting a sub path working I had to give up and set this up on root. This required splitting all the configurations up into separate sites.

location / {
  max_ranges 0;
  proxy_pass https://grafana.olddomain.uk/;
  proxy_ssl_server_name on;
  proxy_ssl_trusted_certificate /etc/nginx/conf.d/trusted_ca_cert.pem;
  proxy_set_header Host $host;
}
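
A note on the TLS leg of this setup, with an added example that is not from the thread: proxy_ssl_trusted_certificate is only consulted when proxy_ssl_verify is on, and that directive defaults to off, so the configs posted here encrypt the hop to grafana.olddomain.uk without checking the certificate of whoever answers. The verify depth of 2 is an assumption about the certificate chain.

```nginx
# Added example (not from the thread).
#
# As posted: traffic to the upstream is encrypted, but the upstream
# certificate is never validated because proxy_ssl_verify is off by default.
#
#   location / {
#     proxy_pass https://grafana.olddomain.uk/;
#     proxy_ssl_server_name on;
#     proxy_ssl_trusted_certificate /etc/nginx/conf.d/trusted_ca_cert.pem;
#   }

# Same block with upstream certificate verification switched on.
location / {
  max_ranges 0;
  proxy_pass https://grafana.olddomain.uk/;

  # Send SNI so the upstream can present the matching certificate.
  proxy_ssl_server_name on;

  # Validate the upstream certificate chain against the CA bundle.
  proxy_ssl_verify on;
  proxy_ssl_trusted_certificate /etc/nginx/conf.d/trusted_ca_cert.pem;

  # Assumption: leaf -> intermediate -> root chain. The default depth is 1.
  proxy_ssl_verify_depth 2;

  # Name the certificate must match. This defaults to the host from
  # proxy_pass ($proxy_host) and is independent of the Host header below;
  # written out here to make the check explicit.
  proxy_ssl_name grafana.olddomain.uk;

  proxy_set_header Host $host;
}
```

With verification on, a chain or name mismatch shows up as a 502 from the new domain and an upstream SSL certificate error in its error log.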